Closed Zalutskii closed 1 month ago
Hi! We are aware of rounding issues caused mostly by using floats instead of Decimals in the CVSS v4 implementation.
In this specific case, it is because 8.45 cannot be represented correctly in `float`.
```python
>>> print(8.45)
8.45
>>> print(f"{8.45:0.20f}")
8.44999999999999928946
>>> round(8.45, 1)
8.4
```
We are currently working on making sure both JavaScript and Python implementations will return the same – and expected – values.
We will likely be using the following:
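```python
>>> # D is the Decimal class; it must be imported for the expression to run
>>> from decimal import Decimal as D, ROUND_HALF_UP
>>> float(D(8.45 * 10).quantize(D("1"), rounding=ROUND_HALF_UP) / 10)
8.5
```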
We are currently in the testing phase. FYI, @superbuggy, you can check this specific vector.
https://github.com/RedHatProductSecurity/cvss/blob/e4cf69bea6bcfa1cbc38dca13b9ec8bf3363a475/cvss/cvss4.py#L55

The `round_away_from_zero` function is not working correctly. For values `round_away_from_zero(8.45, 1)` should return `8.5`, but it returns `8.4`.

https://python-fiddle.com/saved/IKHz08xWhe4LsUnxAAez

This error leads to incorrect calculation of score for some vectors. For example, for the vector `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:L/MAT:N/MPR:L/MUI:A/MVC:H/MVI:H/MVA:H/MSC:H/MSI:S/MSA:S/S:P/AU:Y/R:I/V:C/RE:H/U:Red` score should be `8.5` and not `8.4`.
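As an added example (not code from the cvss project or from either poster), the sketch below runs the 8.45 case from this thread through built-in `round()`, a `Decimal` built directly from the float, and a `Decimal` built from the float's string form. The helper names and sample values are assumptions made for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP


def naive_round(value, ndigits=1):
    # Built-in round() on a binary float: the stored value of 8.45 is
    # already slightly below the tie, so it rounds down.
    return round(value, ndigits)


def decimal_from_float(value, ndigits=1):
    # Pitfall: Decimal(float) copies the exact binary value
    # (8.4499999999999992894...), so ROUND_HALF_UP never sees a tie.
    quantum = Decimal(1).scaleb(-ndigits)  # ndigits=1 -> Decimal("0.1")
    return float(Decimal(value).quantize(quantum, rounding=ROUND_HALF_UP))


def round_half_up(value, ndigits=1):
    # Hypothetical helper: str() gives the shortest text that round-trips
    # the float ("8.45"), so the tie is visible to Decimal.
    # ROUND_HALF_UP breaks ties away from zero, for negatives as well.
    quantum = Decimal(1).scaleb(-ndigits)
    return float(Decimal(str(value)).quantize(quantum, rounding=ROUND_HALF_UP))


# Constructed sample inputs: the tie from the issue, its negative, and
# neighbours on either side of the tie.
SAMPLES = [8.45, -8.45, 8.44, 8.46, 10.0]


def compare(samples=SAMPLES):
    # One row per input: (value, round(), Decimal(float), Decimal(str)).
    return [
        (v, naive_round(v), decimal_from_float(v), round_half_up(v))
        for v in samples
    ]


if __name__ == "__main__":
    for row in compare():
        print("%6s  round=%s  Decimal(float)=%s  Decimal(str)=%s" % row)
```

A float produced by earlier arithmetic may print as something like 8.449999999999999 rather than 8.45, in which case the string conversion rounds down as well; the intermediate arithmetic then has to be carried out in `Decimal` too.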