
Fix commercial averages scoring bug: restore * 100 scaling#291

Merged
davewichers merged 1 commit into OWASP-Benchmark:generalizeScoring from TheAuditorTool:fix/commercial-averages-scoring-bug on Apr 13, 2026

Conversation

@TheAuditorTool

Summary

  • Commercial average scores displayed as 0/1 instead of proper percentages (e.g., 47, 38)
  • Root cause: the CategoryResults -> CategoryMetrics refactor dropped * 100 from the commercial score variable in ScatterVulns.makeLegend()
  • Non-commercial score accumulation also missing * 100, causing overall average to mix 0-1 rates with 0-100 percentages
  • Test values in CommercialAveragesTableTest were simultaneously scaled from 0-1 to 0-100 during refactor, masking the bug (two errors cancelling out)

Changes

  • ScatterVulns.java:381 - Add * 100 to non-commercial score accumulation
  • ScatterVulns.java:448 - Add * 100 to commercial score variable
  • CommercialAveragesTableTest.java - Revert test CategoryMetrics values to 0-1 rates matching production calculateMetrics() output

All existing test assertions unchanged — same expected output (47, 38, 62, 58, etc.)

Additional bugs found in generalizeScoring

  1. Unused variable — ScatterVulns.java:434: toolMetrics fetched but never referenced
  2. Asymmetric comparison — ScatterVulns.java:479: commercial low uses <= vs non-commercial < at line 387
  3. Latent NPE — Tool.getCategoryGroupMetrics(): per-category lookup can return null silently
  4. ToolReport triangle indicators — ToolReport.java:230,247,263: 100 * x - y where both x and y are 0-1 rates; above/below-average indicators always wrong

…cumulation

The CategoryResults -> CategoryMetrics refactor accidentally dropped the
* 100 multiplier from the commercial score variable in ScatterVulns.makeLegend(),
causing commercial averages to display as 0/1 instead of proper percentages.

The non-commercial score accumulation was also missing * 100, causing the
overall average (which blends commercial + non-commercial totals) to mix
0-1 rates with 0-100 percentages.

Fix: add * 100 to both score accumulation paths, matching the existing
display-score pattern already used for low/high comparison at line 386.

Test values in CommercialAveragesTableTest were simultaneously scaled from
0-1 to 0-100 during the refactor, masking the bug (two errors cancelling
out). Reverted to 0-1 rates to match what calculateMetrics() produces in
production. All test assertions unchanged -- same expected output.
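The scale-mixing pattern described in the PR summary and the commit message above, modelled as an added example (this is illustration code, not OWASP Benchmark's ScatterVulns or ToolReport). CategoryMetrics here is a hypothetical stand-in holding 0-1 rates; ToolEntry, legend_averages, triangle_indicator, check_scale_consistency and the sample tool list are all constructed for the example. It reproduces the three things the PR reports: both accumulation paths missing * 100 (averages print as 0/1), one path scaled and the other not (the overall average blends units), and test inputs pre-scaled to 0-100 cancelling the missing * 100 so the broken code still returns 47/38-style values; it also shows why 100 * x - y on two 0-1 rates gives the wrong above/below-average marker.

```python
"""Scale-mixing bug pattern from this PR, modelled in Python.

Added illustration, not OWASP Benchmark code. Per-category metrics are
0-1 rates; the legend prints 0-100 integer scores; any average that blends
the two units is silently wrong, and tests that pre-scale their inputs can
hide it.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CategoryMetrics:
    """Hypothetical stand-in for the project's CategoryMetrics: rates in [0, 1]."""
    tpr: float  # true positive rate
    fpr: float  # false positive rate


@dataclass(frozen=True)
class ToolEntry:
    """One scored tool (constructed type, not the project's Tool class)."""
    name: str
    commercial: bool
    metrics: CategoryMetrics


def display_score(m: CategoryMetrics) -> int:
    """The 0-100 score a legend prints: round(100 * (TPR - FPR))."""
    return round(100 * (m.tpr - m.fpr))


def legend_averages(tools: List[ToolEntry], scale_commercial: int = 100,
                    scale_noncommercial: int = 100) -> Tuple[int, int, int]:
    """Return (commercial avg, non-commercial avg, overall avg) as 0-100 ints.

    The scale_* arguments exist only to reproduce the bug. Fixed code scales
    both accumulation paths by 100. Scaling neither makes every average
    round to 0 or 1; scaling only one path makes the overall average (which
    blends both totals) mix 0-1 rates with 0-100 percentages.
    """
    comm_total = non_comm_total = 0.0
    comm_count = non_comm_count = 0
    for t in tools:
        rate = t.metrics.tpr - t.metrics.fpr  # 0-1 rate from calculateMetrics-style input
        if t.commercial:
            comm_total += scale_commercial * rate
            comm_count += 1
        else:
            non_comm_total += scale_noncommercial * rate
            non_comm_count += 1
    comm_avg = comm_total / comm_count if comm_count else 0.0
    non_comm_avg = non_comm_total / non_comm_count if non_comm_count else 0.0
    overall = (comm_total + non_comm_total) / len(tools) if tools else 0.0
    return round(comm_avg), round(non_comm_avg), round(overall)


def rescaled(tools: List[ToolEntry]) -> List[ToolEntry]:
    """Test fixtures pre-scaled to 0-100, the mistake that masked the bug."""
    return [ToolEntry(t.name, t.commercial,
                      CategoryMetrics(100 * t.metrics.tpr, 100 * t.metrics.fpr))
            for t in tools]


def triangle_indicator(tool_rate: float, avg_rate: float, fixed: bool = True) -> str:
    """Above/below-average marker from two 0-1 rates.

    The buggy form '100 * x - y' scales only x, so 100 * 0.5 - 0.6 = 49.4 reads
    as 'above' even though the tool is below average; the correct form scales
    the difference, 100 * (x - y).
    """
    diff = 100 * (tool_rate - avg_rate) if fixed else 100 * tool_rate - avg_rate
    return "above" if diff > 0 else "below"


def check_scale_consistency(tools: List[ToolEntry]) -> bool:
    """Invariant a regression test should assert: the overall average of the
    blended totals equals the mean of the per-tool display scores."""
    expected = round(sum(display_score(t.metrics) for t in tools) / len(tools))
    return legend_averages(tools)[2] == expected


# Constructed sample tools (not real benchmark results); display scores 47, 39, 62, 56.
SAMPLE_TOOLS = [
    ToolEntry("comm-A", True, CategoryMetrics(tpr=0.80, fpr=0.33)),
    ToolEntry("comm-B", True, CategoryMetrics(tpr=0.60, fpr=0.21)),
    ToolEntry("oss-C", False, CategoryMetrics(tpr=0.90, fpr=0.28)),
    ToolEntry("oss-D", False, CategoryMetrics(tpr=0.70, fpr=0.14)),
]

if __name__ == "__main__":
    print("fixed:                 ", legend_averages(SAMPLE_TOOLS))
    print("no * 100 anywhere:     ", legend_averages(SAMPLE_TOOLS, 1, 1))
    print("only commercial scaled:", legend_averages(SAMPLE_TOOLS, 100, 1))
    print("buggy code, 0-100 test inputs (bug masked):",
          legend_averages(rescaled(SAMPLE_TOOLS), 1, 1))
    print("fixed code, 0-100 test inputs (test would fail):",
          legend_averages(rescaled(SAMPLE_TOOLS)))
    print("triangle 0.5 vs 0.6 buggy/fixed:",
          triangle_indicator(0.5, 0.6, fixed=False), triangle_indicator(0.5, 0.6))
```

The last two prints are the point of the test-fixture revert: against the unscaled code the pre-scaled fixtures reproduce the expected 43/59/51, so the suite stayed green while production printed 0/1; once the * 100 is restored the same fixtures would yield 4300/5900/5100, which is why the fixtures must carry the 0-1 rates that calculateMetrics() actually produces.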
@davewichers davewichers merged commit 91b44c4 into OWASP-Benchmark:generalizeScoring Apr 13, 2026
1 check passed