Discrepancy on score with certain vectors when compared to FIRST calculator #53
Comments
This looks like a regression, my Go implem computes 6.1 too :/ EDIT: had an emergency to handle...
Could be a regression in #52.
Yep, it is there.
@gscottwilson, can you please have a look?
Commit 266c4f6 gives 6.1.
Looks like the unrounded score in this case is 5.941666666666666, so the redhat calculator is correctly rounding to 5.9 and the FIRST calculator as deployed is incorrect at 6.1.
Unfortunately, rounding was not figured out yet by the SIG, so it is hard to tell which is right and which is wrong. However, I am unsure how 5.941666666666666 could incorrectly be rounded to 6.1, I would expect 6.0? Anyway, I have a colleague who may have some time to tackle rounding issues for good somewhat soon™.
Sounds good. Thanks for the heads up.
Had a chance to dive deeper on this and discovered it is indeed a regression due to my refactor. Apologies for the confusion introduced.
While looking into the RedHat and FIRST implementations of CVSSV4 calculators we noticed a score discrepancy when certain metrics are selected.
Specifically CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Notice the RedHat score in this case is 5.9 and FIRST is 6.1.
https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Is this expected behavior and/or should I bring it up to FIRST?