RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

Incorrect metric order #44

Closed hdonnay closed 9 months ago

hdonnay commented 10 months ago

https://github.com/RedHatProductSecurity/cvss-v4-calculator/blob/201eb28364f3c35a8b3b03f3da9f51835ed61bde/metrics.js#L12-L17

The metric order is incorrect per spec.

A vector string must contain metrics in the order shown in Table 23, every other ordering is invalid.

Table 23: Base, Threat and Environmental Vectors

Metric Name (and Abbreviated Form)
...
Vulnerable System Confidentiality Impact (VC)
Subsequent System Confidentiality Impact (SC)
Vulnerable System Integrity Impact (VI)
Subsequent System Integrity Impact (SI)
Vulnerable System Availability Impact (VA)
Subsequent System Availability Impact (SA)
...
skontar commented 10 months ago

@pandatix, can you please check?

pandatix commented 10 months ago

My bad, this is a refactoring relic in the specification; we decided the order for the Base group is AV / AC / AT / PR / UI / VC / VI / VA / SC / SI / SA. The idea behind VC / VI / VA / SC / SI / SA rather than VC / SC / VI / SI / VA / SA is to reduce the cognitive load of scoring a vulnerability through CVSS v4.0 by setting them aside, so an analyst doesn't have to switch contexts (vulnerable system and subsequent systems) all the time.

I will see with @ViperGeek to fix this in the spec :wink: Good catch!
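The ordering question above is easy to get wrong in code, so here is an added example (not the calculator's own metrics.js and not part of this issue) of a small validator that only accepts the Base group in the order pandatix states. The metric names and allowed values are those of the CVSS v4.0 specification; the helper names (BASE_ORDER, parseBaseVector, isValidBaseOrder, describeBaseOrder) and the two sample vectors are this example's own. Threat, Environmental and Supplemental metrics are outside what the thread discusses, so anything after the eleven Base metrics is returned unparsed for the caller to handle.

```javascript
// Added example: enforce the corrected CVSS v4.0 Base metric order
// AV / AC / AT / PR / UI / VC / VI / VA / SC / SI / SA
// rather than the interleaved VC / SC / VI / SI / VA / SA that the original
// Table 23 listed. Names and values follow the CVSS v4.0 spec; the helpers are
// this example's own (assumption: not the calculator's API).

const BASE_ORDER = [
  ["AV", ["N", "A", "L", "P"]], // Attack Vector
  ["AC", ["L", "H"]],           // Attack Complexity
  ["AT", ["N", "P"]],           // Attack Requirements
  ["PR", ["N", "L", "H"]],      // Privileges Required
  ["UI", ["N", "P", "A"]],      // User Interaction
  ["VC", ["H", "L", "N"]],      // Vulnerable System Confidentiality
  ["VI", ["H", "L", "N"]],      // Vulnerable System Integrity
  ["VA", ["H", "L", "N"]],      // Vulnerable System Availability
  ["SC", ["H", "L", "N"]],      // Subsequent System Confidentiality
  ["SI", ["H", "L", "N"]],      // Subsequent System Integrity
  ["SA", ["H", "L", "N"]],      // Subsequent System Availability
];

// Parse the "CVSS:4.0/..." prefix and the eleven Base metrics, position by
// position. Any metric out of place, unknown, or carrying an invalid value
// throws; the caller decides what to do with the remaining (non-Base) tokens.
function parseBaseVector(vector) {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:4.0") {
    throw new Error(`expected "CVSS:4.0" prefix, got "${parts[0]}"`);
  }
  if (parts.length < 1 + BASE_ORDER.length) {
    throw new Error("vector too short: all 11 Base metrics are required");
  }
  const base = {};
  BASE_ORDER.forEach(([name, allowed], i) => {
    const token = parts[1 + i];
    const sep = token.indexOf(":");
    if (sep < 0) {
      throw new Error(`malformed metric "${token}" at position ${i + 1}`);
    }
    const key = token.slice(0, sep);
    const value = token.slice(sep + 1);
    if (key !== name) {
      // This is exactly the bug class from the issue: right metrics, wrong order.
      throw new Error(`expected ${name} at position ${i + 1}, got ${key}`);
    }
    if (!allowed.includes(value)) {
      throw new Error(`invalid value "${value}" for ${name}`);
    }
    base[name] = value;
  });
  return { base, rest: parts.slice(1 + BASE_ORDER.length) };
}

function isValidBaseOrder(vector) {
  try {
    parseBaseVector(vector);
    return true;
  } catch (e) {
    return false;
  }
}

// Human-readable verdict, useful when reviewing vectors by hand.
function describeBaseOrder(vector) {
  try {
    const { base } = parseBaseVector(vector);
    return `ok: ${Object.keys(base).join("/")}`;
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}

// Constructed sample vectors (not from the issue): the first follows the
// corrected order, the second the interleaved order from the erroneous table.
const GOOD = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N";
const BAD = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:N/VI:H/SI:N/VA:H/SA:N";

console.log(describeBaseOrder(GOOD));
console.log(describeBaseOrder(BAD));
```

Checking position by position against a fixed list, rather than collecting metrics into a map and checking only that each one is present, is what makes the interleaved ordering fail loudly at position 7 instead of being silently accepted.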

ViperGeek commented 10 months ago

Acknowledged. Thank you @hdonnay for reporting this. I will update the CVSS v4.0 Specification Document and provide errata (somehow). Editing the spec is easy. I'm currently figuring out the best way to record the errata. IETF has standard ways of recording it (ref. https://www.ietf.org/about/groups/iesg/statements/processing-errata-ietf-stream/) but as far as I know, this is a first for FIRST.

pandatix commented 9 months ago

The spec has been fixed in version 1.1 @skontar, can close the issue :)