This repository was archived by the owner on Sep 2, 2023. It is now read-only.

Invalid CVSS v2 environmental score computation #3

@pandatix

During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly compute the environmental score, and more precisely returns 0 when no environmental variable is set to a value different from ND (Not Defined).

In order to be compliant with the first.org specification Section 3.2.3, you must compute the environmental score given your metric values.

The following Go code illustrates this issue.

package main

import (
	"fmt"
	"log"

	cvss "github.com/attwad/gocvss"
)

func main() {
	raw := "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C"
	vec, err := cvss.Parse(raw)
	if err != nil {
		log.Fatal(err)
	}

	s := vec.Score()
	b, t, e := s.Base, s.Temporal, s.Environmental
	fmt.Printf("Scores: %.1f;%.1f;%.1f\n", b, t, e)
}

produces ->

Scores: 10.0;8.3;0.0
