RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0

Add support for CVSS v4 #37

Closed mprpic closed 7 months ago

mprpic commented 1 year ago

CVSS v4 is around the corner according to: https://www.first.org/cvss/v4-0/cvss-v40-presentation.pdf#page=34

This issue tracks all the necessary work to add v4 support to this library.

Jira issue: SECDATA-77

skontar commented 1 year ago

https://www.first.org/cvss/v4-0/ is just an empty placeholder, it says that "Links on the left lead to CVSS version 4.0's specification and related resources." but that does not seem to be true.

Presentation says that "Request for Public Comment: October 2022"; do we have anyone on the CVSS SIG? Previously (3.0, 3.1), we had a lot of problems with the computation algorithm description, which was rather vague, and different implementations and programming languages got to different values.

mprpic commented 1 year ago

@rehakm is on the CVSS SIG and will find out more about specific dates at the upcoming SIG meeting.

skontar commented 1 year ago

I have attended the recent CVSS SIG meeting and agreed to have us develop a reference implementation of a calculator (so technically updating this library) in Python.

marco-silva0000 commented 12 months ago

Hey @skontar, I noticed you implemented https://github.com/RedHatProductSecurity/cvss-v4-calculator . Does that mean you won't work on the Python update for it?

skontar commented 12 months ago

@marco-silva0000 someone will definitely work on the Python library update. I am not sure if that will be me or anyone else on the team. However, the CVSS v4 is still not mature enough, so I would not recommend jumping on it just yet. The reference implementation you pointed out is not necessarily final yet.

AdrianVollmer commented 10 months ago

Looks like it's now final: https://www.first.org/cvss/calculator/4.0

skontar commented 10 months ago

I am aware of that. Unfortunately, currently it is not our priority. If anyone is willing to port the logic from https://github.com/RedHatProductSecurity/cvss-v4-calculator and integrate it into this library, it would be appreciated. Otherwise it will take a while. Sorry about that.

bp4151 commented 10 months ago

@skontar I can do it, but you don't have a Contributor.md so I am unclear as to how you folks want the integration done. Standard fork and PR for an external contributor?

skontar commented 10 months ago

@bp4151 you are right, we should probably work on that. Standard fork + PR is fine. Check what checks are running on the code here, so you can check locally. Try to follow style / structure of the library and you should be fine. @mprpic did I forget anything?

skontar commented 10 months ago

Also beware that we need to support Python 2.7 until June 2024.

bp4151 commented 10 months ago

@skontar

> Also beware that we need to support Python 2.7 until June 2024.

I am following the current codebase structure with the constants and class files and shoveling the code from the separate CVSS4 project, so the Python 2.7 support should still be there. Hoping to have a first run by end-of-weekend.

TitusA7 commented 9 months ago

> @skontar
>
> > Also beware that we need to support Python 2.7 until June 2024.
>
> I am following the current codebase structure with the constants and class files and shoveling the code from the separate CVSS4 project, so the Python 2.7 support should still be there. Hoping to have a first run by end-of-weekend.

Hey, are there any updates regarding the CVSS4 integration?

bp4151 commented 9 months ago

@TitusA7 Unfortunately (or fortunately depending on your perspective) the day job has gotten in the way. I am hoping to continue on this into the new year as time permits, but I can't make it a priority given what I have on my plate.

jobiewinserapck commented 9 months ago

I've added a PR for my implementation: https://github.com/RedHatProductSecurity/cvss/pull/45

I based it on the JS implementation: https://github.com/RedHatProductSecurity/cvss-v4-calculator

skontar commented 8 months ago

I will keep this open until we create another release.

skontar commented 8 months ago

Huge thanks to @jobiewinserapck for implementation!

rvemous-ct commented 7 months ago

Is it possible to create a release which supports v4.0?

skontar commented 7 months ago

Yes. Probably this week. We are still looking at some rounding issues in the JavaScript implementation, but I think this should not impact the precise arithmetic in the Python implementation.

jobselko commented 7 months ago

CVSS4 was released in 3.0. I am closing this issue.