RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0
79 stars 28 forks

Environmental score differs from base score without any overrides #38

Closed JJK96 closed 1 year ago

JJK96 commented 1 year ago

See the following output:

$ python
Python 3.10.9 (main, Dec  7 2022, 01:12:00) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import cvss
>>> c = cvss.CVSS3("CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H")
>>> c.base_score
Decimal('9.0')
>>> c.environmental_score
Decimal('9.1')

The given vector contains no environmental entries, yet the score still differs. This matches the behaviour of the CVSS calculator by first.org; however, it is still incorrect.

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator calculates it correctly.

skontar commented 1 year ago

Hello and thanks for reaching out!

Even though it is not intuitive, the NVD implementation is not correct.

Unfortunately, the CVSS v3.1 requirements are not easy to implement in languages with different representations for real numbers. The equations are written using real numbers, and Python's Decimal is the most correct way to compute the values. The CVSS v3.1 specification has an Appendix A, Floating Point Rounding, which explains how to do the computations correctly using floating-point numbers. It seems that the NVD implementation is not following this recommendation.

See the official FIRST reference implementation: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Also, this issue is a duplicate; see the discussion on https://github.com/RedHatProductSecurity/cvss/issues/28.

I do not see any issue, and I will be closing this as "not a bug". If you by any chance find evidence of the implementation not matching the standard, please let me know.