RVSS returns wrong score when Scope is set to Changed and Safety to Human #1

Open
roizpi opened this issue Aug 22, 2018 · 5 comments

roizpi commented Aug 22, 2018

After testing different RVSS values with the Scope value set to Changed (S:C) and Safety set to Human (H:H), when mixing different values of Confidentiality, Integrity and Availability, all the RVSS groups are scoring 0.
If either the Scope or Safety values are set differently, it returns the correct values.

Here are some examples to reproduce the issue:

$ rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:L/A:H/H:H
Base Score:	0.0
Temporal:	0.0
Environment:	0.0

$ rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:	0.0
Temporal:	0.0
Environment:	0.0

Output when only changing Integrity to any value, and S:C H:H are set.

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:	0.0
Temporal:	0.0
Environment:	0.0

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:L/A:H/H:H
Base Score:	0.0
Temporal:	0.0
Environment:	0.0

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:H/A:H/H:H
Base Score:	0.0
Temporal:	0.0
Environment:	0.0

If at least two Impact subgroup values are set to None, the results seem correct:

$ rvss RVSS:1.0/AV:L/AC:L/PR:H/UI:R/Y:T/S:C/C:L/I:N/A:N/H:H                                                                
Base Score:	6.5
Temporal:	6.5
Environment:	6.5

@vmayoral (Member)

@roizpi, not sure which version you're working with. Maybe not the last one?

Find below my outputs:

victor at Victors-MacBook in ~/cvsslib on master*
$ rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:L/A:H/H:H
Base Score:	8.6
Temporal:	8.6
Environment:	8.6
victor at Victors-MacBook in ~/cvsslib on master*
$ rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:	8.6
Temporal:	8.6
Environment:	8.6
victor at Victors-MacBook in ~/cvsslib on master*
$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0
victor at Victors-MacBook in ~/cvsslib on master*
$  rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:L/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0
victor at Victors-MacBook in ~/cvsslib on master*
$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:H/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0
victor at Victors-MacBook in ~/cvsslib on master*
$ rvss RVSS:1.0/AV:L/AC:L/PR:H/UI:R/Y:T/S:C/C:L/I:N/A:N/H:H 
Base Score:	6.5
Temporal:	6.5
Environment:	6.5

Did you install the last version? @olaldiko, can you please double check this and report what you obtain?

roizpi (Author) commented Aug 22, 2018

I am pointing to the origin master branch, on its last commit "627eb69". Let's have a third view from @olaldiko.

My git config is:

$ git log -n 1
commit 627eb695ec50107f03a78369dabfdb4d1f459089 (HEAD -> master, origin/master, origin/HEAD)

$ git remote -v
origin	https://github.com/aliasrobotics/RVSS.git (fetch)
origin	https://github.com/aliasrobotics/RVSS.git (push)

vmayoral (Member) commented Aug 22, 2018 via email

@olaldiko

Mine's working correctly also!

~/Alias/RVSS   master  rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:L/A:H/H:H
Base Score:     8.6
Temporal:       8.6
Environment:    8.6
 ~/Alias/RVSS   master  rvss RVSS:1.0/AV:L/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:     8.6
Temporal:       8.6
Environment:    8.6
 ~/Alias/RVSS   master  rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:     7.0
Temporal:       7.0
Environment:    7.0
 ~/Alias/RVSS   master  rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:L/A:H/H:H
Base Score:     7.0
Temporal:       7.0
Environment:    7.0
 ~/Alias/RVSS   master  rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:H/A:H/H:H
Base Score:     7.0
Temporal:       7.0
Environment:    7.0
 ~/Alias/RVSS   master  rvss RVSS:1.0/AV:L/AC:L/PR:H/UI:R/Y:T/S:C/C:L/I:N/A:N/H:H
Base Score:     6.5
Temporal:       6.5
Environment:    6.5

roizpi (Author) commented Aug 22, 2018

@vmayoral, reinstalling the Python library gives me values now. Apologies for the initial confusion.

I will rephrase the issue straight as I originally found it on the JavaScript version of RVSS:

For instance, if we change the Integrity to either Low, Medium or High, the result remains intact, as we can see in @olaldiko's output (in this case Safety is set to Human):

Wrong results are happening when modifying C, I, A, when Scope is set to Changed and Safety is set either to Human or Environmental.

"If either Scope or Safety values are set differently, it returns the correct values."

To reproduce the issue we can use the previous report:

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:L/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0

$ rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:H/A:H/H:H
Base Score:	7.0
Temporal:	7.0
Environment:	7.0

For instance, the following test's result is wrong: I:L is giving a higher score than I:H (in this case Safety is set to Environmental):

rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:L/A:H/H:E                                                               
Base Score:	7.5
Temporal:	7.5
Environment:	7.5

rvss RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:H/A:H/H:E                                                                 
Base Score:	7.0
Temporal:	7.0
Environment:	7.0

roizpi changed the title from "RVSS returns 0 score when Scope is set to Changed and Safety to Human" to "RVSS returns wrong score when Scope is set to Changed and Safety to Human" on Aug 22, 2018
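
A regression check for the behaviour reported in this thread, as an added example (not code from RVSS or from any commenter): it groups vectors that differ only in one impact metric and reports scores that decrease or stay flat as that metric rises. The N < L < H ordering and the function names are assumptions; the vector and score pairs are copied from the runs quoted above.

```python
import re
from collections import defaultdict

# Assumed severity order for impact metrics (None < Low < High).
ORDER = {"N": 0, "L": 1, "H": 2}

# Constructed sample: vector and base-score pairs copied from the runs in this thread.
RUNS = """\
RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:N/A:H/H:H 7.0
RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:L/A:H/H:H 7.0
RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:H/I:H/A:H/H:H 7.0
RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:L/A:H/H:E 7.5
RVSS:1.0/AV:PI/AC:L/PR:N/UI:R/Y:T/S:C/C:L/I:H/A:H/H:E 7.0
"""


def parse_vector(vector):
    """Split 'RVSS:1.0/AV:L/...' into a dict of metric -> value."""
    head, *parts = vector.strip().split("/")
    if not re.fullmatch(r"RVSS:\d+\.\d+", head):
        raise ValueError(f"not an RVSS vector: {vector!r}")
    metrics = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or not key or not value or key in metrics:
            raise ValueError(f"malformed or duplicate metric {part!r}")
        metrics[key] = value
    return metrics


def check_metric(runs_text, metric):
    """Group runs differing only in `metric`; return (decreasing, flat) findings."""
    groups = defaultdict(list)
    for line in runs_text.splitlines():
        vector, score = line.split()
        m = parse_vector(vector)
        rest = tuple(sorted((k, v) for k, v in m.items() if k != metric))
        groups[rest].append((ORDER[m[metric]], m[metric], float(score)))
    decreasing, flat = [], []
    for rest, rows in groups.items():
        rows.sort()  # ascending severity of the metric under test
        for (_, lo, s_lo), (_, hi, s_hi) in zip(rows, rows[1:]):
            if s_hi < s_lo:  # higher impact produced a lower score
                decreasing.append((dict(rest), lo, s_lo, hi, s_hi))
        if len(rows) > 1 and len({s for _, _, s in rows}) == 1:
            flat.append((dict(rest), [v for _, v, _ in rows], rows[0][2]))
    return decreasing, flat

print(check_metric(RUNS, "I"))
```

A flat group is reported for review rather than as a definite error, since rounding or capping can legitimately produce equal scores.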