Reflect mutual exclusion of boolean variables in the code #28
Comments
|
Clarification: Obviously it's possible for software to have all 3 of direct network exposure, process network data, and privilege escalation. However, the idea was that in the risk score, only one of them (the worst) was used. To implement this, data was created so that only one (the worst) was set to 1, and the rest were 0... so the data values were mutually exclusive. In retrospect, this wasn't the best choice; this turns out to be confusing and doesn't capture the real situation as accurately as we'd like. So instead, let's force the calculation to only use the "worst" value, and that way, data entry doesn't have to enforce a mutual-exclusive rule. In the long run it might be best to go back and update the data so that it no longer requires mutual exclusivity, and then we might refine the metric further... but this will keep the intent of the current rule and avoid confusion. |
By design boolean variables 'direct_network_exposure', 'process_network_data' and 'potential_privilege_escalation' are mutually exclusive. That is, one of these variables must be selected. Currently the code doesn't reflect that.
The text was updated successfully, but these errors were encountered: