From fe3ad9b4858eb97bacbf27c7daf15f048405f479 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Sat, 7 Dec 2024 07:52:42 -0500
Subject: [PATCH] fix: use CvssV4
---
 .../org/owasp/dependencycheck/dependency/Vulnerability.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index aa2625befde..93aa9cf9a2e 100644
--- a/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -518,6 +518,9 @@ public int compareTo(@NotNull Vulnerability o) {
 * vulnerability severity
 */
 private Double bestEffortSeverityLevelForSorting() {
+ if (this.cvssV4 != null) {
+ return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV4.getCvssData().getBaseScore());
+ }
 if (this.cvssV3 != null) {
 return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV3.getCvssData().getBaseScore());
 }
@@ -535,6 +538,9 @@ private Double bestEffortSeverityLevelForSorting() {
 * unscored severities that critical is assumed.
 */
 public String getHighestSeverityText() {
+ if (this.cvssV4 != null) {
+ return this.cvssV4.getCvssData().getBaseSeverity().value().toUpperCase();
+ }
 if (this.cvssV3 != null) {
 return this.cvssV3.getCvssData().getBaseSeverity().value().toUpperCase();
 }
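Review bot: The new v4 branch in `bestEffortSeverityLevelForSorting()` dereferences `this.cvssV4.getCvssData().getBaseScore()` with only the outer object null-checked. If a feed record can carry a partial v4 entry (not verifiable from this hunk), sorting would throw instead of falling through to the v3/v2 score. Consider tightening the guard to `if (this.cvssV4 != null && this.cvssV4.getCvssData() != null) {`. The same unguarded chain is added in the `getHighestSeverityText()` hunk, where `getBaseSeverity()` is dereferenced as well. The v4 score is also passed to a helper named `sortAdjustedCVSSv3BaseScore`. CVSS v4.0 keeps the 0–10 scale and severity bands of v3.x, so the reuse looks sound, but a comment such as `// CVSS v4 uses the same 0-10 scale and bands as v3, so the v3 sort adjustment applies` would show that it is intentional. The method body and its Javadoc continue outside the hunk.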
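Review bot: The added return in `getHighestSeverityText()` calls `toUpperCase()` with the JVM default locale. If `value()` ever yields lower-case letters, a Turkish locale would map `i` to dotted `İ`, and any consumer matching the text against `CRITICAL`/`HIGH`/`MEDIUM` would silently miss. Prefer `return this.cvssV4.getCvssData().getBaseSeverity().value().toUpperCase(Locale.ROOT);`, which needs `java.util.Locale` imported (the import block is not visible here); the existing v3 line below follows the same pattern. Since v4 now takes precedence over v3 for the reported severity, the Javadoc above, which begins outside the hunk, should state the v4-first order so readers of reports and severity thresholds know which score is used.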