Closed
Description
During differential fuzzing with github.com/pandatix/go-cvss I discovered that your implementation does not properly handle the case of a CVSS v2 environmental parsing for vectors that does not have environmental metrics defined.
This could be categorized as CWE-20.
In order to be compliant with the first.org specification you must validate vectors that does not have environmental metrics defined.
The following Go code illustrates this issue.
Notice the input vector comes from the specification section 3.3.1 for the CVE-2002-0392.
package main
import (
"fmt"
"github.com/goark/go-cvss/v2/metric"
)
func main() {
raw := "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C"
vec, err := metric.NewEnvironmental().Decode(raw)
fmt.Printf("vec: %v\n", vec)
fmt.Printf("err: %v\n", err)
}produces ->
vec:
err: no metrics