Fixed wrong environmental score calculation if MAC/MAV/MPR/MUI/MS are set to NOT_DEFINED

stevespringett / cvss-calculator

A Java library for calculating CVSSv2 and CVSSv3 scores and vectors

Apache License 2.0

39 stars 23 forks source link

Fixed wrong environmental score calculation if MAC/MAV/MPR/MUI/MS are set to NOT_DEFINED #35

Closed sapsimon closed 3 years ago

sapsimon commented 3 years ago

When MAC/MAV/MPR/MUI/MS was set to NOT_DEFINED the wrong score was calculated, because there was no fallback case to the "not modified" scores AC/AV/PR/UI/S, instead the score weight 0 was used. This caused wrong calculations (see regression tests)

stevespringett commented 3 years ago

Thanks for the PR. Does this only affect CVSS v3.1 or does it also impact v3.0?

sapsimon commented 3 years ago

As I have seen, this seem only to impact v3.1. v3.0 implementation does not contain the scores MAC/MAV/MPR/MUI/MS.

stevespringett commented 3 years ago

Thanks what my assumption was, but thanks for confirming.