Invalid CVSS v2 environmental score computation

[pandatix]

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly computes CVSS v2 environmental scores (as for #18).

For instance, the vector AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND have an environmental score of 9.0, according to the NVD CVSS v2 calculator. Nevertheless, the following Go code illustrates this issue i.e. invalid scores.

package main

import (
	"fmt"
	"log"

	"github.com/goark/go-cvss/v2/metric"
)

func main() {
	raw := "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND"
	vec, err := metric.NewEnvironmental().Decode(raw)
	if err != nil {
		log.Fatal(err)
	}

	b, t, e := vec.Base.Score(), vec.Temporal.Score(), vec.Score()
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 8.3;8.3;9.1

[spiegel-im-spiegel]

Release v1.6.4.

[pandatix]

It was not fixed properly, as the vector AV:L/AC:M/Au:S/C:N/I:N/A:P/CDP:N/TD:ND/CR:M/IR:ND/AR:ND now produces an environmental score of 1.6 despite it effectively being 1.5.

[spiegel-im-spiegel]

Hmmm... Released v1.6.5. Is it OK?

[pandatix]

Now, the vector AV:A/AC:M/Au:S/C:C/I:C/A:C/CDP:N/TD:N/CR:M/IR:ND/AR:L returns an environmental score of 7.1 but should be 0.0.

[spiegel-im-spiegel]

Sorry! Released v1.6.6.

[spiegel-im-spiegel]

Thank you for many advices.

[pandatix]

Sorry, I still have some issues to raise about this, but I first need to fix the NVD due to the same issue :')

[pandatix]

Hi, sorry for the looong wait, seems like they won't fix it... So here is the issue !

Let's take again the CVSS v2 vector "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND" with Base and Environmental groups defined.
If we strictly apply the specified formulas section 3.2.3 for the adjusted impact, we end up with 9.60372468.
I didn't deeply checked where the issue occurs in your implementation, but for instance in the NVD implementation it occurs when computing the adjusted temporal. With formulas you have round_to_1_decimal(((0.6*9.60372468)+(0.4*6.4579328)-1.5)*1.176) = round_to_1_decimal(8.050199723328) = 8.1, when your implementation returns 8.0.
Maybe, due to this rounding edge case, you return an environmental score of 9.0 rather than 9.1 (would be worth to check this first).

[spiegel-im-spiegel]

🤔 ...

[pandatix]

Hey, any news on fixing it ?
It may be nice to get it before we release CVSS v4.0 thus your implementation could be used without this rounding issue :)

[spiegel-im-spiegel]

sorry.
I'm too busy with my day job to fix go-cvss.
There are no specific plans for CVSSv4 either.

[pandatix]

Oh, I'm sorry to hear that. If you think this is appropriate maybe archive the project to let it available while read-only. Hope you do well