RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator
https://redhatproductsecurity.github.io/cvss-v4-calculator/
BSD 2-Clause "Simplified" License

Aligning Variable Names with the JSON Format #63

Open n3rada opened 1 week ago

n3rada commented 1 week ago

During the refactoring, we were all talking about whether or not to respect the JSON format for variable names. The required ones are "version", "vectorString", "baseScore", "baseSeverity".

But I remember that @pandatix disagreed with this notion. [image] And that is why we are currently using more logical things such as score, equivalentClasses and so on.

The specification document talks about "Base Score": [image]

This is just to initiate a conversation about this topic. I didn't see a "Discussions" tab in the repository, so I decided to open an issue instead. 😊
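Added example (not part of the issue thread or of the cvss-v4-calculator code): an adapter between the calculator's internal naming mentioned above (score, equivalentClasses) and the four required fields of the CVSS v4.0 JSON schema, with a consistency check in the reverse direction. The internal object shape, the helper names and the sample vector are assumptions; the severity thresholds are the CVSS qualitative severity rating scale.

```javascript
// Added example (not part of the cvss-v4-calculator project): an adapter
// between the calculator's internal result (assumed shape: { score, ... })
// and the field names required by the CVSS v4.0 JSON schema.
const CVSS_V4_PREFIX = "CVSS:4.0/";

// Map a numeric score to the qualitative severity string the schema uses
// (CVSS qualitative severity rating scale; rejects NaN and out-of-range values).
function severityFromScore(score) {
  if (typeof score !== "number" || !(score >= 0 && score <= 10)) {
    throw new RangeError(`score out of range: ${score}`);
  }
  if (score === 0) return "NONE";
  if (score < 4.0) return "LOW";
  if (score < 7.0) return "MEDIUM";
  if (score < 9.0) return "HIGH";
  return "CRITICAL";
}

// Build the schema-shaped record. Only the vector prefix is checked here;
// metric-level validation is left to the calculator itself.
function toSchemaRecord(vector, internal) {
  if (typeof vector !== "string" || !vector.startsWith(CVSS_V4_PREFIX)) {
    throw new TypeError(`vectorString must start with ${CVSS_V4_PREFIX}`);
  }
  return {
    version: "4.0",
    vectorString: vector,
    baseScore: internal.score,
    baseSeverity: severityFromScore(internal.score),
  };
}

// Reverse direction: accept a schema-shaped record, check that the required
// fields exist and agree with each other, and return the internal naming.
function fromSchemaRecord(record) {
  for (const key of ["version", "vectorString", "baseScore", "baseSeverity"]) {
    if (!(key in record)) throw new TypeError(`missing required field: ${key}`);
  }
  if (record.version !== "4.0") throw new TypeError(`unexpected version: ${record.version}`);
  if (severityFromScore(record.baseScore) !== record.baseSeverity) {
    throw new TypeError("baseSeverity does not match baseScore");
  }
  return { vector: record.vectorString, score: record.baseScore };
}

// Constructed sample input (vector, score and classes are illustrative only).
const sample = toSchemaRecord(
  "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
  { score: 9.3, equivalentClasses: "000200" }
);
```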

pandatix commented 1 week ago

I confirm this is an issue in the specification. No "base score" notion exists in CVSS v4, as the scoring takes the Base+Threat+Environmental metric groups ;)

n3rada commented 1 week ago

Thanks. That was just to make sure. Thus, if you have contacts with FIRST people, you may report this to them.

Because the specification should be updated in order to stay serious. This new CVSS is going to be used in really huge companies. 😊

You guys are really great people by the way.

pandatix commented 1 week ago

Poke @nickleali :)

nickleali commented 1 week ago

Yep, thanks for bringing this to our attention. The FIRST CVSS SIG is aware of the inconsistencies in the CVSS v4.0 JSON schema and the documentation with regard to the nomenclature. We're working on updating the terminology in the schema and documentation.

The concern now is if we do an update between versions, we risk breaking functionality for 4.0. The plan is to include these updates with 4.1, but if you are looking at doing a refactor of the calculator with the new terminology, possibly we can have a draft of the schema early to share.

Let's continue to coordinate on this. I'll bring this item up at our next CVSS SIG meeting.

n3rada commented 1 week ago

There are multiple issues on the FIRST website. The examples provided seem inconsistent and vulnerabilities are not well scored, according to discussions I've had with senior pentesters in daily life.

Concerning the upcoming 4.1, the refactor provides a clean class structure, making future changes much easier to integrate!

nickleali commented 1 week ago

If you identify any examples with inaccuracies, or any other issues on the FIRST CVSS site, please let me know at cvss@first.org and I'd be happy to address them. If there are examples that could be added to the examples document, you could request those as well for me to add in future updates. Always looking to provide more details for the community.

n3rada commented 1 week ago

I will totally do that in the next weeks. Thanks a lot.