Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixed Environmental Score calculation in CvssV3_1 #17

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fixed Environmental Score calculation in CvssV3_1 #17

wants to merge 2 commits into from

Conversation

michael-hinterdorfer
Copy link
Contributor

@michael-hinterdorfer michael-hinterdorfer commented Feb 11, 2021
edited
Loading

  • fixed environmental score calculation by using base score values if the environmental score values are null or NOT_DEFINED ("X") -> otherwise the environmental score is zero if not all fields are set
  • updated getVector() method to only return vector fields that have a value assigned (all NOT_DEFINED fields are removed from the vector string)
  • added check for negative values (invalid, use zero instead)
  • updated/added tests

the changes are based on the cvss-calculator script from first.org (https://www.first.org/cvss/calculator/cvsscalc31.js)

@michael-hinterdorfer
Fixed Environmental Score calculation in CvssV3_1
f1b8231 
* fixed environmental score calculation by using base score values if the environmental score values are null or "X" (not defined) -> otherwise the environmental score is zero if not all fields are set
* updated getVector() method to only return vector fields that have a value assigned (all "X"/NOT_DEFINED fields are removed from the vector string)
* added check for negative values (invalid, use zero instead)
* updated/added tests
@lounagen
Copy link

lounagen commented Feb 17, 2021
edited
Loading

Hi @michael-hinterdorfer,
Thanks for this patch, i've just encountered the same issue on environmental score.

About the getVector update, which compress/remove the undefined ( X ) metrics, i checked the specification and indeed we have the choice to keep them or not in the CVSS 3.1 vector.
The first online calculator removes them but the nist online calculator keeps them:

Would it be acceptable, to simplify human eyes comparisons, grep, ... to have a getVector() without arg which do the default behaviour (the new one which removes or the previous one for retrocompatibility) and a getVector(includeAll = true/false) form which would allow to choose the expanded or compress form?

@michael-hinterdorfer
Copy link
Contributor Author

Hi @lounagen,
it's a good idea to add a second getVector() method with a parameter.
I will keep the current implementation as it is (remove X values) and add a second method for getting the whole vector (including X values).

nscuro added a commit to nscuro/cvss-calculator that referenced this pull request May 22, 2024
@nscuro @michael-hinterdorfer
Fix calculation of CVSSv3.1 environmental scores
2d45d9a 
* Fixed environmental score calculation by using base score values if the environmental score values are null or NOT_DEFINED ("X") -> otherwise the environmental score is zero if not all fields are set
* Adds check for negative values in `CvssV3#roundNearestTenth`

Extracted from stevespringett#17

Aligns `CvssV3_1#calculateScore` with the calculator from first.org (https://www.first.org/cvss/calculator/cvsscalc31.js).

Aside from fixing the score calculation, it also streamlines the calculation logic by removing unnecessary nesting.

Co-authored-by: Michael Hinterdorfer <[email protected]>
nscuro added a commit to nscuro/cvss-calculator that referenced this pull request May 22, 2024
@nscuro @michael-hinterdorfer
Fix calculation of CVSSv3.1 environmental scores
9b7c6a8 
* Fixed environmental score calculation by using base score values if the environmental score values are null or NOT_DEFINED ("X") -> otherwise the environmental score is zero if not all fields are set
* Adds check for negative values in `CvssV3#roundNearestTenth`

Extracted from stevespringett#17

Aligns `CvssV3_1#calculateScore` with the calculator from first.org (https://www.first.org/cvss/calculator/cvsscalc31.js).

Aside from fixing the score calculation, it also streamlines the calculation logic by removing unnecessary nesting.

Co-authored-by: Michael Hinterdorfer <[email protected]>
@nscuro nscuro mentioned this pull request May 22, 2024
Merged
@sschuberth sschuberth mentioned this pull request Sep 8, 2024
Closed
@sschuberth
Copy link
Contributor

I'm confused, is there anything in here that's still useful and not included in #89?

@sschuberth
Copy link
Contributor

I'm confused, is there anything in here that's still useful and not included in #89?

@nscuro can this PR be closed as yours was already merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@roesslerj roesslerj roesslerj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@michael-hinterdorfer @lounagen @sschuberth @roesslerj