goark / go-cvss

Common Vulnerability Scoring System (CVSS)
Apache License 2.0

Invalid CVSS v2 environmental score computation #33

Open pandatix opened 1 year ago

pandatix commented 1 year ago

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly compute CVSS v2 environmental scores (as for #18).

For instance, the vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND has an environmental score of 9.0, according to the NVD CVSS v2 calculator. Nevertheless, the following Go code illustrates this issue, i.e. invalid scores.

package main

import (
    "fmt"
    "log"

    "github.com/goark/go-cvss/v2/metric"
)

func main() {
    // Full v2 vector: base group plus the environmental group (CDP/TD/CR/IR/AR).
    raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND"
    vec, err := metric.NewEnvironmental().Decode(raw)
    if err != nil {
        log.Fatal(err)
    }

    // Base, temporal and environmental scores, in that order.
    b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
    fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 8.3;8.3;9.1

spiegel-im-spiegel commented 1 year ago

Release v1.6.4.

pandatix commented 1 year ago

It was not fixed properly, as the vector AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND now produces an environmental score of 1.6 despite it effectively being 1.5.

spiegel-im-spiegel commented 1 year ago

Hmmm... Released v1.6.5. Is it OK?

pandatix commented 1 year ago

Now, the vector AV:A/AC:M/Au:S/C:C/I:C/A:C/CDP:N/TD:N/CR:M/IR:ND/AR:L returns an environmental score of 7.1 but should be 0.0.

spiegel-im-spiegel commented 1 year ago

Sorry! Released v1.6.6.

spiegel-im-spiegel commented 1 year ago

Thank you for all the advice.

pandatix commented 1 year ago

Sorry, I still have some issues to raise about this, but I first need to fix the NVD due to the same issue :')

pandatix commented 1 year ago

Hi, sorry for the looong wait, seems like they won't fix it... So here is the issue!

Let's take again the CVSS v2 vector "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND" with Base and Environmental groups defined. If we strictly apply the specified formulas (section 3.2.3) for the adjusted impact, we end up with 9.60372468. I didn't check deeply where the issue occurs in your implementation, but for instance in the NVD implementation it occurs when computing the adjusted temporal. With the formulas you have round_to_1_decimal(((0.6*9.60372468)+(0.4*6.4579328)-1.5)*1.176) = round_to_1_decimal(8.050199723328) = 8.1, when your implementation returns 8.0. Maybe, due to this rounding edge case, you return an environmental score of 9.0 rather than 9.1 (it would be worth checking this first).

spiegel-im-spiegel commented 1 year ago

:thinking: ...

pandatix commented 1 year ago

Hey, any news on fixing it? It may be nice to get it before we release CVSS v4.0, thus your implementation could be used without this rounding issue :)

spiegel-im-spiegel commented 1 year ago

Sorry. I'm too busy with my day job to fix go-cvss. There are no specific plans for CVSSv4 either.

pandatix commented 1 year ago

Oh, I'm sorry to hear that. If you think this is appropriate, maybe archive the project to leave it available while read-only. Hope you do well