authorPaul Duncan <pabs@pablotron.org>2022-02-07 19:47:10 -0500
committerPaul Duncan <pabs@pablotron.org>2022-02-07 19:47:10 -0500
commit093cc60affd28717f762da672fc6ee8b48d67372 (patch)
treef2f0e660180e251bb68620410f1ab7b4ecddba90 /cvss/v31vector.go
parentf34d8eb8d5de5fe22e13c6dd81b4949c5379522c (diff)
cvss/v31vector.go: fix temporal score, add temporal score tests
Diffstat (limited to 'cvss/v31vector.go')
-rw-r--r--cvss/v31vector.go31
1 files changed, 28 insertions, 3 deletions
diff --git a/cvss/v31vector.go b/cvss/v31vector.go
index a9d5205..b191ce0 100644
--- a/cvss/v31vector.go
+++ b/cvss/v31vector.go
@@ -119,6 +119,18 @@ func isV31VectorString(s string) bool {
v31VecRe.MatchString(s)
}
+// Does the map have at least one of the keys needed for a temporal
+// score defined?
+func hasTemporalScoreKeys(keys map[Key]v3Metric) bool {
+ ecm, ecm_ok := keys[v3ExploitCodeMaturity] // E
+ rl, rl_ok := keys[v3RemediationLevel] // RL
+ rc, rc_ok := keys[v3ReportConfidence] // RC
+
+ return (ecm_ok && ecm != v3ENotDefined) ||
+ (rl_ok && rl != v3RLNotDefined) ||
+ (rc_ok && rc != v3RCNotDefined)
+}
+
// roundup implemention (from CVSS v3.1 spec, appendix A)
func roundup(val float64) float64 {
return math.Ceil(10.0 * val) / 10.0
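Review bot: The locals `ecm_ok`, `rl_ok` and `rc_ok` in hasTemporalScoreKeys use underscores where Go style calls for MixedCaps (`ecmOK`, `rlOK`, `rcOK`), and the doc comment should open with the function name, e.g. `// hasTemporalScoreKeys reports whether any of E, RL or RC is present and not Not Defined.`. Separately, the roundup context at the end of this hunk is `math.Ceil(10.0 * val) / 10.0`, while the v3.1 appendix A Roundup first rounds `input * 100000` to an integer precisely to avoid floating-point overshoot. The temporal score this commit fixes goes through that function, so it may land 0.1 high for some vectors and skew triage. roundup's closing brace is outside the hunk.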
@@ -343,8 +355,18 @@ func (v v31Vector) Scores() (Scores, error) {
// calculate impact
impact := 0.0
if scopeChanged {
- // impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15)
- impact = 6.42 * iss
+ impact = 7.52 * (iss - 0.029) - 3.25 * math.Pow(iss - 0.02, 15)
+
+ // adjust privileges required based on scopeChanged
+ // (CVSS v3.1 spec, section 7.4, table 16)
+ if pr, ok := keys[v3PrivilegesRequired]; ok {
+ switch pr {
+ case v3PRLow: // PR:L
+ privsRequired = 0.68
+ case v3PRHigh: // PR:H
+ privsRequired = 0.50
+ }
+ }
} else {
impact = 6.42 * iss
}
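Review bot: The scope-changed `privsRequired` override sits inside the impact branch, so it only reaches the base score if exploitability is computed from `privsRequired` after this block, which is not visible in the hunk. Moving the override next to where `privsRequired` is first assigned, or at least adding `// must run before exploitability is derived from privsRequired`, would make the ordering dependency explicit. It is also keyed on base Scope; if the environmental calculation further down reuses this value when MPR is Not Defined, the weight should presumably follow Modified Scope instead. Scores() begins and ends outside the hunk.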
@@ -362,7 +384,10 @@ func (v v31Vector) Scores() (Scores, error) {
}
// temporal score (CVSS v3.1 spec, section 7.2)
- tempScore := roundup(baseScore * ecm * remediationLevel * reportConfidence)
+ tempScore := 0.0
+ if hasTemporalScoreKeys(keys) {
+ tempScore = roundup(baseScore * ecm * remediationLevel * reportConfidence)
+ }
// environmental score (CVSS v3.1 spec, section 7.3)
//
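Review bot: `tempScore` stays 0.0 when no temporal metric is set, which makes an unscored vector indistinguishable from a computed score of zero; a consumer ranking findings by temporal score would push those vectors to the bottom. If Scores cannot carry an explicit "not defined" flag, the sentinel should at least be documented at the assignment, e.g. `// 0.0 means no temporal metrics were supplied, not a severity of None; callers should fall back to the base score`, and ideally in the doc comment of Scores() as well. Scores() begins and ends outside the hunk.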