Aligning Variable Names with the JSON Format #63
Comments
I confirm this is an issue in the specification. No "base score" notion exists in CVSS v4, as the scoring takes the Base+Threat+Environmental metric groups ;)
Thanks. That was just to be sure. So, if you have contacts with FIRST people, you may report this to them, because the specification should be updated in order to stay serious. This new CVSS is going to be used in really huge companies. 😊 You guys are really great people by the way.
Poke @nickleali :)
Yep, thanks for bringing this to our attention. The FIRST CVSS SIG is aware of the inconsistencies between the CVSS v4.0 JSON schema and the documentation with regard to the nomenclature. We're tracking updating the terminology in the schema and documentation. The concern now is that if we do an update between versions, we risk breaking functionality for 4.0. The plan is to include these updates with 4.1, but if you are looking at doing a refactor of the calculator with the new terminology, we can possibly share a draft of the schema early. Let's continue to coordinate on this. I'll bring this item up at our next CVSS SIG meeting.
There are multiple issues on the FIRST website. The examples provided seem inconsistent and vulnerabilities are not well scored, according to discussions I've had with senior pentesters in daily life. Concerning the next 4.1, the refactor provides a clean class structure, making future changes much easier to integrate!
If you identify any examples with inaccuracies, or any other issues on the FIRST CVSS site, please let me know at [email protected] and I'd be happy to address them. If there are examples that could be added to the examples document, you could request those as well for me to add in future updates. Always looking to provide more details for the community.
I will totally do that in the next weeks. Thanks a lot.
@nickleali, by the way, we sent an email to [email protected]. Do you know how long we should wait for an answer?
Thanks @n3rada for your email, I have it (assuming it's "Proposal to revise CVSS v4.0 examples" and questions around subsequent system, CVE-2022-21830 and CVE-2022-24682). We've been talking about these items recently and I can tell you I'm preparing to update the examples. I'll respond in more detail soon.
During the refactoring, we were all discussing whether or not to respect the JSON format for variable names. The required ones are "version", "vectorString", "baseScore", "baseSeverity".
But I remember that @pandatix disagreed with this notion.
And that's why we are currently using more logical names such as "score", "equivalentClasses", and so on.
The specification document talks about "Base Score":
This is just to initiate a conversation about this topic. I didn't see a "Discussions" tab in the repository, so I decided to open an issue instead. 😊