Discrepancy on score with certain vectors when compared to FIRST calculator #53
Comments
|
This looks like a regression, my Go implem computes 6.1 too :/ EDIT: had an emergency to handle... |
|
Could be regression in #52 . |
|
Yep, it is there. |
|
@gscottwilson , can you please have look? |
|
Commit 266c4f6 gives 6.1. |
|
Looks like the unrounded score in this case is 5.941666666666666 so the redhat calculator is correctly rounding to 5.9 and the FIRST calculator as deployed is incorrect at 6.1 |
|
Unfortunately, rounding was not figured out yet by the SIG, so it is hard to tell which is right and which is wrong. However, I am unsure how 5.941666666666666 could incorrectly be rounded to 6.1, I would expect 6.0? Anyway, I have a colleague who may have some time to tackle rounding issues for good somewhat soon™. |
|
Sounds good. Thanks for the heads up |
|
Had a chance to dive deeper on this and discovered it is indeed a regression due to my refactor. Apologies for the confusion introduced. |
While looking into the RedHat and FIRST implementations of CVSSV4 calculators we noticed a score discrepancy when certain metrics are selected.
Specifically CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Notice the RedHat score in this case is 5.9 and FIRST is 6.1
https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Is this expected behavior and/or should I bring it up to FIRST?
The text was updated successfully, but these errors were encountered: