Closed Harm-Nullix closed 2 years ago
Hi @HarmNullix ,
Thanks for bringing this to our notice. This issue has been fixed on a separate branch and the PR is up here - https://github.com/security-breachlock/vuln-vects/pull/3
Moreover, there is something I'd like to bring into light here.
The NVD Calculator here seems to interpret the vectors differently. The base score that you mentioned in your comment, i.e. 5.4, seems to be wrong for the given vector. Here's why: the NVD calculator interprets the vectors passed in its URL parameters based on the order in which they are passed rather than on the keys and their values.
For example, let's consider the vectors below:
If the above vectors are carefully observed, they are the same; only the position/order of the Modified Environmental Metrics was changed (see the comparison screenshot for clarity). But the NVD calculator gives different scores for them, while ideally it shouldn't.
The vuln-vects library does not rely on the order of the data passed but on the keys and values of the different metrics, to ensure robustness.
With that said, the score for the mentioned vector would be 3.1, not 5.4, if I'm not wrong.
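To make the key-versus-position point above concrete (and the later complaint about an error that names a bare value "U" without its key), here is an added example that is not vuln-vects code and not from any participant in this thread. It parses a CVSS v3.x vector by metric key, so reordering components cannot change the result, reports every parse error together with the metric it belongs to, and computes the v3.1 base score with the formulas and weights from the FIRST specification. The metric names, allowed values and weights are the standard CVSS v3.1 ones; the sample vectors are constructed for the demo.

```javascript
'use strict';
// Added example (not vuln-vects code): key-based CVSS v3.x vector parsing plus
// the CVSS v3.1 base-score formula. Metric tables follow the FIRST specification.

// Allowed values per metric, listed in the spec's canonical order.
const METRICS = {
  AV: 'NALP', AC: 'LH', PR: 'NLH', UI: 'NR', S: 'UC', C: 'HLN', I: 'HLN', A: 'HLN', // base
  E: 'XUPFH', RL: 'XOTWU', RC: 'XURC',                                              // temporal
  CR: 'XLMH', IR: 'XLMH', AR: 'XLMH', MAV: 'XNALP', MAC: 'XLH', MPR: 'XNLH',        // environmental
  MUI: 'XNR', MS: 'XUC', MC: 'XHLN', MI: 'XHLN', MA: 'XHLN',
};
const BASE = ['AV', 'AC', 'PR', 'UI', 'S', 'C', 'I', 'A'];

// Parse "CVSS:3.x/K:V/..." into { version, metrics }. Components are matched on
// their key, so their order is irrelevant, and every error names the offending
// key and value rather than a bare value.
function parseCvss3(vector) {
  const [prefix, ...parts] = String(vector).trim().split('/');
  const v = /^CVSS:(3\.[01])$/.exec(prefix);
  if (!v) throw new Error(`unsupported prefix "${prefix}"`);
  const metrics = {};
  for (const part of parts) {
    const m = /^([A-Z]+):([A-Z])$/.exec(part);
    if (!m) throw new Error(`malformed component "${part}"`);
    const [, key, value] = m;
    if (!(key in METRICS)) throw new Error(`unknown metric "${key}"`);
    if (!METRICS[key].includes(value)) throw new Error(`invalid value "${value}" for metric "${key}"`);
    if (key in metrics) throw new Error(`duplicate metric "${key}"`);
    metrics[key] = value;
  }
  for (const key of BASE) if (!(key in metrics)) throw new Error(`missing base metric "${key}"`);
  return { version: v[1], metrics };
}

// Canonical string in spec order with "X" (Not Defined) metrics dropped, so two
// vectors that differ only in component order compare equal.
function canonicalize(vector) {
  const { version, metrics } = parseCvss3(vector);
  return `CVSS:${version}/` + Object.keys(METRICS)
    .filter(k => k in metrics && metrics[k] !== 'X')
    .map(k => `${k}:${metrics[k]}`).join('/');
}

// CVSS v3.1 "Roundup": round up to one decimal using integer arithmetic, as the
// spec's reference pseudocode does, to avoid floating-point edge cases.
function roundUp(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Base-metric weights; the PR weight depends on Scope.
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 }, AC: { L: 0.77, H: 0.44 }, UI: { N: 0.85, R: 0.62 },
  CIA: { H: 0.56, L: 0.22, N: 0 },
  PR: { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } },
};

// CVSS v3.1 base score (temporal/environmental metrics are parsed but not scored here).
function baseScore(vector) {
  const { metrics: m } = parseCvss3(vector);
  const iss = 1 - (1 - W.CIA[m.C]) * (1 - W.CIA[m.I]) * (1 - W.CIA[m.A]);
  const impact = m.S === 'U' ? 6.42 * iss : 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
  const exploitability = 8.22 * W.AV[m.AV] * W.AC[m.AC] * W.PR[m.S][m.PR] * W.UI[m.UI];
  if (impact <= 0) return 0;
  return m.S === 'U'
    ? roundUp(Math.min(impact + exploitability, 10))
    : roundUp(Math.min(1.08 * (impact + exploitability), 10));
}

// Demo with constructed vectors: same metrics, different component order.
if (typeof module !== 'undefined' && require.main === module) {
  const a = 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/MAV:A/MC:H';
  const b = 'CVSS:3.1/MC:H/MAV:A/C:L/I:L/A:N/AV:N/AC:L/PR:L/UI:N/S:U';
  console.log(canonicalize(a) === canonicalize(b), baseScore(a)); // true 5.4
}
```

Because every component is looked up by key, `a` and `b` canonicalize to the same string and score identically, which is the property the NVD calculator's positional URL parsing lacks; and a bad value such as `MUI:U` is reported as `invalid value "U" for metric "MUI"`, so the key is never lost from the message.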
Hi @saikop99 ,
I think you did a fine observation of a fluke in the vector parsing of another based on an issue in your own. I find that a cool way to approach your issues, doing some background search.
For my example, looking back, I see that if I copy the string back into the calculator, other results come out. I think your point is valid, but I did some wrong copying of the scores myself too.
Thank you for your support and the PR!
Hi. Just want to ask: are you going to release a new npm version for the fix? Thank you in advance, Rocco
@lambdacasserole
@HarmNullix @codethatrocks @saikop99 @security-breachlock This is fixed in v1.1.0 (now on npm).
I tried to put an extended CVSS score string I calculated using https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
The basic CVSS strings work perfectly, no trouble. The result, however, suggests that it is possible to put in an expanded string with temporal and environmental values (based on the output):
However, using an extended score seems to break the calculation and throws an error:
while it should give something like
Run on node 16.13.2.
Am I doing something wrong, is it a bug, or is this a part that is not implemented yet? It is strange that the error says value "U", while in the whole string not a single "U" value is found. It only exists in the "UI" and "MUI" keys. If not implemented, outputting the results should not be done, for it is confusing what the function of this calculator is.
Thank you for looking into this.
Full code: