RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator

Home Page:https://redhatproductsecurity.github.io/cvss-v4-calculator/


Modified metrics should impact score

j--- opened this issue · comments

commented

When the env metrics are used to modify a base metric value, the score should be calculated as if the env metric is the value.

Note that, of the following scores, [1] and [2] should have the same output, but in fact [1] and [3] have the same output.

  1. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A
  2. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A
  3. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H

Perhaps something like this could be added to checkMetric(metric, value) for each modified env metric (except MSA and MSI, which are going to need to be special cases because of the way that MSA is the only place Safety can be selected).

Lines 124-126 make sense, but I think it needs something more to account for the env inputs affecting the computed score. Perhaps:

if (metric[0] == "M") {
    // Modified metric not set (X): compare against the corresponding base metric
    if (selected == "X") {
        return value == this.selectedValues[metric.slice(1)]
    }
    // Modified metric set: it overrides the base metric's value
    else {
        this.selectedValues[metric.slice(1)] = selected
        return value == selected
    }
}

Sorry, I don't speak javascript very well, but I hope this is intelligible to a human at least.

For MSA and MSI, it may need to be checked separately, since "S" won't be a legal SA or SI value. Or the macrovector lookup can change to account for this.

I think I do not understand correctly how the modified env metrics are supposed to be used.
Are either or both of the assumptions below true?

  1. If a modified metric is set, then treat the non-modified one as equal to the modified one for computation purposes.
  2. If a modified metric is not set, treat the modified one as equal to the non-modified one for computation purposes.

This may be overly simplistic, but the way I think of it is:

AV=$VALUE
if (MAV != X) AV=MAV

etc.

In other words, Modified versions of the Base Metrics completely override the value set for that Base Metric.

And as Jono said, MSI and MSA may have to be handled differently (although conceptually the same way) because there are additional values (S) that do not exist in the SI and SA base metrics.

I think I understand now. I used the following code instead:

// All other environmental metrics just overwrite base score values,
// so if they’re not defined just use the base score value.
if (Object.keys(this.selectedValues).includes("M" + metric)) {
    const modified_selected = this.selectedValues["M" + metric]
    // X (Not Defined) falls through to the base value; S (Safety) is only
    // legal on MSI/MSA and is handled separately, so it falls through too.
    if (modified_selected != "X" && modified_selected != "S") {
        return value == modified_selected
    }
}

I hope this issue is fixed by 5aa9724 . In case it is not, please let me know.
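The override rule discussed in this thread (a Modified metric replaces its base metric unless it is X, and S on MSI/MSA is not a legal SI/SA value so it has to be handled separately), applied to the three vectors from the issue, as an added stand-alone example that is not the calculator's own code. The parser, the function names and the `safety` flags are assumptions made for this example; the metric names and values come from the CVSS:4.0 vector strings quoted above.

```javascript
// Added example (not the calculator's own code): apply CVSS v4.0 environmental
// "Modified" metrics to their base metrics the way the thread describes, so that
// vector [1] from the issue yields the same effective base metrics as vector [2].

const BASE_METRICS = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"];

// Parse "CVSS:4.0/AV:N/AC:L/..." into an object {AV: "N", AC: "L", ...}.
// Assumption: vectors use the same "NAME:VALUE" segments as the ones in the issue.
function parseVector(vector) {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:4.0") {
    throw new Error("not a CVSS:4.0 vector: " + vector);
  }
  const values = {};
  for (const part of parts.slice(1)) {
    const [name, value] = part.split(":");
    if (!name || !value) throw new Error("malformed metric segment: " + part);
    values[name] = value;
  }
  return values;
}

// Effective base metric values after environmental overrides:
//  - a Modified metric set to anything but X replaces its base metric,
//  - X (Not Defined) or an absent Modified metric keeps the base value,
//  - S (Safety) is only legal on MSI/MSA and is not a legal SI/SA value, so the
//    base value is kept and the Safety override is reported in a separate
//    "safety" object for the macrovector lookup to deal with (assumed design).
function effectiveMetrics(values) {
  const effective = {};
  const safety = {};
  for (const base of BASE_METRICS) {
    const modified = values["M" + base];
    if (modified !== undefined && modified !== "X" && modified !== "S") {
      effective[base] = modified;
    } else {
      effective[base] = values[base];
    }
    if ((base === "SI" || base === "SA") && modified === "S") {
      safety[base] = true;
    }
  }
  return { effective, safety };
}

// The same question the thread's checkMetric() answers: after overrides, does
// this base metric have the given value?
function checkMetric(values, metric, value) {
  return effectiveMetrics(values).effective[metric] === value;
}

// Do two vectors collapse to the same effective base metrics?
function sameEffectiveBase(a, b) {
  const ea = effectiveMetrics(parseVector(a)).effective;
  const eb = effectiveMetrics(parseVector(b)).effective;
  return BASE_METRICS.every((m) => ea[m] === eb[m]);
}

// The three vectors [1], [2] and [3] quoted in the issue.
const V1 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A";
const V2 = "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A";
const V3 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H";

console.log("[1] == [2] after overrides:", sameEffectiveBase(V1, V2)); // true
console.log("[1] == [3] after overrides:", sameEffectiveBase(V1, V3)); // false
```

With the overrides applied, [1] and [2] are indistinguishable to the scoring step while [3] is not, which is exactly the behaviour the opening comment asks for; anything that still scores [1] and [3] the same is reading the base metric before the override.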