Open pandatix opened 1 year ago
Release v1.6.4.
It was not fixed properly, as the vector AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND now produces an environmental score of 1.6 despite it effectively being 1.5.
Hmmm... Released v1.6.5. Is it OK?
Now, the vector AV:A/AC:M/Au:S/C:C/I:C/A:C/CDP:N/TD:N/CR:M/IR:ND/AR:L returns an environmental score of 7.1 but should be 0.0.
Sorry! Released v1.6.6.
Thank you for all the advice.
Sorry, I still have some issues to raise about this, but I first need to fix the NVD due to the same issue :')
Hi, sorry for the looong wait, seems like they won't fix it... So here is the issue!
Let's take again the CVSS v2 vector "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND" with Base and Environmental groups defined.
If we strictly apply the formulas specified in section 3.2.3 for the adjusted impact, we end up with 9.60372468.
I didn't check deeply where the issue occurs in your implementation, but for instance in the NVD implementation it occurs when computing the adjusted temporal. With the formulas you have round_to_1_decimal(((0.6*9.60372468)+(0.4*6.4579328)-1.5)*1.176) = round_to_1_decimal(8.050199723328) = 8.1, whereas your implementation returns 8.0.
Maybe, due to this rounding edge case, you return an environmental score of 9.0 rather than 9.1 (it would be worth checking this first).
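To make the rounding question in the comment above concrete, here is an added example (not go-cvss code and not from anyone in this thread): a CVSS v2 environmental calculator that evaluates the section 3.2.3 formulas with exact rational arithmetic, so the only rounding is where the spec calls round_to_1_decimal. It assumes round_to_1_decimal rounds half up and that E/RL/RC are ND (weight 1), as in every vector quoted here; for the vector above the pre-rounding environmental value is exactly 9.05, a tie, which is why float64 implementations land on either 9.0 or 9.1.

```go
package main

import ("fmt"; "math/big"; "strings")

// CVSS v2 weights as exact decimal strings (spec sections 3.2.1 and 3.2.3). E/RL/RC are
// taken as ND (weight 1), as in every vector quoted in this thread (assumption).
var cia = map[string]string{"N": "0", "P": "0.275", "C": "0.66"}
var req = map[string]string{"L": "0.5", "M": "1", "H": "1.51", "ND": "1"}
var weights = map[string]map[string]string{
	"AV": {"L": "0.395", "A": "0.646", "N": "1"}, "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},
	"Au": {"M": "0.45", "S": "0.56", "N": "0.704"}, "C": cia, "I": cia, "A": cia,
	"CDP": {"N": "0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0"},
	"TD": {"N": "0", "L": "0.25", "M": "0.75", "H": "1", "ND": "1"}, "CR": req, "IR": req, "AR": req,
}

func rat(s string) *big.Rat { r, _ := new(big.Rat).SetString(s); return r }

// round1 is the spec's round_to_1_decimal (round half up), done exactly as floor(10r+1/2)/10.
func round1(r *big.Rat) *big.Rat {
	x := new(big.Rat).Add(new(big.Rat).Mul(r, rat("10")), rat("0.5"))
	return new(big.Rat).SetFrac(new(big.Int).Div(x.Num(), x.Denom()), big.NewInt(10))
}

// Environmental scores a vector like AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND
// (all 11 metrics required) per section 3.2.3; rounding happens only where the spec rounds.
func Environmental(vec string) (string, error) {
	m := map[string]*big.Rat{}
	for _, p := range strings.Split(vec, "/") {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 || weights[kv[0]][kv[1]] == "" {
			return "", fmt.Errorf("bad metric %q", p)
		}
		m[kv[0]] = rat(weights[kv[0]][kv[1]])
	}
	if len(m) != len(weights) {
		return "", fmt.Errorf("vector %q does not define all 11 metrics", vec)
	}
	one, ten, prod := rat("1"), rat("10"), rat("1")
	for _, p := range [][2]string{{"C", "CR"}, {"I", "IR"}, {"A", "AR"}} { // (1-C*CR)(1-I*IR)(1-A*AR)
		prod.Mul(prod, new(big.Rat).Sub(one, new(big.Rat).Mul(m[p[0]], m[p[1]])))
	}
	impact := new(big.Rat).Mul(rat("10.41"), new(big.Rat).Sub(one, prod)) // AdjustedImpact
	if impact.Cmp(ten) > 0 { impact = ten } // min(10, ...)
	expl := new(big.Rat).Mul(rat("20"), m["AV"]) // Exploitability = 20*AV*AC*Au
	expl.Mul(expl, m["AC"]).Mul(expl, m["Au"])
	base := new(big.Rat).Mul(rat("0.6"), impact) // ((0.6*Impact)+(0.4*Expl)-1.5)*f(Impact)
	base.Add(base, new(big.Rat).Mul(rat("0.4"), expl)).Sub(base, rat("1.5")).Mul(base, rat("1.176"))
	if impact.Sign() == 0 { base.SetInt64(0) } // f(Impact) = 0
	temporal := round1(base) // adjusted temporal: round(round(base)*E*RL*RC) with E*RL*RC = 1
	env := new(big.Rat).Sub(ten, temporal) // (AdjTemporal + (10-AdjTemporal)*CDP)*TD
	env.Mul(env, m["CDP"]).Add(env, temporal).Mul(env, m["TD"])
	return round1(env).FloatString(1), nil // exactly 9.05 before rounding for the vector above
}
```

For the three vectors quoted in this thread the exact computation gives 9.1, 0.0 and 1.5 respectively.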
:thinking: ...
Hey, any news on fixing it? It may be nice to get it before we release CVSS v4.0 so that your implementation could be used without this rounding issue :)
Sorry. I'm too busy with my day job to fix go-cvss. There are no specific plans for CVSSv4 either.
Oh, I'm sorry to hear that. If you think this is appropriate, maybe archive the project to keep it available read-only. Hope you do well.
During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly compute CVSS v2 environmental scores (as for #18). For instance, the vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND has an environmental score of 9.0, according to the NVD CVSS v2 calculator. Nevertheless, the following Go code illustrates this issue, i.e. invalid scores.
produces ->