CVSS v3 base metrics are order-dependent

Question

CVSS v3 base metrics are order-dependent

Brcrwilliams opened this issue 2 years ago · 1 comments

Subject of the issue

The CVSS v3.1 and CVSS v3.0 specifications state the following:

Programs reading CVSS v3.[1,0] vector strings must accept metrics in any order

However, when re-ordering the base metrics in a v3.1 or v3.0 vector string,
cvss-suite considers the vector to be invalid.

Your environment

version of cvss-suite gem: 3.0.1
version of ruby: ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [arm64-darwin21]

Steps to reproduce

Run this program:

require 'cvss_suite'

puts CvssSuite.new("CVSS:3.1/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?
puts CvssSuite.new("CVSS:3.0/A:L/I:L/C:N/S:C/AV:N/UI:N/PR:L/AC:H").valid?

Expected behaviour

The program should output:

true
true

Actual behaviour

The program ouputs:

false
false

Answer 1 · 2022-09-15T17:57:55.000Z

@Brcrwilliams thanks for pointing it out, never noticed it. 👍 Will update the gem as soon as I find time (either in the next days or in about two weeks after my vacation).