Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Aligning Variable Names with the JSON Format #63

Open
n3rada opened this issue Sep 6, 2024 · 7 comments
Open

Aligning Variable Names with the JSON Format #63

n3rada opened this issue Sep 6, 2024 · 7 comments
Labels
investigation We need to discuss first

Comments

@n3rada
Copy link
Contributor

n3rada commented Sep 6, 2024

During the refactorisation, we were all talking about respecting or not the JSON format for variable names. Required ones are "version", "vectorString", "baseScore", "baseSeverity".

But I remember than @pandatix disagree with this notion.
image
And that why we are currently using more logical things such as score, equivalentClasses and so on.

The specification document talks about "Base Score":
image

This is just to initiate a conversation about this topic. I didn't see a "Discussions" tab in the repository, so I decided to open an issue instead. 😊
@pandatix
Copy link
Contributor

pandatix commented Sep 6, 2024

I confirm this is an issue in the specification. No "base score" notion exist in CVSS v4, as the scoring takes the Base+Threat+Environmental metrics groups ;)

@skontar skontar added the investigation We need to discuss first label Sep 6, 2024
@n3rada
Copy link
Contributor Author

n3rada commented Sep 6, 2024

Thanks. That was to be sure. Thus, if you have contacts with FIRST people, you may report this to them.

Because the specification should be updated in order to stay serious. This new CVSS is going to be used in really huge companies. 😊

You guys are really great people by the way.

@pandatix
Copy link
Contributor

pandatix commented Sep 6, 2024

Poke @nickleali :)

@nickleali
Copy link

Yep thanks for bringing this to our attention. The FIRST CVSS SIG is aware of the inconsistencies in the CVSS v4.0 JSON schema and the documentation with regards to the nomenclature. We're tracking on updating the terminology in the schema and documentation.

The concern now is if we do an update between versions, we risk breaking functionality for 4.0. The plan is to include these updates with 4.1, but if you are looking at doing a refactor of the calculator with the new terminology, possibly we can have a draft of the schema early to share.

Let's continue to coordinate on this. I'll bring this item up at our next CVSS SIG meeting.

@n3rada
Copy link
Contributor Author

n3rada commented Sep 6, 2024

There are multiple issues in FIRST website. The examples provided seem inconsistent and vulnerabilities are not well scored, according to discussions I've had with senior pentesters in daily life.

Concerning next 4.1, the refactor provides a clean class structure, making future changes much easier to integrate!

@superbuggy superbuggy mentioned this issue Sep 6, 2024
Closed
@nickleali
Copy link

If you identify any examples with inaccuracies, or any other issues in the FIRST CVSS site, please let me know at cvss@first.org and I'd be happy to address them. If there are examples that could be added to the examples document, you could request those as well for me to add in a future updates. Always looking to provide more details for the community.

@n3rada
Copy link
Contributor Author

n3rada commented Sep 6, 2024
edited
Loading

I will totally do that in next weeks. Thanks a lot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
investigation We need to discuss first
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@skontar @pandatix @n3rada @nickleali