From 6c56b752b00557277d967d1042eee9b5c4e83be5 Mon Sep 17 00:00:00 2001
From: Jobie Winser
Date: Thu, 14 Dec 2023 17:16:20 +0000
Subject: [PATCH] CVSSv4, mprpic review changes
-Added additional CVSS4 imports to cvss/__init__.py
-Added additional metric checks that raise CVSS4MalformedError
-Cleaned up some left over comments
-Added additional tests for malformed CVSS4 strings
---
 cvss/__init__.py | 3 ++-
 cvss/cvss4.py | 12 +++++++++---
 tests/test_cvss4.py | 28 ++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/cvss/__init__.py b/cvss/__init__.py
index 110dd0f..0789572 100644
--- a/cvss/__init__.py
+++ b/cvss/__init__.py
@@ -4,7 +4,8 @@
 from .cvss2 import CVSS2
 from .cvss3 import CVSS3
-from .exceptions import CVSS2Error, CVSS3Error, CVSSError
+from .cvss4 import CVSS4
+from .exceptions import CVSS2Error, CVSS3Error, CVSS4Error, CVSSError
 from .interactive import ask_interactively
 __version__ = "2.6"
diff --git a/cvss/cvss4.py b/cvss/cvss4.py
index b2af3c3..b59b6b9 100644
--- a/cvss/cvss4.py
+++ b/cvss/cvss4.py
@@ -176,6 +176,15 @@ def parse_vector(self):
 if metric in self.metrics:
 raise CVSS4MalformedError('Duplicate metric "{0}"'.format(metric))
+
+ if metric not in METRICS_VALUE_NAMES:
+ raise CVSS4MalformedError('Invalid metric key in CVSS4 vector "{0}"'.format(field))
+
+ if value not in METRICS_VALUE_NAMES[metric]:
+ raise CVSS4MalformedError(
+ 'Invalid metric value in CVSS4 vector "{0}"'.format(field)
+ )
+
 self.metrics[metric] = value
 def get_eq_maxes(self, lookup, eq):
@@ -213,9 +222,6 @@ def m(self, metric):
 if modified_selected != "X":
 return modified_selected
- # if metric not in self.metrics and "M" + metric not in self.metrics:
- # return "X"
-
 return selected
 def macroVector(self):
diff --git a/tests/test_cvss4.py b/tests/test_cvss4.py
index 05d8434..66e5888 100644
--- a/tests/test_cvss4.py
+++ b/tests/test_cvss4.py
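Review bot: The two new `CVSS4MalformedError` messages in the `parse_vector` hunk of cvss/cvss4.py embed the raw `field` from the caller-supplied vector, while the duplicate check directly above them reports only `metric`. If vectors arrive from external feeds and the exception text is logged or rendered, unescaped or very long tokens pass straight through. A comment above the first new check, such as `# field is unvalidated input: escape or truncate the message before logging or displaying it`, would make that explicit for callers. `parse_vector` starts and ends outside the hunk, so whether `field` is length-checked or split safely earlier cannot be seen from here.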
@@ -5,6 +5,7 @@
 sys.path.insert(0, path.dirname(path.dirname(path.abspath(__file__))))
 from cvss.cvss4 import CVSS4
+from cvss.exceptions import CVSS4MalformedError
 WD = path.dirname(path.abspath(sys.argv[0])) # Manage to run script anywhere in the path
@@ -163,6 +164,33 @@ def test_json_schema_high_msi(self):
 self.assertIn("modifiedSubsequentSystemImpactIntegrity", json_data)
 self.assertIn("subsequentSystemImpactIntegrity", json_data)
+ def test_invalid_metric_key(self):
+ v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/JJ:H"
+ error = ""
+ try:
+ CVSS4(v)
+ except CVSS4MalformedError as e:
+ error = str(e)
+ self.assertEqual(error, 'Invalid metric key in CVSS4 vector "JJ:H"')
+
+ def test_invalid_metric_value(self):
+ v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:J"
+ error = ""
+ try:
+ CVSS4(v)
+ except CVSS4MalformedError as e:
+ error = str(e)
+ self.assertEqual(error, 'Invalid metric value in CVSS4 vector "SA:J"')
+
+ def test_duplicate_metric_key(self):
+ v = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SI:H"
+ error = ""
+ try:
+ CVSS4(v)
+ except CVSS4MalformedError as e:
+ error = str(e)
+ self.assertEqual(error, 'Duplicate metric "SI"')
+
 if __name__ == "__main__":
 unittest.main()
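Review bot: In the three tests added after `test_json_schema_high_msi`, the `error = ""` / `try` / `except` pattern detects a missing exception only indirectly, through a string mismatch against the empty default, and the same seven lines are repeated in each test. `with self.assertRaises(CVSS4MalformedError) as ctx:` around `CVSS4(v)`, followed by `self.assertEqual(str(ctx.exception), ...)`, states the expectation directly and reports "no exception raised" as such. The cases cover one unknown key, one bad value and one duplicate; a field with no `:` separator or an empty value is not exercised in this hunk, though it may be covered elsewhere in the file.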