
Commit 91c6972

authored
fix: correct parsing for CVSSv4 strings with Provider Urgency (#8377)
Signed-off-by: Chad Wilson <[email protected]>
1 parent 267e7eb commit 91c6972


2 files changed

+12
-2
lines changed


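--- a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
@@ -138,7 +138,7 @@ void testCvssV4ScoreToSeverity() {
 */
 @Test
 void testVectorToCvssV4() {
-String vectorString = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N";
+String vectorString = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/V:D/RE:L/U:Amber";
 Double baseScore = 8.2;
 String source = "ossIndex";
 CvssV4.Type type = CvssV4.Type.PRIMARY;
@@ -157,8 +157,18 @@ void testVectorToCvssV4() {
 assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubConfidentialityImpact());
 assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubIntegrityImpact());
 assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubAvailabilityImpact());
+assertEquals(CvssV4Data.SafetyType.NEGLIGIBLE, result.getCvssData().getSafety());
+assertEquals(CvssV4Data.AutomatableType.YES, result.getCvssData().getAutomatable());
+assertEquals(CvssV4Data.RecoveryType.AUTOMATIC, result.getCvssData().getRecovery());
+assertEquals(CvssV4Data.ValueDensityType.DIFFUSE, result.getCvssData().getValueDensity());
+assertEquals(CvssV4Data.VulnerabilityResponseEffortType.LOW, result.getCvssData().getVulnerabilityResponseEffort());
+assertEquals(CvssV4Data.ProviderUrgencyType.AMBER, result.getCvssData().getProviderUrgency());
 assertEquals(CvssV4Data.SeverityType.HIGH, result.getCvssData().getBaseSeverity());
 assertEquals(8.2, result.getCvssData().getBaseScore(), 0);
+assertNull(result.getCvssData().getThreatScore());
+assertNull(result.getCvssData().getThreatSeverity());
+assertNull(result.getCvssData().getEnvironmentalScore());
+assertNull(result.getCvssData().getEnvironmentalSeverity());
 }
 
 }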
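Review bot: Replacing the vector string at the top of `testVectorToCvssV4` with the one carrying supplemental metrics removes the only coverage of a base-metrics-only CVSS:4.0 vector, which is the common shape in upstream feeds, so a regression in that path would no longer be caught here; keep both by moving the extended vector and the six new `getSafety()`…`getProviderUrgency()` assertions into a second method such as `testVectorToCvssV4WithSupplementalMetrics` and leaving the original vector in this one. A one-line comment above the extended string, `// base metrics followed by the supplemental metrics S/AU/R/V/RE/U; U (Provider Urgency) is the field this fix concerns`, would make the long literal readable. A negative case for an unrecognised supplemental value (for example an `U:` value outside the defined set) would also be worth adding, but since the parser appears to come from the bumped open-vulnerability-clients dependency rather than this repository, that may belong upstream. The middle of the method (original lines 145–156) lies between the two hunks and is outside this view.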

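--- a/pom.xml
+++ b/pom.xml
@@ -912,7 +912,7 @@ Copyright (c) 2012 - Jeremy Long
 <dependency>
 <groupId>io.github.jeremylong</groupId>
 <artifactId>open-vulnerability-clients</artifactId>
-<version>9.0.3</version>
+<version>9.0.4</version>
 </dependency>
 <dependency>
 <groupId>org.anarres.jdiagnostics</groupId>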
