I've ran Cvss.parse(..) against a couple of vectors, e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H".
The implementation matches it as 3.0 string, so Cvss.parse(..).toVector() return vectors of the form "CVSS:3.1/*".

Hello,

If a vector string did not set metric values in Temporal or Environmental metric groups, the resulting score is "-1.0".

String vectorWithMissingTemporal = "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:F";
Cvss cvss = Cvss.fromVector(vectorWithMissingTemporal);
Score score = cvss.calculateScore();
System.out.println(score.getBaseScore()); // 7.6
System.out.println(score.getTemporalScore()); // -1.0 (should be 7.4)
System.out.println(score.getEnvironmentalScore()); // -1.0 (should be 7.4)

Reference:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:F

Let's start by saying that if any of my assumptions is wrong this issue is not relevant.

As far as I know CVSS vectors of version 3.0 and 3.1 are identical at least in the definition of the vector. However the library is splitting them based on the lack of environmental metrics in the vector. If I'm not wrong a CVSS 3.0 could have environmental metrics or a CVSS 3.1 vector could have only the base vector.

The effect in the library is that if we try to serialize the vector we will get a definition that starts with CVSS:3.0 or CVSS:3.1 depending on the environmental metrics which I think is wrong. Wouldn't it be more natural to have:

• A single CVSS3 class
• That keeps the original specification and dumps it in getVector() method accordingly
• That runs one algorithm or the other in calculateScore() depending on the presence or not of the environmental metrics

If it make sense I could even try to create a PR based on that if needed

Hi,
Are you planning to support cvss v4.0.
If so, what is the estimated time for the support?

Best,
Tom

Hi @stevespringett

I have come across an issue with the CVSS vector: CVSS:3.1/AC:H/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N (fetched from the CVEProject and hence not under my control).
Parsing it results in a null result from Cvss.fromVector as the V3_PATTERN doesn't match the - admittely rather unusual - order of this vector string.
FIRST's CVSS schema is more relaxed here and sees this order as valid.
From what I can see in the code, this would affect all vector strings that are not in the "usual" order.

Hello,

The official CVSS v3.0 specification includes Environmental metric group, while the library does not support that.

Example code:

String vectorWithEnvMetric = "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:M/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:N";
Cvss cvss = Cvss.fromVector(vectorWithEnvMetric);
Score score = cvss.calculateScore();
System.out.println(score.getEnvironmentalScore()); // 0.0 (should be 5.8)

Reference:
https://www.first.org/cvss/v3.0/specification-document#Environmental-Metrics

Expected result using the official CVSS calculator:
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:U/RL:O/RC:R/CR:L/IR:M/AR:M/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:L/MI:L/MA:L