
cvss-v4-calculator's Issues

CVSS vector should be generated in Base/Threat/Environmental/Supplemental order

When we asked to reorder the Base and Supplemental sections of the GUI, the vector string got inadvertently reordered as well. In all our docs, JSON, and regex, the official order of the CVSS vector string is:

AV/AC/AT/PR/UI/V[CIA]/S[CIA]/E/[CIA]R/MAV/MAC/MAT/MPR/MUI/MV[CIA]/MS[CIA]/S/AU/R/V/RE/U

(Base/Threat/Environmental/Supplemental)

Please keep the GUI arrangement as-is, but update the vector string generation order.

API endpoint

It would be a good idea to have another address which can be queried with a vector and just return a JSON with a result, maybe also copy of provided vector, something like:
https://redhatproductsecurity.github.io/cvss-v4-calculator/api/#CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

{
    "vector": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
    "score": 2.3,
    "severity": "low"
}

Reset button

A small usability preference would be a "reset" button that resets the vectors back to the "on-load" state and clears out the vector from the url string.

Low priority.

Show macro vector in a more transparent way

We like that you show the macro vector when hovering the mouse over the score. As you know, each of the six digits in the macro vector corresponds to one of the six equivalency sets. These six equivalency sets are really aggregate metrics with the names ‘exploitability’, ‘complexity’, ‘vulnerable system’, ‘subsequent system’, ‘exploitation’, and ‘security requirements’ respectively.

Would it be possible to show the value of each of these six metrics below the score? The value of the digits won’t be meaningful to people (especially since lower values are more severe). Thus, I’d map value 0 -> ‘High’, value 1 -> ‘Medium’, and value 2 -> ‘Low’. Note how I’m assuming you made the correction for equivalency set 3 per IMPROVEMENT 3 here. For example, I’m envisioning something like what I've typed below. We might ultimately want this to be displayed optionally (e.g., with a +/- sign toggle) but we can work on the best UI design later.

CVSS v4.0 Score 8.3 / High
Exploitability: High
Complexity: High
Vulnerable system: Medium
Subsequent system: Low
Exploitation: High
Security requirements: Medium

CVSS v4.0 should show only one score and call sections "metrics"

The calculator says ‘Base Score’ and then provides a score. However, CVSS no longer has separate base, temporal, and environmental scores. It should just say ‘CVSS v4.0 score’.

Below that you should have a title saying ‘Base Metrics’. And the ‘Threat Score’ title should be ‘Threat Metric’. And the ‘Environmental Score’ title should be ‘Environmental Metrics’.

Potential Incorrect Rounding For Final Score

Due to the issue where 0.1 + 0.2 !== 0.3 (but 0.30000000000000004) in JavaScript, it might cause unexpected results when the value is rounded to 1 decimal place with toFixed() at line 527 in app.js.

return value.toFixed(1)

For example, with the following vector, the score before rounding with toFixed(1) is 0.35. The expected final score should be 0.4, but we get 0.3 instead.

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

Just additional info: with this vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:P, the score before rounding is 8.95. The expected final score should be 9.0 (Critical), but we get 8.9 (High) instead, which results in a different severity rating.
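As an added example (not the calculator's own code), the two pre-rounding values from this report run through the toFixed(1) path and through a rounding that shifts the decimal point in the number's printed decimal form instead of multiplying, together with the CVSS v4.0 qualitative rating scale, to show the severity flip:

```javascript
// The approach the report describes: toFixed(1) rounds the exact binary value,
// and 0.35 is stored as 0.34999999999999997..., so it rounds down to "0.3".
function roundScoreToFixed(value) {
  return value.toFixed(1);
}

// Shift the decimal point in the shortest decimal string JavaScript prints for
// the number ("0.35" -> "0.35e1" -> 3.5) rather than multiplying by 10, so the
// intended decimal value is what gets rounded. Numbers that already print in
// exponent form (e.g. 1e-7) fall back to plain scaling.
function roundScore(value) {
  if (!Number.isFinite(value)) return value;
  if (String(value).includes("e")) return Math.round(value * 10) / 10;
  const shifted = Number(`${value}e1`);
  return Number(`${Math.round(shifted)}e-1`);
}

// Qualitative severity rating scale from the CVSS v4.0 specification,
// applied to an already rounded score.
function severityRating(score) {
  if (score === 0) return "None";
  if (score < 4) return "Low";
  if (score < 7) return "Medium";
  if (score < 9) return "High";
  return "Critical";
}

// Side-by-side result for one pre-rounding value (constructed helper).
function compareRounding(value) {
  const viaToFixed = Number(roundScoreToFixed(value));
  const viaShift = roundScore(value);
  return {
    toFixed: viaToFixed, ratingToFixed: severityRating(viaToFixed),
    shifted: viaShift, ratingShifted: severityRating(viaShift),
  };
}
```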

Question: How do CVSS v4.0 Nomenclatures map to CVSS 3.x score types?

Hello,

I apologize if this isn't the appropriate place for my question, but I'm trying to understand the scoring system in CVSS v4.0 more clearly.

From the documentation and resources I've seen so far, it appears that CVSS v4.0 produces a single score, with different nomenclatures like CVSS-BE, CVSS-BT, etc., depending on which metrics are used.

Could you clarify how these nomenclatures relate to the types of scores we had in CVSS 3.x?


In CVSS 3.x, we had multiple types of scores:

  • Base
  • Impact
  • Exploitability
  • Temporal
  • Environmental
  • Modified Impact
  • Overall

But in CVSS v4.0, it seems like there's only one score, the meaning of which changes based on which parts of the vector are filled out. Could you please clarify this?


Or, some more detailed questions:

  • is a CVSS-BE score analogous to what was previously considered an Environmental Score in CVSS 3.x?
  • if I have a CVSS-BE score, can I omit the Environmental metrics to derive what would have been considered a Base Score in the previous version?

Thank you for your time and assistance.

Modified metrics should impact score

When the env metrics are used to modify a base metric value, the score should be calculated as if the env metric is the value.

Note that, of the following, [1] and [2] should have the same output, but in fact [1] and [3] have the same output.

  1. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A
  2. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A
  3. https://skontar.github.io/cvss-v4.0-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H

Perhaps something like this could be added to checkMetric(metric, value) for each modified env metric (except MSA and MSI, which are going to need to be special cases because MSA is the only place Safety can be selected).

Lines 124-126 make sense, but I think it needs something more to account for the env inputs affecting the computed score. Perhaps:

if (metric[0] == "M") {
    // Modified metric left at "X" (Not Defined): compare against the Base metric it modifies
    if (selected == "X") {
        return value == this.selectedValues[metric.slice(1)]
    }
    // Otherwise the modified value is the one that counts
    else {
        return value == selected
    }
}

Sorry, I don't speak javascript very well, but I hope this is intelligible to a human at least.

For MSA and MSI, it may need to be checked separately, since "S" won't be a legal SA or SI value. Or the macrovector lookup can change to account for this.
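As an added example (not the calculator's code), the Modified-overrides-Base resolution this report asks for, run over the three vectors above; it assumes well-formed vectors and passes an MSI/MSA value of "S" through unchanged for the lookup to treat as its own level:

```javascript
// Turns "CVSS:4.0/AV:N/.../MAV:P" into { AV: "N", ..., MAV: "P" }.
// Assumes a well-formed vector; validation is a separate concern.
function toMetrics(vector) {
  const body = vector.replace(/^CVSS:4\.0\//, "");
  return Object.fromEntries(body.split("/").map((part) => part.split(":")));
}

// Base metrics that have an Environmental "M" counterpart.
const MODIFIABLE = ["AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA"];

// The value the score should be computed from: the Modified metric when it is
// set to anything other than "X" (Not Defined), otherwise the Base metric.
// MSI/MSA may yield "S" (Safety), a level no Base metric can hold, so the
// macrovector lookup has to handle it as its own (most severe) level.
function effectiveValue(metrics, name) {
  const modified = metrics["M" + name];
  return modified !== undefined && modified !== "X" ? modified : metrics[name];
}

// Resolves every modifiable Base metric, so two vectors that arrive at the same
// final values (via Base or via Modified metrics) compare equal.
function effectiveBase(vector) {
  const metrics = toMetrics(vector);
  return Object.fromEntries(MODIFIABLE.map((name) => [name, effectiveValue(metrics, name)]));
}

// The three vectors from the report above.
const VECTOR_1 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A";
const VECTOR_2 = "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A";
const VECTOR_3 = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/CR:H/IR:H/AR:H";

// [1] and [2] resolve to the same effective metrics; [3] does not.
function sameEffectiveBase(a, b) {
  return JSON.stringify(effectiveBase(a)) === JSON.stringify(effectiveBase(b));
}
```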

Macrovector=1 does not always mean "Medium"

I think the data structure in

cvssMacroVectorValues = {
"0": "High",
"1": "Medium",
"2": "Low",
"3": "None",
}

is incorrect in its assumption that a macrovector value of 1 always means "Medium".

Macrovectors 1, 3, 4, and 5 can take on 3 values (0, 1, 2) so it makes sense that they would have "High, Medium, Low" mapped onto these.

However, Macrovectors 2 and 6 only have 2 values (0,1), which means the data structure referenced above will translate that in the UI to "High, Medium". This begs the question "What about Low?"

(Screenshot 2023-10-05 at 9:22:22 AM)

I would expect the above to be Low, Low, Low, Low, High, Low instead of Low, Medium, Low, Low, High, Medium.

It seems like the translation for Macrovectors 2 and 6 needs to use a different lookup table. Perhaps something like:

cvssMacroVectorValues2 = {
  "0": "High",
  "1": "Low",
  "2": "None",
}

Incorrect metric order

"VC": ["H", "L", "N"],
"VI": ["H", "L", "N"],
"VA": ["H", "L", "N"],
"SC": ["H", "L", "N"],
"SI": ["H", "L", "N"],
"SA": ["H", "L", "N"],

The metric order is incorrect per spec.

A vector string must contain metrics in the order shown in Table 23, every other ordering is invalid.

Table 23: Base, Threat and Environmental Vectors

Metric Name (and Abbreviated Form)
...
Vulnerable System Confidentiality Impact (VC)
Subsequent System Confidentiality Impact (SC)
Vulnerable System Integrity Impact (VI)
Subsequent System Integrity Impact (SI)
Vulnerable System Availability Impact (VA)
Subsequent System Availability Impact (SA)
...

Invalid vector validation

Let's take the following invalid vector: /AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N (missing CVSS v4.0 prefix).
Due to the missing prefix check, the current implementation validates the previous example.

The fix is to check that the vector string begins with CVSS:4.0.

Bug/compliance: metrics could be defined more than once

Hello, according to the currently published specification, section "Vector String", it is stated that "A vector string must not include the same metric more than once".

Nevertheless, after #1 you could provide the vector string from the URL, as the previous FIRST calculators do (great feature btw 👍 ).
Using this, you could provide, for instance, the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AV:A with the AV metric defined twice (head and tail) through the URL https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/AV:A, which is then parsed and treated as valid.

Because of the current parsing, the last time a metric is specified in the input, the corresponding value is set. This could be considered part of CWE-20.

Such a bug/compliance issue is common in CVSS implementations, as I have observed in many others, and you should consider ensuring each metric is defined at most once (maybe using a map and checking it has not already been processed).

Refactor to reduce dependency on Vue

Would it be possible to refactor this code so the CVSS V4 score function can be called as a JavaScript function without the dependency on Vue?

EQ3 needs to be changed to [0-2]

EQ3 was, during development, set to the values 0, 2, and 3. The corresponding vector lookup also used those values.
This now needs to change so the values are 0-2 and the vector lookup matches.

Discrepancy on score with certain vectors when compared to FIRST calculator

While looking into the RedHat and FIRST implementations of the CVSS v4 calculator, we noticed a score discrepancy when certain metrics are selected.

Specifically CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Notice that the RedHat score in this case is 5.9 and FIRST's is 6.1:
https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Is this expected behavior and/or should I bring it up to FIRST?

Cannot run the code locally.

This may just be that I don't know enough about setting up a Vue app, and not really an issue. I also don't want to give you unnecessary work. However, I cloned your code so I can run it locally and debug it using VS Code, but I'm running into issues trying to figure out how to set this up. I've not set up a GitHub JavaScript app before, nor have I used Vue, so this could be something simple. However, it references Vue in the app.js file, which throws this error when I use npm run: ReferenceError: Vue is not defined, from this line of code: const app = Vue.createApp({ ... in app.js. I was trying to set it up with Node.js and npm since I've used them in the past.

Also, there is a reference to the Vue CDN in index.html:

<script src="https://unpkg.com/[email protected]/dist/vue.global.prod.js"></script> and it's at the top of the scripts, so I would have thought it would have resolved itself.

I also don't see any node_modules or vue folders, nor a package.json. I assumed I had to build them and tried, but it didn't work. I'm not sure what is needed for this to run for my use case.

I didn't see anything in the license that would prevent me from doing this, and I'm trying to understand CVSS more and the scoring for my job at work evaluating software. There really isn't any guide to setting this up, and I didn't know if that was by design or just something not considered important, time-wise.

I can open the HTML file in a browser so it runs that way, but I'm wanting to debug things line by line. Any ideas as to what I need to do and the steps for this to run in VS Code or something similar?

Any help or explanation would be appreciated.

0.0 score handled properly

We will need a new element in the lookup table for 0.0. The problem is we also need a new macrovector for it.

Table lookup, something like:

"..44..": {
    "base_score": "0.0",
    "qual_score": "None"
  }

Implementation question: whether we actually cycle through all the options (004400, 004401, 004402, etc.) and map them all to 0.0, or do wildcarding somehow.

This also requires a change to macroVector() in index to generate the right 0.0 score, which is actually surprisingly annoying because all six impact metrics (VC, VI, VA, SC, SI, SA) have to have the value 'N'; if it is just the first three, you don't want to generate a '4' for that macrovector because it will break the other scoring (so in general, 'N' 'N' 'N' should get mapped to '3' in the bitmask).

It's possible that

else if (this.checkMetric("VC", "N")
         && this.checkMetric("VI", "N")
         && this.checkMetric("VA", "N")
         && this.checkMetric("SC", "N")
         && this.checkMetric("SI", "N")
         && this.checkMetric("SA", "N")) {
    // all six impact metrics are None: use the extra level reserved for the 0.0 score
    eq3 = 4
}

would do it, with an equivalent branch for eq4.

Provider Urgency (U): White → Clear

Very late in the discussion about Provider Urgency, it was pointed out that CVSS should follow the latest color-coding of TLP, which (among other things) renamed TLP:WHITE to TLP:CLEAR. The CVSS v4.0 calculator and spec should also reflect this change.

Please change references from "White" to "Clear" in the GUI and resultant metric string.

Bug/compliance: metrics with invalid value gives NaN score

Hello, according to the currently published specification, Table 24, metrics can only have a limited set of values, as they are enumerated.

Nevertheless, after #1 you could provide the vector string from the URL, as the previous FIRST calculators do (great feature btw 👍 ).
Using this, you could provide, for instance, the vector CVSS:4.0/AV:F/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N with the AV metric having the invalid value F through the URL https://redhatproductsecurity.github.io/cvss-v4-calculator/#CVSS:4.0/AV:F/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, which is then parsed, treated as valid, and a score is computed: NaN (with rating Critical).

This could be considered part of CWE-20.

Such a bug/compliance issue is common in CVSS implementations, as I have observed in many others, and you should consider ensuring each metric value is valid according to the specified enumerations (maybe by having a lookup table).
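One validating parser that covers this report and the two earlier ones on invalid vectors (missing CVSS:4.0 prefix, a metric defined twice) plus the metric-order rule from the first issue; this is an added example, not the calculator's code. It assumes the vector-string order quoted in the first issue (AV/AC/AT/PR/UI/VC/VI/VA/SC/SI/SA/E/CR/IR/AR/M.../S/AU/R/V/RE/U), the Table 24 enumerations, and Provider Urgency already renamed to Clear.

```javascript
// Allowed values for each metric, in the official vector-string order
// (Base / Threat / Environmental / Supplemental). Single-letter values are
// packed into a string; Provider Urgency (U) uses whole words.
const METRICS = [
  ["AV", "NALP"], ["AC", "LH"], ["AT", "NP"], ["PR", "NLH"], ["UI", "NPA"],
  ["VC", "HLN"], ["VI", "HLN"], ["VA", "HLN"], ["SC", "HLN"], ["SI", "HLN"], ["SA", "HLN"],
  ["E", "XAPU"],
  ["CR", "XHML"], ["IR", "XHML"], ["AR", "XHML"],
  ["MAV", "XNALP"], ["MAC", "XLH"], ["MAT", "XNP"], ["MPR", "XNLH"], ["MUI", "XNPA"],
  ["MVC", "XHLN"], ["MVI", "XHLN"], ["MVA", "XHLN"],
  ["MSC", "XHLN"], ["MSI", "XSHLN"], ["MSA", "XSHLN"],
  ["S", "XNP"], ["AU", "XNY"], ["R", "XAUI"], ["V", "XDC"], ["RE", "XLMH"],
  ["U", ["X", "Clear", "Green", "Amber", "Red"]],
];
const BASE_METRIC_COUNT = 11; // AV through SA are mandatory
const PREFIX = "CVSS:4.0/";

// Returns { ok: true, metrics } for a valid vector, else { ok: false, error }.
// Rejects a missing prefix, unknown metrics, values outside the enumeration,
// a metric given twice and metrics out of order, instead of silently keeping
// the last occurrence or scoring an unknown value as NaN.
function validateVector(vector) {
  const fail = (error) => ({ ok: false, error });
  if (typeof vector !== "string" || !vector.startsWith(PREFIX)) {
    return fail(`vector must begin with ${PREFIX}`);
  }
  const metrics = {};
  let lastIndex = -1;
  for (const part of vector.slice(PREFIX.length).split("/")) {
    const [name, value, ...extra] = part.split(":");
    if (value === undefined || extra.length > 0) return fail(`malformed metric "${part}"`);
    const index = METRICS.findIndex(([m]) => m === name);
    if (index < 0) return fail(`unknown metric "${name}"`);
    if (name in metrics) return fail(`metric "${name}" is defined more than once`);
    if (index < lastIndex) return fail(`metric "${name}" is out of order`);
    const spec = METRICS[index][1];
    const allowed = typeof spec === "string" ? spec.split("") : spec;
    if (!allowed.includes(value)) return fail(`invalid value "${value}" for metric "${name}"`);
    metrics[name] = value;
    lastIndex = index;
  }
  for (const [name] of METRICS.slice(0, BASE_METRIC_COUNT)) {
    if (!(name in metrics)) return fail(`mandatory Base metric "${name}" is missing`);
  }
  return { ok: true, metrics };
}
```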
