Bug/compliance: metrics with invalid value gives NaN score
pandatix opened this issue · comments
Hello, according to the currently published specification Table 24, metrics could have a limited set of values as they are enumerated.
Nevertheless, after #1 you could provide the vector string from the URL as the previous FIRST calculators do (great feature btw 👍 ).
Using this, you could provide, for instance, the vector `CVSS:4.0/AV:F/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N` with the `AV` metric having the invalid value `F` through the URL https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:F/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, which is then parsed, supposed valid, and a score is computed: NaN (with rating Critical).
This could be considered part of CWE-20.
Such a bug/compliance issue is common in CVSS implementations, as I observed through many others, and you should consider ensuring each metric value is valid according to the specified enumerations (maybe by having a lookup table).