cvss: add package for dealing with CVSS scores #1143
Conversation
Codecov Report
@@ Coverage Diff @@
##             main    #1143      +/-   ##
==========================================
+ Coverage   53.33%   54.31%   +0.97%
==========================================
  Files         224      231       +7
  Lines       17166    17934     +768
==========================================
+ Hits         9156     9741     +585
- Misses       7170     7319     +149
- Partials      840      874      +34
#1144 came in shortly after I sent this. Here's the criticism of the quick-n-dirty CVSS support in the
In my defence for the last one, there's no specified qualitative mapping for v2 so I felt OK getting in the ballpark. @pandatix If I can harass you over here, I'm unclear on how/if the v3/v4 environmental scores are combined with the base scores. Are the base metrics just ignored if the environmental metrics are present?
I think this implementation is going to be generous with metric order on ingesting, seeing as the v4 spec is self-contradictory on this point.
Hey, no problem, if I can help you :) Yes, the idea of an Environmental metric that finds its equivalent in the Base metrics group (for instance Attack Vector / AV and Modified Attack Vector / MAV), if the Modified is not specified in a vector string representation or if it is set to Undefined / X and its Base equivalent value is used for further calculations. If not, it is the value of the Base equivalent that is used. So if MAV != X, take MAV, else take AV 🎉
Great, that makes sense. 👍
a5550e2 to f62b5ae
Going to make the decision to allow invalid orderings for vector parsing. Not doing this would mean not being able to implement v4 to spec while using the published examples. I also think the erratum that makes the spec internally consistent will have to allow for parsing in both the currently specified order and the examples order.
Hey, did you see an invalid-ordered vector in the specification/examples/guide? We won't come back on our decision of fixing the CVSS v4 metric order as it is justified by the fact that an unfixed ordering would not enable providing a valid regular expression for use (for front-end/back-end validation, as achieved in the CVE Schema). If you try you will end up with n! combinations and with 32 metrics the regular expression would be terabytes long.
9baae7c to 49da0a5
Yeah, as I pointed out on RedHatProductSecurity/cvss-v4-calculator#44, all the examples are invalid and the calculator is implemented with the invalid order. I think having the order specified is the correct choice, but unless all the examples are changed and all existing implementations are changed, any real implementation is going to need to accept both the specified order ( Given that this package isn't meant for validation and only emits valid vectors, I think being liberal in accepted input is fine.
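The two behaviours discussed in this thread, the "if MAV != X, take MAV, else take AV" override and accepting metrics in any order while only emitting canonically ordered vectors, as an added Go example (not the PR's own code). It uses the CVSS v3.1 metric names to stay short, checks metric names and the presence of the Base group but does not validate values or compute scores; `Parse`, `Effective` and `Canonical` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// CVSS v3.1 metric order (Base, Temporal, Environmental); the first 8 are mandatory.
const orderStr = "AV AC PR UI S C I A E RL RC CR IR AR MAV MAC MPR MUI MS MC MI MA"

// Parse accepts a CVSS:3.1 vector with metrics in any order (liberal input, as
// decided in the thread); it checks metric names and Base presence, not values.
func Parse(v string) (map[string]string, error) {
	parts := strings.Split(v, "/")
	if parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("unsupported prefix %q", parts[0])
	}
	m := make(map[string]string, len(parts))
	for _, p := range parts[1:] {
		k, val, ok := strings.Cut(p, ":")
		if _, dup := m[k]; !ok || val == "" || dup || !strings.Contains(" "+orderStr+" ", " "+k+" ") {
			return nil, fmt.Errorf("malformed, unknown or duplicate metric %q", p)
		}
		m[k] = val
	}
	for _, k := range strings.Fields(orderStr)[:8] {
		if _, ok := m[k]; !ok {
			return nil, fmt.Errorf("missing base metric %q", k)
		}
	}
	return m, nil
}

// Effective applies the rule from the thread: if the Modified metric is present
// and not "X", use it; otherwise fall back to its Base equivalent.
func Effective(m map[string]string, base string) string {
	if mv, ok := m["M"+base]; ok && mv != "X" {
		return mv
	}
	return m[base]
}

// Canonical re-emits the vector in specification order, omitting "X" (Not Defined).
func Canonical(m map[string]string) string {
	out := "CVSS:3.1"
	for _, k := range strings.Fields(orderStr) {
		if v, ok := m[k]; ok && v != "X" {
			out += "/" + k + ":" + v
		}
	}
	return out
}
```

Feeding it a constructed vector such as `CVSS:3.1/MAV:N/AC:L/AV:P/PR:N/UI:N/S:U/C:H/I:H/A:H/E:X` yields the canonical `CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/MAV:N`, with `Effective(m, "AV")` returning `N` because MAV overrides AV.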
85f5694 to 354cfde
The RedHat calculator is the official calculator, and you can easily check that here. As I already answered on your issue, the ordering problem lies in the specification and will be fixed soon. The examples in the CVSS v4.0 Examples are valid, so could you please highlight why you don't think so? I don't recommend validating invalid vectors i.e. the ones that do not fully comply with the CVSS v4.0 specification (Section 7 requires you to not do it too) as it may propagate invalid values through the supply-chain, mostly for safety reasons, and for compliance's sake. EDIT:
The RedHat official calculator is a direct implementation of the specification; this comment is completely invalid and misleading to the developers who will read this code. EDIT 2: I put this proposal implementation under the differential fuzzing of github.com/pandatix/go-cvss/differential and found multiple issues/vulnerabilities:
Implementing CVSS is not as easy as it looks, even with all the efforts we put into it 😉
I see there's a new revision of the spec, so I've updated the code. I think it's pretty impolite to describe implementing the specification as written as "implementing the standard so poorly." I stand by my comment about the javascript implementation, as the weights and specific ordering of "subvectors" can only be read out of the javascript implementation; they're not in the specification proper. Getting the same "highest-score" vector requires looking at the javascript implementation because it's not specified at all. I don't understand what you're saying about "upward provider pollution." We're always consuming data from vendors so if they're adding additional metrics, we want to make use of them.
10e5139 to 87d58ed
5918e50 to b1b6bf6
This adds a package for handling CVSS versions 2, 3.0, 3.1, and 4. The envisioned use case is for calculating scores and canonicalizing vector strings. Signed-off-by: Hank Donnay <hdonnay@redhat.com>
/fast-forward