From b07fdce235e316f2a2199a032bbf6e2b15918d02 Mon Sep 17 00:00:00 2001
From: Spiegel
Date: Sat, 4 Feb 2023 10:37:56 +0900
Subject: [PATCH] Fixed calculation of CVSSv2 Environmental score (issue #33)
---
 v2/metric/base.go | 3 +--
 v2/metric/environmental.go | 4 ++--
 v2/metric/metric_test.go | 18 ++++++++++++++++--
 v2/metric/misc.go | 22 ++++++++++++++++++++++
 v2/metric/temporal.go | 3 +--
 5 files changed, 42 insertions(+), 8 deletions(-)
 create mode 100644 v2/metric/misc.go
diff --git a/v2/metric/base.go b/v2/metric/base.go
index 43e9556..641b375 100644
--- a/v2/metric/base.go
+++ b/v2/metric/base.go
@@ -2,7 +2,6 @@ package metric
 import (
 "fmt"
- "math"
 "strings"
 "github.com/goark/errs"
@@ -182,7 +181,7 @@ func (m *Base) score(impact float64) float64 {
 if impact == 0 {
 fimpact = 0
 }
- return math.Round(((0.6*impact)+(0.4*exploitability)-1.5)*fimpact*10) / 10
+ return roundTo1Decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * fimpact)
 }
 // GetSeverity returns severity by score of Base metrics
diff --git a/v2/metric/environmental.go b/v2/metric/environmental.go
index 810d699..007051f 100644
--- a/v2/metric/environmental.go
+++ b/v2/metric/environmental.go
@@ -183,7 +183,7 @@ func (m *Environmental) Score() float64 {
 if m.IsEmpty() {
 baseScore = m.Base.Score()
 } else {
- adjustedImpact := math.Min(10.0, 10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value())))
+ adjustedImpact := math.Min(10.0, roundTo1Decimal(10.41*(1-(1-m.C.Value()*m.CR.Value())*(1-m.I.Value()*m.IR.Value())*(1-m.A.Value()*m.AR.Value()))))
 baseScore = m.Base.score(adjustedImpact)
 }
 var adjustedTemporal float64
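Review bot: The new adjustedImpact line rounds an intermediate value before it reaches Base.score, and nothing on the line says why; a reader checking it against the written v2 formula could take the rounding for a mistake and remove it, reintroducing the score drift this commit fixes. A why-comment on the `+` line such as `// AdjustedImpact is rounded to one decimal before entering the base formula; see issue #33` would protect the fix. Whether the Impact value that Base.score receives on the non-environmental path gets the same treatment is not visible in this patch, so if the asymmetry is intentional it is worth stating there as well. Score's body starts and ends outside this hunk.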
@@ -195,7 +195,7 @@ func (m *Environmental) Score() float64 {
 if m.IsEmpty() {
 return adjustedTemporal
 }
- return math.Round((adjustedTemporal+(10-adjustedTemporal)*m.CDP.Value()*m.TD.Value())*10) / 10
+ return roundTo1Decimal(adjustedTemporal + (10-adjustedTemporal)*m.CDP.Value()*m.TD.Value())
 }
 // Severity returns severity by score of Environmental metrics
diff --git a/v2/metric/metric_test.go b/v2/metric/metric_test.go
index 0959daf..5a98d81 100644
--- a/v2/metric/metric_test.go
+++ b/v2/metric/metric_test.go
@@ -241,6 +241,20 @@ func TestEnvEnvironmentalScore(t *testing.T) {
 temp: 6.2,
 env: 8.1,
 },
+ {
+ name: "issue-33",
+ vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/CDP:H/TD:H/CR:L/IR:ND/AR:ND",
+ base: 8.3,
+ temp: 8.3,
+ env: 9.0,
+ },
+ {
+ name: "issue-33b",
+ vector: "AV:A/AC:L/Au:N/C:C/I:C/A:C/E:ND/RL:ND/RC:ND/CDP:H/TD:ND/CR:L/IR:ND/AR:ND",
+ base: 8.3,
+ temp: 8.3,
+ env: 9.0,
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -255,10 +269,10 @@ func TestEnvEnvironmentalScore(t *testing.T) {
 t.Errorf("Metrics.TemporalScore() = %v, want %v", got, tt.env)
 }
 if got := m.Score(); got != tt.env {
- t.Errorf("Metrics.EnvironmentalScore() = %v, want %v", got, tt.temp)
+ t.Errorf("Metrics.EnvironmentalScore() = %v, want %v", got, tt.env)
 }
 if got := m.String(); tt.vector != got {
- t.Errorf("Metrics.String() = %v, want %v", got, tt.temp)
+ t.Errorf("Metrics.String() = %v, want %v", got, tt.vector)
 }
 }
diff --git a/v2/metric/misc.go b/v2/metric/misc.go
new file mode 100644
index 0000000..ea60eef
--- /dev/null
+++ b/v2/metric/misc.go
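Review bot: The first context line of the `@@ -255,10 +269,10 @@` hunk, `t.Errorf("Metrics.TemporalScore() = %v, want %v", got, tt.env)`, has the same mismatched `want` argument that the two `+` lines below it correct, but it is left untouched. If the guard it belongs to (above the hunk, not visible here) compares against tt.temp, the message should be `t.Errorf("Metrics.TemporalScore() = %v, want %v", got, tt.temp)`; otherwise a failing temporal check would report the environmental expectation and mislead whoever debugs it. The enclosing test function starts before this hunk.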
@@ -0,0 +1,22 @@
+package metric
+
+import "math"
+
+func roundTo1Decimal(input float64) float64 {
+ return math.Round(input*10) / 10
+}
+
+/* Copyright 2023 Spiegel
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
diff --git a/v2/metric/temporal.go b/v2/metric/temporal.go
index 028423c..d3adb46 100644
--- a/v2/metric/temporal.go
+++ b/v2/metric/temporal.go
@@ -2,7 +2,6 @@ package metric
 import (
 "fmt"
- "math"
 "strings"
 "github.com/goark/errs"
@@ -165,7 +164,7 @@ func (m *Temporal) Score() float64 {
 }
 func (m *Temporal) score(baseScore float64) float64 {
- return math.Round(baseScore*m.E.Value()*m.RL.Value()*m.RC.Value()*10) / 10
+ return roundTo1Decimal(baseScore * m.E.Value() * m.RL.Value() * m.RC.Value())
 }
 // GetSeverity returns severity by score of Base metrics
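Review bot: roundTo1Decimal becomes the single rounding step shared by base.go, environmental.go and temporal.go in this patch, yet it carries no doc comment, and the new file places the license block after the code (whether the package's other files do the same is not visible here). A one-liner such as `// roundTo1Decimal rounds input to one decimal place, half away from zero (math.Round semantics); every score in this package goes through it.` would state the contract the three callers now depend on. Because input is a binary float, a value whose decimal expansion ends in 5 can sit just below the half boundary and round down, so a direct unit test of the helper with a few such boundary inputs would pin the behaviour the score tests rely on.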