goark / go-cvss

Common Vulnerability Scoring System (CVSS)

Invalid CVSS v3 environmental score computation

pandatix opened this issue · comments

Still while fuzzing the implementation, I discovered that environmental scores were not computed properly, leading to invalid scores.
For instance, the following Go code computes the three scores and prints them.

```go
package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v3/metric"
)

func main() {
	vec, err := metric.NewEnvironmental().Decode("CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/MS:C")
	if err != nil {
		log.Fatal(err)
	}

	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}
```

produces ->

```
Scores: 5.4;5.4;6.4
```

You can check that this input is valid using the official first.org calculator, but it then computes an environmental score of 6.5.
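Added example, not part of the original issue and not go-cvss code: the CVSS v3.1 environmental equations from the specification, applied to the vector above. The names `weights`, `envScore` and `issueVector` are made up for this sketch. It shows that weighting PR:L as 0.68 (the changed-scope value, since MS:C is set) gives 6.5, while the unchanged-scope value 0.62 gives the reported 6.4; that this is the library's actual defect is an assumption, not something the issue states.

```go
package main

import (
	"fmt"
	"math"
)

// roundup is the Roundup function defined by the CVSS v3.1 specification.
func roundup(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000.0
	}
	return (math.Floor(float64(i)/10000) + 1) / 10.0
}

// weights holds the numeric metric values used by the environmental equations.
type weights struct {
	mav, mac, mpr, mui float64 // modified exploitability metrics
	mc, mi, ma         float64 // modified impact metrics
	cr, ir, ar         float64 // security requirements (1.0 when not defined)
	e, rl, rc          float64 // temporal metrics (1.0 when not defined)
}

// envScore implements the CVSS v3.1 environmental score equations.
func envScore(w weights, modifiedScopeChanged bool) float64 {
	miss := math.Min(1-(1-w.cr*w.mc)*(1-w.ir*w.mi)*(1-w.ar*w.ma), 0.915)
	impact := 6.42 * miss
	factor := 1.0
	if modifiedScopeChanged {
		impact = 7.52*(miss-0.029) - 3.25*math.Pow(miss*0.9731-0.02, 13)
		factor = 1.08
	}
	if impact <= 0 {
		return 0
	}
	expl := 8.22 * w.mav * w.mac * w.mpr * w.mui
	return roundup(roundup(math.Min(factor*(impact+expl), 10)) * w.e * w.rl * w.rc)
}

// issueVector gives AV:A/AC:H/PR:L/UI:N/C:H/I:L/A:N with a chosen PR:L weight
// (0.68 when the modified scope is changed, 0.62 when it is unchanged).
func issueVector(prLow float64) weights {
	return weights{0.62, 0.44, prLow, 0.85, 0.56, 0.22, 0, 1, 1, 1, 1, 1, 1}
}

func main() {
	fmt.Printf("MS:C, PR:L=0.68: %.1f\n", envScore(issueVector(0.68), true))
	fmt.Printf("MS:C, PR:L=0.62: %.1f\n", envScore(issueVector(0.62), true))
}
```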

Release v1.4.4