
Macrovector=1 does not always mean "Medium"

Open ahouseholder opened this issue 9 months ago • 3 comments

I think the data structure in https://github.com/RedHatProductSecurity/cvss-v4-calculator/blob/5d7a90c66be1f0c1432f8c279e12e856943b7efb/cvss_details.js#L13-L18

is incorrect in its assumption that a macrovector value of 1 always means "Medium".

Macrovectors 1, 3, 4, and 5 can take on 3 values (0, 1, 2) so it makes sense that they would have "High, Medium, Low" mapped onto these.

However, Macrovectors 2 and 6 only have 2 values (0,1), which means the data structure referenced above will translate that in the UI to "High, Medium". This begs the question "What about Low?"

[Image: Screenshot 2023-10-05 at 9 22 22 AM]

I would expect the above to be Low, Low, Low, Low, High, Low instead of Low, Medium, Low, Low, High, Medium.

It seems like the translation for Macrovectors 2 and 6 needs to use a different lookup table. Perhaps something like:

```javascript
// Proposed lookup table for Macrovectors 2 and 6
const cvssMacroVectorValues2 = {
  "0": "High",
  "1": "Low",
  "2": "None",
};
```

ahouseholder Oct 05 '23 13:10
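The mismatch reported above, as an added example that is not part of the original issue or the project's code: it labels a macrovector once with a single shared table (the behaviour the issue describes) and once with a table chosen per position, and rejects digits a position cannot take. All identifiers and the sample macrovector `212201` are assumptions constructed to match the labels quoted in the issue; the two-level table omits a `"2"` entry because the issue states positions 2 and 6 only take 0 or 1.

```javascript
// Added example: names below are hypothetical, not taken from cvss_details.js.

// Single shared table, as the issue describes the current behaviour.
const SHARED_LABELS = { "0": "High", "1": "Medium", "2": "Low" };

// Levels per macrovector position, per the issue:
// positions 1, 3, 4, 5 take 0..2; positions 2 and 6 take 0..1.
const LEVELS_PER_POSITION = [3, 2, 3, 3, 3, 2];

// Label set chosen by how many levels a position has.
const LABELS_BY_LEVEL_COUNT = {
  3: ["High", "Medium", "Low"],
  2: ["High", "Low"],
};

// Validate a six-digit macrovector and return its digits as numbers.
function parseMacroVector(mv) {
  if (typeof mv !== "string" || !/^\d{6}$/.test(mv)) {
    throw new RangeError(`macrovector must be six digits, got ${JSON.stringify(mv)}`);
  }
  return [...mv].map((ch, i) => {
    const value = Number(ch);
    const max = LEVELS_PER_POSITION[i] - 1;
    if (value > max) {
      throw new RangeError(`position ${i + 1} accepts 0..${max}, got ${value}`);
    }
    return value;
  });
}

// Labels produced when every position shares one table.
function labelsShared(mv) {
  return parseMacroVector(mv).map((v) => SHARED_LABELS[String(v)]);
}

// Labels produced when two-level positions get their own table.
function labelsPerPosition(mv) {
  return parseMacroVector(mv).map(
    (v, i) => LABELS_BY_LEVEL_COUNT[LEVELS_PER_POSITION[i]][v]
  );
}

// Constructed sample matching the labels quoted in the issue.
const sample = "212201";
console.log("shared:      ", labelsShared(sample).join(", "));
console.log("per position:", labelsPerPosition(sample).join(", "));
```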