RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0

Given a base vector, the environmental score is greater than the base score. #28

Closed jljuan closed 3 years ago

jljuan commented 3 years ago

Version: CVSS 2.2

Dear skontar,

While trying your tool, I detected something strange:

| CVE-ID | CVSS-SCORE | cvss3.clean_vector() | cvss3.scores() | cvss3.severities() |
|---|---|---|---|---|
| CVE-2020-10713 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |
| CVE-2019-9500 | 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2019-9503 | 8.3 | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2020-14372 | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | (7.5, 7.5, 7.6) | ('High', 'High', 'High') |
| CVE-2020-25632 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |
| CVE-2020-25647 | 7.6 | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | (7.6, 7.6, 7.7) | ('High', 'High', 'High') |
| CVE-2020-27779 | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | (7.5, 7.5, 7.6) | ('High', 'High', 'High') |
| CVE-2021-20233 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |
| CVE-2020-2803 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2020-2805 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2020-14583 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2019-10063 | 9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H | (9.0, 9.0, 9.1) | ('Critical', 'Critical', 'Critical') |
| CVE-2019-9811 | 8.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H | (8.3, 8.3, 8.4) | ('High', 'High', 'High') |
| CVE-2020-3962 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |
| CVE-2020-3969 | 7.8 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | (7.8, 7.8, 7.9) | ('High', 'High', 'High') |
| CVE-2020-3967 | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | (7.5, 7.5, 7.6) | ('High', 'High', 'High') |
| CVE-2020-3968 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |
| CVE-2020-3966 | 7.5 | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | (7.5, 7.5, 7.6) | ('High', 'High', 'High') |
| CVE-2020-4004 | 8.2 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | (8.2, 8.2, 8.3) | ('High', 'High', 'High') |

As you can see, for these cases, the environmental scores are higher than the base ones while nothing in the vector may change it.

Do you think this can be an error in computation precision?

skontar commented 3 years ago

Thanks for reaching out.

It seems to be caused by the equation and rounding algorithms design as described in the 3.1 standard. I have just checked the first vector and it matches the reference implementation: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

This library uses Decimal to get exact arithmetic and should not be affected by any floating point errors. Also note that the specification for rounding changed between 3.0 and 3.1 to be easier to reproduce on different platforms. The implementation recommendation described by First should have some specific steps to prevent floating point errors on platforms which do not support exact arithmetic.

I do not see any issue and I will be closing this as "not a bug". If you by any chance find any evidence of the implementation not matching the standard, please let me know.
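The point skontar makes can be checked by hand. The example below is added here; it is neither the cvss library's code nor part of this thread. It implements the CVSS v3.1 base, temporal and environmental equations (specification sections 7.1 to 7.3) together with the Appendix A Roundup function in Python's Decimal arithmetic, for a vector that carries only the eight base metrics (every temporal and environmental metric Not Defined, which is what the vectors in the table above are). The behaviour that looks odd comes from the specification itself: with all modified metrics Not Defined, MISS equals ISS, but the ModifiedImpact equation for changed scope uses the exponent 13 and the 0.9731 factor instead of the exponent 15 used for the base Impact, so the two sums can round to different tenths.

```python
"""CVSS v3.1 base / temporal / environmental scoring in exact Decimal arithmetic.

Added worked example, not the RedHatProductSecurity/cvss library. It assumes a
CVSS:3.1 vector with exactly the eight base metrics; all temporal and
environmental metrics are treated as Not Defined (weight 1.0, fallback to base).
"""
from decimal import Decimal, ROUND_HALF_UP, getcontext

getcontext().prec = 50  # ample precision; no binary floating point anywhere
D = Decimal

# Base metric weights from CVSS v3.1 specification, section 7.4
AV = {"N": D("0.85"), "A": D("0.62"), "L": D("0.55"), "P": D("0.2")}
AC = {"L": D("0.77"), "H": D("0.44")}
PR_UNCHANGED = {"N": D("0.85"), "L": D("0.62"), "H": D("0.27")}
PR_CHANGED = {"N": D("0.85"), "L": D("0.68"), "H": D("0.5")}
UI = {"N": D("0.85"), "R": D("0.62")}
CIA = {"H": D("0.56"), "L": D("0.22"), "N": D("0")}
BASE_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def roundup(value):
    """Roundup from CVSS v3.1 Appendix A: round up to one decimal place.
    Works on an integer scaled by 100000 so that a value such as
    4.000000000000000001 stays 4.0 instead of becoming 4.1.
    Pass a Decimal or a str (never a float, which would carry binary error)."""
    int_input = int((D(value) * 100000).to_integral_value(rounding=ROUND_HALF_UP))
    if int_input % 10000 == 0:
        return D(int_input) / D(100000)
    return (D(int_input // 10000) + 1) / D(10)


def parse_base_vector(vector):
    """Parse a CVSS:3.1 vector string into a metric -> value dict (base metrics only)."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.1":
        raise ValueError("only CVSS:3.1 vectors are handled by this example")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    if set(metrics) != BASE_METRICS:
        raise ValueError("this example expects exactly the eight base metrics")
    return metrics


def severity(score):
    """Qualitative rating scale, CVSS v3.1 specification section 5."""
    if score == 0:
        return "None"
    if score < D("4.0"):
        return "Low"
    if score < D("7.0"):
        return "Medium"
    if score < D("9.0"):
        return "High"
    return "Critical"


def scores(vector):
    """Return (base, temporal, environmental) as Decimals, like cvss3.scores()."""
    m = parse_base_vector(vector)
    changed = m["S"] == "C"

    # Base score, spec 7.1
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if changed:
        impact = D("7.52") * (iss - D("0.029")) - D("3.25") * (iss - D("0.02")) ** 15
    else:
        impact = D("6.42") * iss
    pr = (PR_CHANGED if changed else PR_UNCHANGED)[m["PR"]]
    exploitability = D("8.22") * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    if impact <= 0:
        base = D(0)
    elif changed:
        base = roundup(min(D("1.08") * (impact + exploitability), D(10)))
    else:
        base = roundup(min(impact + exploitability, D(10)))

    # Temporal score, spec 7.2: E, RL and RC Not Defined, each weight 1.0
    temporal = roundup(base)

    # Environmental score, spec 7.3, with every modified metric Not Defined.
    # MISS falls back to ISS (CR = IR = AR = 1.0), but for changed scope the
    # ModifiedImpact equation uses exponent 13 and the 0.9731 factor, not the
    # exponent 15 of the base Impact, so the rounded result may differ by 0.1.
    miss = min(iss, D("0.915"))
    if changed:
        mod_impact = D("7.52") * (miss - D("0.029")) - D("3.25") * (miss * D("0.9731") - D("0.02")) ** 13
    else:
        mod_impact = D("6.42") * miss
    mod_exploitability = exploitability  # MAV, MAC, MPR, MUI all Not Defined
    if mod_impact <= 0:
        environmental = D(0)
    elif changed:
        environmental = roundup(roundup(min(D("1.08") * (mod_impact + mod_exploitability), D(10))))
    else:
        environmental = roundup(roundup(min(mod_impact + mod_exploitability, D(10))))
    return base, temporal, environmental


def scores_as_floats(vector):
    """Same triple as floats, matching the tuple shape shown in the issue."""
    return tuple(float(s) for s in scores(vector))


def severities(vector):
    """(base, temporal, environmental) qualitative ratings, like cvss3.severities()."""
    return tuple(severity(s) for s in scores(vector))


if __name__ == "__main__":
    v = "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"  # first vector from the issue
    print(v, scores_as_floats(v), severities(v))
```

Running it on the first vector from the table gives (8.2, 8.2, 8.3): Base = 1.08 × (Impact + Exploitability) is about 8.129 and rounds up to 8.2, while 1.08 × (ModifiedImpact + ModifiedExploitability) is about 8.216 and rounds up to 8.3, with no environmental metric set. The Roundup implementation matters as well: the 3.1 integer-scaling definition is what makes independent implementations agree.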

jljuan commented 3 years ago

Thank you very much for your prompt answer, I was blinded by the NVD implementation: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H