RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

CVSS vector should be generated in Base/Threat/Environmental/Supplemental order #34

Closed ViperGeek closed 10 months ago

ViperGeek commented 11 months ago

When we asked to reorder the Base and Supplemental sections of the GUI, the vector string got inadvertently reordered as well. In all our docs, JSON, and regex, the official order of the CVSS vector string is:

AV/AC/AT/PR/UI/V[CIA]/S[CIA]/E/[CIA]R/MAV/MAC/MAT/MPR/MUI/MV[CIA]/MS[CIA]/S/AU/R/V/RE/U

(Base/Threat/Environmental/Supplemental)

Please keep the GUI arrangement as-is, but update the vector string generation order.

pandatix commented 10 months ago

Fixed by #35, merged :tada:

ViperGeek commented 10 months ago

This may be unrelated to this fix, but it seems like the Supplemental Metrics no longer "stick" when selected:

https://redhatproductsecurity.github.io/cvss-v4-calculator/

pandatix commented 10 months ago

Thanks for the info Dave, I'll test it and provide a fix as soon as possible :)

EDIT: easy to diagnose, I did not implement the behavior of (non-)mandatory metrics, working on it.
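
An added example, not code from the calculator or from anyone in this thread: a JavaScript helper that re-emits a CVSS v4.0 vector in the Base/Threat/Environmental/Supplemental order given in the issue, so that downstream regex or schema validation sees a stable string. The name `canonicalizeVector`, the sample vector, and the choice to drop optional metrics set to `X` are assumptions; metric values are not validated.

```javascript
// Canonical metric order, expanded from the pattern quoted in the issue:
// Base / Threat / Environmental / Supplemental.
const BASE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"];
const THREAT = ["E"];
const ENVIRONMENTAL = ["CR", "IR", "AR", "MAV", "MAC", "MAT", "MPR", "MUI",
                       "MVC", "MVI", "MVA", "MSC", "MSI", "MSA"];
const SUPPLEMENTAL = ["S", "AU", "R", "V", "RE", "U"];
const ORDER = [...BASE, ...THREAT, ...ENVIRONMENTAL, ...SUPPLEMENTAL];
const PREFIX = "CVSS:4.0";

// Hypothetical helper: parse a vector whose metrics may be in any order and
// re-emit it in canonical order. Metric values are not validated here.
function canonicalizeVector(vector) {
  const [prefix, ...pairs] = vector.split("/");
  if (prefix !== PREFIX) throw new Error(`unexpected prefix: ${prefix}`);

  const selected = new Map();
  for (const pair of pairs) {
    const [name, value, ...rest] = pair.split(":");
    if (!value || rest.length > 0) throw new Error(`malformed metric: ${pair}`);
    if (!ORDER.includes(name)) throw new Error(`unknown metric: ${name}`);
    if (selected.has(name)) throw new Error(`duplicate metric: ${name}`);
    selected.set(name, value);
  }

  // Base metrics are mandatory; everything else is optional.
  const missing = BASE.filter((name) => !selected.has(name));
  if (missing.length > 0) throw new Error(`missing base metrics: ${missing.join(",")}`);

  // Assumption (CVSS v4.0 spec, not stated on this page): an optional metric
  // set to X (Not Defined) is equivalent to omitting it, so it is dropped.
  const parts = ORDER
    .filter((name) => selected.has(name))
    .filter((name) => BASE.includes(name) || selected.get(name) !== "X")
    .map((name) => `${name}:${selected.get(name)}`);
  return [PREFIX, ...parts].join("/");
}

// Constructed sample: supplemental metrics emitted ahead of the base metrics.
const misordered =
  "CVSS:4.0/S:P/AU:Y/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/MAV:X/E:A";
console.log(canonicalizeVector(misordered));
```

Because `S` (Safety) and `SC`/`SI`/`SA`, and `V` (Value Density) and `VC`/`VI`/`VA`, share leading letters, the helper matches whole metric names rather than prefixes.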