RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

Macrovector=1 does not always mean "Medium" #33

Open ahouseholder opened 11 months ago

ahouseholder commented 11 months ago

I think the data structure in https://github.com/RedHatProductSecurity/cvss-v4-calculator/blob/5d7a90c66be1f0c1432f8c279e12e856943b7efb/cvss_details.js#L13-L18

is incorrect in its assumption that a macrovector value of 1 always means "Medium".

Macrovectors 1, 3, 4, and 5 can take on 3 values (0, 1, 2) so it makes sense that they would have "High, Medium, Low" mapped onto these.

However, Macrovectors 2 and 6 only have 2 values (0,1), which means the data structure referenced above will translate that in the UI to "High, Medium". This begs the question "What about Low?"

[Screenshot of the calculator's macrovector labels, 2023-10-05, not reproduced here]

I would expect the above to be Low, Low, Low, Low, High, Low instead of Low, Medium, Low, Low, High, Medium.

It seems like the translation for Macrovectors 2 and 6 needs to use a different lookup table. Perhaps something like:

```js
// Lookup table for the two-valued macrovectors (EQ2 and EQ6)
const cvssMacroVectorValues2 = {
  "0": "High",
  "1": "Low",
  "2": "None",
}
```

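To make the two-table proposal concrete, here is an added example (not the calculator's own code, and not part of the issue) that labels each digit of a six-digit macrovector with a per-position lookup table. The function names, the `RangeError` checks and the sample macrovector `212201` are assumptions of this example; the sample is reconstructed from the label sequence quoted in the issue (EQ1=2, EQ2=1, EQ3=2, EQ4=2, EQ5=0, EQ6=1). The single-table version is kept alongside so the two outputs can be compared.

```javascript
// Added example, not code from cvss-v4-calculator: label CVSS v4.0 macrovector
// digits, using a separate table for the two-valued macrovectors EQ2 and EQ6.

// Three-valued macrovectors (EQ1, EQ3, EQ4, EQ5): 0 = High, 1 = Medium, 2 = Low.
const threeLevel = { "0": "High", "1": "Medium", "2": "Low" };
// Two-valued macrovectors (EQ2, EQ6): 0 = High, 1 = Low. There is no value 2.
const twoLevel = { "0": "High", "1": "Low" };

// Table to use for each position: index 0 is EQ1, index 5 is EQ6.
const tablesByPosition = [threeLevel, twoLevel, threeLevel, threeLevel, threeLevel, twoLevel];

// The single-table behaviour the issue reports, kept only for comparison:
// every position is read through the three-level table, so a 1 in EQ2 or EQ6
// comes out as "Medium".
function labelMacroVectorNaive(macroVector) {
  return [...macroVector].map((digit) => threeLevel[digit]);
}

// Corrected labelling: each digit is looked up in the table for its own
// position, and a digit that position cannot take is rejected instead of
// being silently mislabelled.
function labelMacroVector(macroVector) {
  if (!/^[0-2]{6}$/.test(macroVector)) {
    throw new RangeError(`macrovector must be six digits in 0..2, got "${macroVector}"`);
  }
  return [...macroVector].map((digit, i) => {
    const label = tablesByPosition[i][digit];
    if (label === undefined) {
      const allowed = Object.keys(tablesByPosition[i]).join(", ");
      throw new RangeError(`EQ${i + 1} cannot take value ${digit} (allowed: ${allowed})`);
    }
    return label;
  });
}

// Constructed sample (hypothetical): the macrovector implied by the labels
// quoted in the issue.
const sample = "212201";
console.log(labelMacroVectorNaive(sample).join(", ")); // Low, Medium, Low, Low, High, Medium
console.log(labelMacroVector(sample).join(", "));      // Low, Low, Low, Low, High, Low
```

The range check in `labelMacroVector` is the part worth keeping even if the UI labels are dropped: a stray `2` in position 2 or 6 indicates a bug upstream in the macrovector computation, and failing loudly there is cheaper than debugging a wrong score later.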
skontar commented 10 months ago

@ViperGeek can you please have a look? I vaguely remember that these names were just a bonus and not really meant for anything when implemented, but do not know if situation changed.

ViperGeek commented 10 months ago

Hi @skontar.

I believe you are correct. The little (+) in the GUI was originally intended as a debugging tool to help people decide between the various interpolation methods. Unless you disagree, I think this functionality can be removed or commented out.

ViperGeek commented 10 months ago

P.S. @ahouseholder, your analysis is accurate. For macrovectors that have only two values, they should be assigned High and Low. Perhaps we can implement this in a future debug branch.