RedHatProductSecurity / cvss

CVSS2/3/4 library with interactive calculator for Python 2 and Python 3
GNU Lesser General Public License v3.0

CVSS4 round_away_from_zero error #60

Closed Zalutskii closed 1 month ago

Zalutskii commented 1 month ago

https://github.com/RedHatProductSecurity/cvss/blob/e4cf69bea6bcfa1cbc38dca13b9ec8bf3363a475/cvss/cvss4.py#L55

The round_away_from_zero function is not working correctly. For example, round_away_from_zero(8.45, 1) should return 8.5, but it returns 8.4. https://python-fiddle.com/saved/IKHz08xWhe4LsUnxAAez

This error leads to incorrect calculation of the score for some vectors. For example, for the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:L/IR:L/AR:L/MAV:N/MAC:L/MAT:N/MPR:L/MUI:A/MVC:H/MVI:H/MVA:H/MSC:H/MSI:S/MSA:S/S:P/AU:Y/R:I/V:C/RE:H/U:Red the score should be 8.5 and not 8.4.

skontar commented 1 month ago

Hi! We are aware of rounding issues caused mostly by using floats instead of Decimals in CVSS v4 implementation.

In this specific case, it is because 8.45 cannot be represented correctly in float.

>>> print(8.45)
8.45
>>> print(f"{8.45:0.20f}")
8.44999999999999928946
>>> round(8.45, 1)
8.4

We are currently working on making sure both Javascript and Python implementations will return the same – and expected – values.

We will be likely using the following:

>>> from decimal import Decimal as D, ROUND_HALF_UP
>>> float(D(8.45 * 10).quantize(D("1"), rounding=ROUND_HALF_UP) / 10)
8.5
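As an added example (not code from the cvss project or from the thread), the following compares the builtin float round(), the scaled Decimal variant sketched above, and a Decimal version that parses the value from its shortest repr so the 8.45 tie is actually seen; the function names and the sample scores are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP


def round_away_from_zero(value, places=1):
    """Round to `places` decimals, ties moving away from zero (hypothetical name).

    repr(8.45) is "8.45", whereas Decimal(8.45) would be the exact binary
    value 8.44999999999999928946..., which no rounding mode can rescue.
    ROUND_HALF_UP in the decimal module rounds ties away from zero, so
    -8.45 becomes -8.5, which is the behaviour the function name promises.
    """
    exponent = Decimal(1).scaleb(-places)  # places=1 -> Decimal("0.1")
    rounded = Decimal(repr(float(value))).quantize(exponent, rounding=ROUND_HALF_UP)
    return float(rounded)


def round_scaled(value, places=1):
    """The variant from the comment above: scale in float, then quantize to 1.

    It works for 8.45 because 8.45 * 10 happens to land exactly on 84.5 in
    binary float; that is not guaranteed for every input, which is why the
    repr-based version is preferred here.
    """
    scale = 10 ** places
    quantized = Decimal(value * scale).quantize(Decimal("1"), rounding=ROUND_HALF_UP)
    return float(quantized / scale)


def compare(values, places=1):
    """Map each sample to (builtin round, round_scaled, round_away_from_zero)."""
    return {
        v: (round(v, places), round_scaled(v, places), round_away_from_zero(v, places))
        for v in values
    }


if __name__ == "__main__":
    # constructed sample scores; 8.45 is the tie reported in the issue
    samples = [8.45, 8.35, 8.44, -8.45, 9.95]
    for v, (builtin, scaled, away) in compare(samples).items():
        print(f"{v:>6}: round()={builtin} scaled={scaled} away_from_zero={away}")
```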

skontar commented 1 month ago

We are currently in the testing phase. FYI, @superbuggy, you can check this specific vector.

skontar commented 1 month ago

Resolved by https://github.com/RedHatProductSecurity/cvss/pull/61