lounagen
commented
3 years ago Hi @michael-hinterdorfer, Thanks for this patch, i've just encountered the same issue on environmental score.
About the getVector update, which compress/remove the undefined ( X ) metrics, i checked the specification and indeed we have the choice to keep them or not in the CVSS 3.1 vector.
The first online calculator removes them but the nist online calculator keeps them:
- first: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/MAV:N/MC:H
- nist: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/CR:X/IR:X/AR:X/MAV:N/MAC:X/MPR:X/MUI:X/MS:X/MC:H/MI:X/MA:X&version=3.1
Would it be acceptable, to simplify human eyes comparisons, grep, ... to have a getVector() without arg which do the default behaviour (the new one which removes or the previous one for retrocompatibility) and a getVector(includeAll = true/false) form which would allow to choose the expanded or compress form?
michael-hinterdorfer
sschuberth
NOT_DEFINED("X") -> otherwise the environmental score is zero if not all fields are setgetVector()method to only return vector fields that have a value assigned (allNOT_DEFINEDfields are removed from the vector string)the changes are based on the cvss-calculator script from first.org (https://www.first.org/cvss/calculator/cvsscalc31.js)