CVSS v4 calculator

[felix-caboff]

Is your feature request related to a problem? Please describe.
The current in-built calculator is for version 3.x of CVSS. There seems to be a lot of good improvements made in v4.0 that has just been released.

Describe the solution you'd like
Can we please convert to v4.0

Describe alternatives you've considered
Perhaps we should consider allowing the system owner choose which version they want to use?

Additional context
See the new FIRST calculator here

[chrismaddalena]

We can look into this. Changing the calculator is a significant change, so it's not something that can be done too easily. The feature was originally a community contribution. The person who did it used this version of CVSS v3. There's a recent PR for expanding the CVSS v3 calculator. I'd like to add an option for CVSS v4, but it would have to be an option for people to pick v3 or v4. I'm not sure when that will be possible, but maybe sometime in 2024.

[felix-caboff]

Just preventing this from going stale. Latest is in this #387. Really sorry I haven't had a chance to review it yet - I'm not really set up for dev etc and I have precious little spare work time.

[domwhewell-sage]

Hi All,
This might help
On all Finding edit views (ReportFindingLink and Finding) a CVSSv4 tab is displayed in the "CVSS Calculator" dropdown. This is essentially an iframe that displays the prebuilt vue.js application by FIRST.org (https://github.com/FIRSTdotorg/cvss-v4-calculator)

There is also some custom js to extract the vector and cvss score from this iframe

I think this is the best way of implementing a users choice between CVSS Calculators, Its probably best if a CVSSv3.1 calculator is added as a tab in another pull request

[chrismaddalena]

No problem @felix-caboff! Everyone is busy, but this hasn't been forgotten. Feedback and testing will be very welcome whenever someone has the time.

[felix-caboff]

I think this is the best way of implementing a users choice between CVSS Calculators, Its probably best if a CVSSv3.1 calculator is added as a tab in another pull request

@domwhewell-sage just a thought for you. My understanding is that the difference between CVSSv3.0 and CVSSv3.1 is not a mechanics change, but a wording clarification and that the two versions essentially operate the same. I appreciate this is an over simplification, but, I wonder how much demand there will actually be for two sub-versions of CVSSv3? Adding the extra may not be worth any time at all. Happy in any case, just wanted to raise this in case it became complex.

[domwhewell-sage]

Hi @felix-caboff, I think there are some slight mechanics changes in the "Impact Sub-formula" in the Environmental Metric Group but other than that the majority of the changes are restructuring and wording changes.

I already have a private fork which is using CVSSv3.1 so if there is enough demand for it I can quickly whip up a new tab pointing to that js calculator (Granted it is not as easy as CVSSv4.0 with the iframe)

[domwhewell-sage]

What can I do to help move this pull request along?

[felix-caboff]

I have a feeling this is just getting someone to test this. I have a potential half day spare next week and will try and do this then. @domwhewell-sage I notice that your PR for this has "This branch is out-of-date with the base branch". If you get a chance please can you check if this works with the current release and then, "all things being equal" next week, I will update my instance and then apply your branch to do the testing.

[domwhewell-sage]

Hey @felix-caboff that PR is ready to test now I just had to merge the new database changes that had been made recently and a small tweak to parse an existing score if it existed.

[chrismaddalena]

@ColonelThirtyTwo is also working on this to improve the JavaScript code from FIRST and make it possible to pick which calculator version you use.

[felix-caboff]

Thanks for the reminder @chrismaddalena, does that imply that the branch from @domwhewell-sage wouldn't be used?

[felix-caboff]

I have tested both of the potential pull requests and from a UX perspective there is very little difference between them.

I think either would be fine but if I were choosing I would probably say that it may be nicer to not use an iFrame and therefore go with #509

My only comment for both of these options is that I can't see anyway of setting a default CVSSv3 vs CVSSv4. I know in our environment we are going to quickly adopt v4 but with the current PRs we will have to actively choose that each time. It would be nice to be able to set that globally as a default.

[felix-caboff]

So it seems I was having a daft moment in my previous comment. I realised my mistake late last night.

I have now tested both of these and they are a bit different. I still think that not using an iFrame would be preferable and it would still be nice to have a config option that allows an environment to prefer / default to a particular version.

But #509 is in need of a tiny bit more prettiness but it is pretty much ready. It also only deals with the base score and none of the wider environmental pieces. I can see why some people would want just the base score, but, I can see why others would want the rest. Perhaps once the base score tab is ready, we could look to have another tab which is "CVSS v4 - all"?

[chrismaddalena]

I'm dropping a note in here because there has been more discussion in the PRs. We are ready to merge #509 unless anyone sees anything is missing.