RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

Discrepancy on score with certain vectors when compared to FIRST calculator #53

Closed gscottwilson closed 5 months ago

gscottwilson commented 5 months ago

While looking into the RedHat and FIRST implementations of CVSSV4 calculators we noticed a score discrepancy when certain metrics are selected.

Specifically CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Notice the RedHat score in this case is 5.9 and FIRST is 6.1 https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Is this expected behavior and/or should I bring it up to FIRST?

pandatix commented 5 months ago

This looks like a regression, my Go implem computes 6.1 too :/ I'll try to find where the source is and post updates soon.

EDIT: had an emergency to handle...

skontar commented 5 months ago

Could be regression in https://github.com/RedHatProductSecurity/cvss-v4-calculator/pull/52 .

skontar commented 5 months ago

Yep, it is there.

skontar commented 5 months ago

@gscottwilson , can you please have a look?

skontar commented 5 months ago

Commit 266c4f6 gives 6.1.

gscottwilson commented 5 months ago

Looks like the unrounded score in this case is 5.941666666666666, so the RedHat calculator is correctly rounding to 5.9 and the FIRST calculator as deployed is incorrect at 6.1.

skontar commented 5 months ago

Unfortunately, rounding has not been figured out yet by the SIG, so it is hard to tell which is right and which is wrong. However, I am unsure how 5.941666666666666 could incorrectly be rounded to 6.1; I would expect 6.0?

Anyway, I have a colleague who may have some time to tackle rounding issues for good somewhat soon™.

gscottwilson commented 5 months ago

Sounds good. Thanks for the heads up

gscottwilson commented 5 months ago

Had a chance to dive deeper on this and discovered it is indeed a regression due to my refactor. Apologies for the confusion introduced. The 5.9 was a red herring and 6.1 was correct. I've resolved the issue and am sending a PR for your review.