Fixed calculation of CVSSv2 Environmental score (issue #33)

goark · Feb 4, 2023 · b07fdce · b07fdce
1 parent 059836d
commit b07fdce
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 8 deletions.
diff --git a/v2/metric/base.go b/v2/metric/base.go
@@ -2,7 +2,6 @@ package metric
 
 import (
 	"fmt"
-	"math"
 	"strings"
 
 	"github.com/goark/errs"
@@ -182,7 +181,7 @@ func (m *Base) score(impact float64) float64 {
 	if impact == 0 {
 		fimpact = 0
 	}
-	return math.Round(((0.6*impact)+(0.4*exploitability)-1.5)*fimpact*10) / 10
+	return roundTo1Decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * fimpact)
 }
 
 // GetSeverity returns severity by score of Base metrics

diff --git a/v2/metric/environmental.go b/v2/metric/environmental.go
@@ -183,7 +183,7 @@ func (m *Environmental) Score() float64 {
 	if m.IsEmpty() {
 		baseScore = m.Base.Score()
 	} else {
-		adjustedImpact := math.Min(10.0, 10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value())))
+		adjustedImpact := math.Min(10.0, roundTo1Decimal(10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value()))))
 		baseScore = m.Base.score(adjustedImpact)
 	}
 	var adjustedTemporal float64
@@ -195,7 +195,7 @@ func (m *Environmental) Score() float64 {
 	if m.IsEmpty() {
 		return adjustedTemporal
 	}
-	return math.Round((adjustedTemporal+(10-adjustedTemporal)*m.CDP.Value()*m.TD.Value())*10) / 10
+	return roundTo1Decimal(adjustedTemporal + (10-adjustedTemporal)*m.CDP.Value()*m.TD.Value())
 }
 
 // Severity returns severity by score of Environmental metrics

diff --git a/v2/metric/metric_test.go b/v2/metric/metric_test.go
@@ -241,6 +241,20 @@ func TestEnvEnvironmentalScore(t *testing.T) {
 			temp:   6.2,
 			env:    8.1,
 		},
+		{
+			name:   "issue-33",
+			vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND",
+			base:   8.3,
+			temp:   8.3,
+			env:    9.0,
+		},
+		{
+			name:   "issue-33b",
+			vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND/CDP:H/TD:ND/CR:L/IR:ND/AR:ND",
+			base:   8.3,
+			temp:   8.3,
+			env:    9.0,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -255,10 +269,10 @@ func TestEnvEnvironmentalScore(t *testing.T) {
 					t.Errorf("Metrics.TemporalScore() = %v, want %v", got, tt.env)
 				}
 				if got := m.Score(); got != tt.env {
-					t.Errorf("Metrics.EnvironmentalScore() = %v, want %v", got, tt.temp)
+					t.Errorf("Metrics.EnvironmentalScore() = %v, want %v", got, tt.env)
 				}
 				if got := m.String(); tt.vector != got {
-					t.Errorf("Metrics.String() = %v, want %v", got, tt.temp)
+					t.Errorf("Metrics.String() = %v, want %v", got, tt.vector)
 				}
 			}
 

diff --git a/v2/metric/misc.go b/v2/metric/misc.go
@@ -0,0 +1,22 @@
+package metric
+
+import "math"
+
+func roundTo1Decimal(input float64) float64 {
+	return math.Round(input*10) / 10
+}
+
+/* Copyright 2023 Spiegel
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * 	http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
diff --git a/v2/metric/temporal.go b/v2/metric/temporal.go
@@ -2,7 +2,6 @@ package metric
 
 import (
 	"fmt"
-	"math"
 	"strings"
 
 	"github.com/goark/errs"
@@ -165,7 +164,7 @@ func (m *Temporal) Score() float64 {
 }
 
 func (m *Temporal) score(baseScore float64) float64 {
-	return math.Round(baseScore*m.E.Value()*m.RL.Value()*m.RC.Value()*10) / 10
+	return roundTo1Decimal(baseScore * m.E.Value() * m.RL.Value() * m.RC.Value())
 }
 
 // GetSeverity returns severity by score of Base metrics