CVSS Vector that has missing fields is accepted as valid
Closed · 1 comment
Subject of the issue
We are updating the gem version from 1.2.3 to 3.2.1. In version 1.2.3 a CvssSuite created from a vector like this:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/
would return false when valid? was called on it, since it lacks the RC part. But with the new version, the RC part is set to X by default, and valid? returns true.
Your environment
- version of cvss-suite gem: 3.2.1
- version of ruby: 3.2.2
Steps to reproduce
require 'cvss_suite'  # the gem's require name, needed for the snippet to run stand-alone
cvss = CvssSuite.new('CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/')
cvss.valid?
==> returns true
Expected behaviour
It should return false
Actual behaviour
It returns true
Hello @atalayozmen,
Yes, this behavior was changed in 3.1.0. Actually, it wasn't correct before, but it is now. A missing attribute which is optional is set to X. Take a look at the official CVSS 3.1 calculator; it will also correctly calculate the score for your vector.
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O
From the official specification:
Temporal and Environmental metrics are optional, and omitted metrics are considered to have the value of Not Defined (X).
Will close this issue.
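The rule the maintainer quotes, worked through as an added example (this is not the reporter's, the maintainer's or the cvss-suite gem's code): a small CVSS 3.1 parser in Ruby that treats the eight base metrics as mandatory, fills in omitted temporal and environmental metrics as X, rejects unknown, malformed or duplicated metrics, and computes the base and temporal scores so that the contribution of RC:X (a factor of 1.0) is visible. The module name Cvss31Example and the decision to tolerate one trailing "/" (as in the reporter's vector) are my choices; the metric weights and the Roundup function are those of the CVSS v3.1 specification.

```ruby
# Added example for this issue thread, not code from the cvss-suite gem or
# from either participant. It implements the rule the maintainer quotes from
# the CVSS v3.1 specification: the eight base metrics are mandatory; temporal
# and environmental metrics are optional and an omitted one is Not Defined (X).
# Metric weights and the Roundup function are taken from the specification.
module Cvss31Example
  PREFIX = 'CVSS:3.1/'

  # Permitted values per metric. Base metrics have no X value.
  BASE = {
    'AV' => %w[N A L P], 'AC' => %w[L H], 'PR' => %w[N L H], 'UI' => %w[N R],
    'S' => %w[U C], 'C' => %w[H L N], 'I' => %w[H L N], 'A' => %w[H L N]
  }.freeze
  TEMPORAL = { 'E' => %w[X H F P U], 'RL' => %w[X U W T O], 'RC' => %w[X C R U] }.freeze
  ENVIRONMENTAL = {
    'CR' => %w[X H M L], 'IR' => %w[X H M L], 'AR' => %w[X H M L],
    'MAV' => %w[X N A L P], 'MAC' => %w[X L H], 'MPR' => %w[X N L H], 'MUI' => %w[X N R],
    'MS' => %w[X U C], 'MC' => %w[X H L N], 'MI' => %w[X H L N], 'MA' => %w[X H L N]
  }.freeze
  OPTIONAL = TEMPORAL.merge(ENVIRONMENTAL).freeze

  # Numeric weights from the specification (those needed for base and temporal scores).
  AV = { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 }.freeze
  AC = { 'L' => 0.77, 'H' => 0.44 }.freeze
  PR_UNCHANGED = { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 }.freeze
  PR_CHANGED = { 'N' => 0.85, 'L' => 0.68, 'H' => 0.5 }.freeze
  UI = { 'N' => 0.85, 'R' => 0.62 }.freeze
  CIA = { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }.freeze
  E = { 'X' => 1.0, 'H' => 1.0, 'F' => 0.97, 'P' => 0.94, 'U' => 0.91 }.freeze
  RL = { 'X' => 1.0, 'U' => 1.0, 'W' => 0.97, 'T' => 0.96, 'O' => 0.95 }.freeze
  RC = { 'X' => 1.0, 'C' => 1.0, 'R' => 0.96, 'U' => 0.92 }.freeze

  # Returns metric name => value, or nil if the vector is invalid.
  # Omitted optional metrics become 'X'; an omitted base metric makes the vector invalid.
  def self.parse(vector)
    return nil unless vector.is_a?(String) && vector.start_with?(PREFIX)
    body = vector.delete_prefix(PREFIX).chomp('/') # my choice: tolerate one trailing "/"
    metrics = {}
    body.split('/', -1).each do |pair|
      name, value = pair.split(':', 2)
      allowed = BASE[name] || OPTIONAL[name]
      return nil unless allowed && allowed.include?(value) # unknown metric or bad value
      return nil if metrics.key?(name)                     # metric given twice
      metrics[name] = value
    end
    return nil unless (BASE.keys - metrics.keys).empty?    # a mandatory base metric is missing
    OPTIONAL.each_key { |k| metrics[k] ||= 'X' }
    metrics
  end

  def self.valid?(vector)
    !parse(vector).nil?
  end

  # Roundup as defined in CVSS v3.1 (integer arithmetic avoids float surprises at boundaries).
  def self.roundup(value)
    i = (value * 100_000).round
    (i % 10_000).zero? ? i / 100_000.0 : (i / 10_000 + 1) / 10.0
  end

  def self.base_score(m)
    changed = m['S'] == 'C'
    iss = 1 - (1 - CIA[m['C']]) * (1 - CIA[m['I']]) * (1 - CIA[m['A']])
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
    pr = (changed ? PR_CHANGED : PR_UNCHANGED)[m['PR']]
    exploitability = 8.22 * AV[m['AV']] * AC[m['AC']] * pr * UI[m['UI']]
    return 0.0 if impact <= 0
    sum = impact + exploitability
    roundup([changed ? 1.08 * sum : sum, 10].min)
  end

  # Temporal score: every omitted (X) temporal metric contributes a factor of 1.0.
  def self.temporal_score(m)
    roundup(base_score(m) * E[m['E']] * RL[m['RL']] * RC[m['RC']])
  end

  # Scores for a vector string; nil when the vector is invalid.
  def self.score(vector)
    m = parse(vector)
    m && { base: base_score(m), temporal: temporal_score(m), rc: m['RC'] }
  end
end

# Usage: the vector from this issue (trailing "/" and no RC metric), the same
# vector with RC:X written out, and a vector that is missing a base metric.
if __FILE__ == $PROGRAM_NAME
  [
    'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/',
    'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:X',
    'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/E:U/RL:O'
  ].each { |v| puts "#{v} => #{Cvss31Example.score(v).inspect}" }
end
```

The reporter's vector parses with RC filled in as X and scores identically to the version that spells out RC:X, which is the behaviour the maintainer describes; what a validator should still reject is a vector that omits one of the eight base metrics, repeats a metric, or carries a value the specification does not define, and those are the cases the parser above returns nil for.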