test3

ZakaHaceCosas · ZakaHaceCosas · commit 264bd2c3c263 · 2025-04-13T16:29:26.000+02:00
diff --git a/docs/learn/audit.md b/docs/learn/audit.md
@@ -74,28 +74,40 @@ graph TD
 
 ### Step three: evaluation
 
-Your questions are evaluated using a straightforward positive-negative system: responses indicating 'positive' information add +1 to the positive count, while those indicating 'negative' information add +1 to the negative count.
+Your questions are evaluated using a straightforward positive-negative system: responses indicating 'positive' information add up to the positive count, while those indicating 'negative' information add up to the negative count.
 
-These counts are used to compute the RF, based on the following formula:
+These counts and the SB and SDB values are used to compute the RF, based on the following formula:
 
-$$
-R.F. = \left( \frac{\text{positives}}{\text{positives} + \text{negatives}} \right) \times 100
-$$
+\[
+T = P + (N \cdot S_d)
+\]
 
-There is a `--strict` flag that can be passed to the audit command that adds an additional **risk bump**, based on the severity of the most-severe identified vulnerability, as follows:
+\[
+\text{RF} =
+\begin{cases}
+0, & \text{if } T = 0 \\
+\min\left(100, \max\left(0, \dfrac{N \cdot S_b}{T} \cdot 100\right)\right), & \text{otherwise}
+\end{cases}
+\]
 
-$$
-Strict R.F. = \frac{R.F. + (R.B. \times 100)}{2}
-$$
+\[
+\text{donde:} \quad
+\begin{aligned}
+P &= \text{positives} \\
+N &= \text{negatives} \\
+S_d &= \text{severityDeBump (indirectly bumps RF)} \\
+S_b &= \text{severityBump (directly bumps RF)}
+\end{aligned}
+\]
 
-RB values are as follows:
+SB and SDB values are as follows:
 
-| Severity |   RB |
-| :------- | ---: |
-| critical |    1 |
-| high     | 0.75 |
-| moderate |  0.5 |
-| low      | 0.25 |
+| Severity |   SB |  SDB |
+| :------- | ---: | ---: |
+| critical | 2.00 | 0.25 |
+| high     | 1.75 | 0.50 |
+| moderate | 1.50 | 0.75 |
+| low      | 1.25 | 1.00 |
 
 ---
 
@@ -115,30 +127,5 @@ Where `EXP` indicates experimental, `CAVEAT` indicates partial support / support
 | v2.1.0     | EXP        | NO          | NO          | NO   | NO  | NO | NO    |
 
 *[RF]: Risk Factor; a percentage computed by us to estimate the joint impact of all vulnerabilities of a NodeJS project.
-*[RB]: Risk Bump; a 0.25-1 number that's used to bump the RF based on the highest severity (as in low/moderate/high/critical) of a found vulnerability within a project.
-
----
-
-testing in production be like:
-
-\[
-\text{total} = P + (N \cdot S_d)
-\]
-
-\[
-\text{percentage} =
-\begin{cases}
-0, & \text{si } \text{total} = 0 \\
-\min\left(100, \max\left(0, \dfrac{N \cdot S_b}{\text{total}} \cdot 100\right)\right), & \text{en otro caso}
-\end{cases}
-\]
-
-\[
-\text{donde:} \quad
-\begin{aligned}
-P &= \text{positives} \\
-N &= \text{negatives} \\
-S_d &= \text{severityDeBump (reduce el total)} \\
-S_b &= \text{severityBump (aumenta el riesgo)}
-\end{aligned}
-\]
+*[SB]: Severity Bump; a 1.25-2 number that's used to bump the RF based on the highest severity (as in low/moderate/high/critical) of a found vulnerability within a project.
+*[SDB]: Severity DeBump; a 0.25-1 number that's used to de-bump the negative count prior computing the RF based on the highest severity (as in low/moderate/high/critical) of a found vulnerability within a project.
