RedHatProductSecurity / cvss-v4-calculator

CVSS v4.0 calculator

Home Page: https://redhatproductsecurity.github.io/cvss-v4-calculator/

Discrepancy on score with certain vectors when compared to FIRST calculator

gscottwilson opened this issue · comments

While looking into the Red Hat and FIRST implementations of CVSS v4 calculators, we noticed a score discrepancy when certain metrics are selected.

Specifically: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Notice the Red Hat score in this case is 5.9 and FIRST's is 6.1:
https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Is this expected behavior and/or should I bring it up to FIRST?

This looks like a regression; my Go implementation computes 6.1 too :/
I'll try to find where the source is and post updates soon.

EDIT: had an emergency to handle...

Could be a regression in #52.

Yep, it is there.

@gscottwilson, can you please have a look?

Commit 266c4f6 gives 6.1.

Looks like the unrounded score in this case is 5.941666666666666, so the Red Hat calculator is correctly rounding to 5.9 and the FIRST calculator as deployed is incorrect at 6.1.

Unfortunately, rounding was not figured out yet by the SIG, so it is hard to tell which is right and which is wrong. However, I am unsure how 5.941666666666666 could incorrectly be rounded to 6.1; I would expect 6.0?

Anyway, I have a colleague who may have some time to tackle rounding issues for good somewhat soon™.

Sounds good. Thanks for the heads-up.

Had a chance to dive deeper on this and discovered it is indeed a regression due to my refactor. Apologies for the confusion introduced.
The 5.9 was a red herring and 6.1 was correct.
I've resolved the issue and am sending a PR for your review.