Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cvss: bugs, tests #1386

Merged
merged 3 commits into from
Dec 23, 2024
Merged

cvss: bugs, tests #1386

merged 3 commits into from
Dec 23, 2024

Conversation

hdonnay
Copy link
Member

@hdonnay hdonnay commented Aug 20, 2024
edited
Loading

This fixes some bugs and moves the test fixtures to external files (something that was bugging me).

Closes: #1382

@hdonnay hdonnay requested a review from a team as a code owner August 20, 2024 16:25
@hdonnay hdonnay requested review from crozzy and removed request for a team August 20, 2024 16:25
@hdonnay hdonnay changed the title cvss: bugs tests cvss: bugs, tests Aug 20, 2024
@codecov Codecov
Copy link

codecov bot commented Aug 20, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 55.30%. Comparing base (4011b96) to head (0ec0489).

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1386      +/-   ##
==========================================
- Coverage   55.37%   55.30%   -0.07%     
==========================================
  Files         282      282              
  Lines       17836    17836              
==========================================
- Hits         9876     9864      -12     
- Misses       6927     6934       +7     
- Partials     1033     1038       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@hdonnay hdonnay force-pushed the hack/cvss_bugs-tests branch 2 times, most recently from ff5b394 to 0ec0489 Compare August 27, 2024 22:11
@RTann RTann self-requested a review August 27, 2024 22:14
RTann
RTann reviewed Aug 27, 2024
View reviewed changes
toolkit/types/cvss/cvss_v2_parse.rl
Comment on lines +57 to +58
temporal = e "/" rl "/" rc;
environmental = cdp "/" td "/" cr "/" ir "/" ar;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not as familiar with these. Let's say E is set. Does that mean RL and RC both must also be set?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think so, yes. The v2 spec is (IMO) unclear on this, but seems to say that if you use a metric group, all the metrics must be filled out.

toolkit/types/cvss/cvss_v4.go
@@ -62,7 +62,7 @@ func (v *V4) getString(m V4Metric) (string, error) {
// GetScore implements [Vector].
func (v *V4) getScore(m V4Metric) byte {
b := v.mv[int(m)]
if m >= V4ExploitMaturity && b == 0 {
if m >= V4ExploitMaturity && (b == 0 /* not present */ || b == 'X' /* not defined */) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you able to show me where in the spec it says this? The 4.0 spec does not seem to show me a nice formula that v3.1 had

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where it says what? That these have specific defaults? That's documented under the relevant tables in the v4 scoring section.

@hdonnay hdonnay force-pushed the hack/cvss_bugs-tests branch from 0ec0489 to c8eca51 Compare December 17, 2024 19:18
crozzy
crozzy approved these changes Dec 17, 2024
View reviewed changes
Copy link
Contributor

@crozzy crozzy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my ragel understanding is a WIP but I think the changes make sense

@hdonnay
cvss: v2: fix ordering
03fe8c0 
The previous version was too permissive with allowed orderings. Per
spec:

> The vector lists these metrics in a predetermined order, using the "/"
> (slash) character to separate the metrics.

Signed-off-by: Hank Donnay <[email protected]>
@hdonnay
cvss: v4: tolerate abnormal vectors in scoring
abd7b89 
Signed-off-by: Hank Donnay <[email protected]>
@hdonnay
cvss: switch tests to external fixtures
303884f 
Putting all the fixtures into separate files makes adding new cases just
an `echo` instead of editing go source.

Signed-off-by: Hank Donnay <[email protected]>
@hdonnay hdonnay force-pushed the hack/cvss_bugs-tests branch from c8eca51 to 303884f Compare December 23, 2024 14:55
@hdonnay
Copy link
Member Author

hdonnay commented Dec 23, 2024

/fast-forward

@github-actions github-actions bot merged commit 303884f into quay:main Dec 23, 2024
6 checks passed
@hdonnay hdonnay deleted the hack/cvss_bugs-tests branch December 23, 2024 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@RTann RTann RTann left review comments

@crozzy crozzy crozzy approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Invalid CVSS v2 and v4 implementations
3 participants
@hdonnay @crozzy @RTann