Cvss4.0 support

Open unorsk opened this issue 1 year ago • 8 comments

Fixing add CVSS 4.0 support

unorsk, Jun 12 '24 19:06

Thanks for the updates @unorsk. I'll try and review them this weekend.

frasertweedale, Jul 26 '24 07:07

> Thanks for the updates @unorsk. I'll try and review them this weekend.

@frasertweedale You can take a look at it if you want, but this isn't ready yet :) There is one thing I commented out in the tests that I am going to fix and lots of other places in the code that need some love. One of the reasons it took me so long is that I made a rewrite of the reference implementation in TypeScript which I used as a reference for my Haskell implementation, that (not surprisingly) isn't very idiomatic. And then there is a new metric Urgency that can have values 'Red / Amber / Green / Clear' 🙈 in contrast to the rest of the metrics which can only have single character values – haven't solved this one yet.

unorsk, Jul 26 '24 07:07
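
The multi-character value problem described in the comment above, as an added example that is not code from this pull request or from the project: a minimal Haskell parser covering only two CVSS 4.0 metrics, `AV` and the Provider Urgency metric `U`, with each metric modelled as a sum type. All type and function names are hypothetical, and the parser does not check that the mandatory metrics of a full vector are present.

```haskell
module Main where

import Data.List (stripPrefix)

-- Provider Urgency (supplemental metric "U"); X means Not Defined.
data Urgency = UrgencyNotDefined | Clear | Green | Amber | Red
  deriving (Show, Eq)

-- A single-character metric for contrast.
data AttackVector = AVNetwork | AVAdjacent | AVLocal | AVPhysical
  deriving (Show, Eq)

data Metric = MetricAV AttackVector | MetricU Urgency
  deriving (Show, Eq)

-- Split on a separator using only base.
splitOn :: Char -> String -> [String]
splitOn c s = case break (== c) s of
  (a, [])       -> [a]
  (a, _ : rest) -> a : splitOn c rest

-- Look up a metric value by its full textual form.
pick :: String -> [(String, a)] -> Either String a
pick v table = maybe (Left ("invalid value: " ++ v)) Right (lookup v table)

-- Parse one "NAME:VALUE" component. Values are matched as whole strings,
-- so "Amber" and "A" are different values and U needs no special casing.
parseMetric :: String -> Either String Metric
parseMetric comp = case splitOn ':' comp of
  ["AV", v] -> MetricAV <$> pick v
    [("N", AVNetwork), ("A", AVAdjacent), ("L", AVLocal), ("P", AVPhysical)]
  ["U", v] -> MetricU <$> pick v
    [ ("X", UrgencyNotDefined), ("Clear", Clear), ("Green", Green)
    , ("Amber", Amber), ("Red", Red) ]
  _ -> Left ("unsupported or malformed component: " ++ comp)

parseVector :: String -> Either String [Metric]
parseVector s = case stripPrefix "CVSS:4.0/" s of
  Nothing   -> Left "missing CVSS:4.0/ prefix"
  Just rest -> traverse parseMetric (splitOn '/' rest)

main :: IO ()
main = mapM_ (print . parseVector)
  [ "CVSS:4.0/AV:N/U:Amber" -- constructed sample, accepted
  , "CVSS:4.0/AV:N/U:A"     -- constructed sample, rejected: "A" is not an Urgency value
  ]
```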

@frasertweedale, it's kind of ready 🙈

unorsk, Jul 29 '24 19:07

> @frasertweedale, it's kind of ready 🙈

Thanks @unorsk. I've had a quick look; I'll need to set aside some time to understand the implementation - perhaps (hopefully!) this weekend.

frasertweedale, Jul 30 '24 14:07

So, I've had a look and it's a solid start - thanks @unorsk! I'm working on some improvements using sum types for the MicroVectors and a total function for the score lookup, rather than the maps and lookup tables.

It seems that the scoring function is underspecified in the spec doc. There are some behaviours in the reference implementation that, from what I can see, aren't explained in the spec but rather fill in gaps or resolve ambiguities. I might be missing something but the spec seems rather poor or at least incomplete. Sigh...

frasertweedale, Aug 05 '24 08:08

> So, I've had a look and it's a solid start - thanks @unorsk! I'm working on some improvements using sum types for the MicroVectors and a total function for the score lookup, rather than the maps and lookup tables.

Yeah, sure.

> It seems that the scoring function is underspecified in the spec doc. There are some behaviours in the reference implementation that, from what I can see, aren't explained in the spec but rather fill in gaps or resolve ambiguities. I might be missing something but the spec seems rather poor or at least incomplete. Sigh...

The spec isn't great 😅

unorsk, Aug 05 '24 08:08

The implementation wasn't great and there was some room for improvement as far as I remember 😅 But as I said - the spec could've been better and maybe I could help somehow to move the case further? Even though it's been almost a year and I already forgot some of the details 🙈

unorsk, May 16 '25 06:05

> The implementation wasn't great and there was some room for improvement as far as I remember 😅 But as I said - the spec could've been better and maybe I could help somehow to move the case further? Even though it's been almost a year and I already forgot some of the details 🙈

Yeah, I have a WIP branch with a lot of improvements, but I ran out of capacity to complete the work. I'll push my branch before ZuriHac in case someone wants to try and make progress. Cheers!

frasertweedale, May 16 '25 08:05