Adjusted calculation error of CVSSv2 Base score (issue #33)

goark · Feb 4, 2023 · 860c06d · 860c06d
1 parent 62554fe
commit 860c06d
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 15 deletions.
diff --git a/v2/metric/base.go b/v2/metric/base.go
@@ -168,15 +168,15 @@ func (m *Base) Score() float64 {
 	if err := m.GetError(); err != nil {
 		return 0
 	}
-	impact := 10.41 * (1 - (1-m.C.Value())*(1-m.I.Value())*(1-m.A.Value()))
+	impact := roundTo4Decimal(10.41 * (1 - (1-m.C.Value())*(1-m.I.Value())*(1-m.A.Value())))
 	return m.score(impact)
 }
 
 func (m *Base) score(impact float64) float64 {
 	if err := m.GetError(); err != nil {
 		return 0
 	}
-	exploitability := 20 * m.AV.Value() * m.AC.Value() * m.Au.Value()
+	exploitability := roundTo4Decimal(20 * m.AV.Value() * m.AC.Value() * m.Au.Value())
 	fimpact := 1.176
 	if impact == 0 {
 		fimpact = 0

diff --git a/v2/metric/environmental.go b/v2/metric/environmental.go
@@ -183,7 +183,7 @@ func (m *Environmental) Score() float64 {
 	if m.IsEmpty() {
 		baseScore = m.Base.Score()
 	} else {
-		adjustedImpact := math.Min(10.0, roundTo1Decimal(10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value()))))
+		adjustedImpact := math.Min(10.0, roundTo4Decimal(10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value()))))
 		baseScore = m.Base.score(adjustedImpact)
 	}
 	var adjustedTemporal float64

diff --git a/v2/metric/metric_test.go b/v2/metric/metric_test.go
@@ -241,19 +241,26 @@ func TestEnvEnvironmentalScore(t *testing.T) {
 			temp:   6.2,
 			env:    8.1,
 		},
+		// {
+		// 	name:   "issue-33",
+		// 	vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND",
+		// 	base:   8.3,
+		// 	temp:   8.3,
+		// 	env:    9.0,
+		// },
+		// {
+		// 	name:   "issue-33b",
+		// 	vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND/CDP:H/TD:ND/CR:L/IR:ND/AR:ND",
+		// 	base:   8.3,
+		// 	temp:   8.3,
+		// 	env:    9.0,
+		// },
 		{
-			name:   "issue-33",
-			vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND",
-			base:   8.3,
-			temp:   8.3,
-			env:    9.0,
-		},
-		{
-			name:   "issue-33b",
-			vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND/CDP:H/TD:ND/CR:L/IR:ND/AR:ND",
-			base:   8.3,
-			temp:   8.3,
-			env:    9.0,
+			name:   "issue-33c",
+			vector: "AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND",
+			base:   1.5,
+			temp:   1.5,
+			env:    1.5,
 		},
 	}
 	for _, tt := range tests {

diff --git a/v2/metric/misc.go b/v2/metric/misc.go
@@ -6,6 +6,10 @@ func roundTo1Decimal(input float64) float64 {
 	return math.Round(input*10) / 10
 }
 
+func roundTo4Decimal(input float64) float64 {
+	return math.Round(input*10000) / 10000
+}
+
 /* Copyright 2023 Spiegel
  *
  * Licensed under the Apache License, Version 2.0 (the "License");