feat: report on CVSS v4 #7204

Merged
merged 3 commits into from
Dec 7, 2024
Merged
Expand Up @@ -2296,6 +2296,7 @@ private void checkForFailure(Dependency[] dependencies) throws BuildException {
for (Vulnerability v : d.getVulnerabilities()) {
if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
//safety net to fail on any if for some reason the above misses on 0
|| (failBuildOnCVSS <= 0.0f)) {
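Review bot: The new `v.getCvssV4() != null` clause dereferences `getCvssData()` and unboxes `getBaseScore()` with no null check, whereas `App.determineReturnCode` in this same PR treats both as nullable (`getCvssData() != null && ... getBaseScore() != null`); a v4 entry with missing data would end `checkForFailure` with a NullPointerException instead of the intended BuildException. The v2 and v3 clauses share the shape and predate this change, but v4 data is newer in the feed and may well be sparser. Suggest `|| (v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)`. The same unguarded clause appears in the maven `checkForFailure` hunk (@@ -1006) below. checkForFailure begins and ends outside the hunk.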
7 changes: 6 additions & 1 deletion cli/src/main/java/org/owasp/dependencycheck/App.java
Expand Up @@ -314,15 +314,20 @@ private int determineReturnCode(Engine engine, float cvssFailScore) {
&& v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null
&& v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null
&& v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;

if (cvssV2 >= cvssFailScore
|| cvssV3 >= cvssFailScore
|| cvssV4 >= cvssFailScore
|| unscoredCvss >= cvssFailScore
//safety net to fail on any if for some reason the above misses on 0
|| (cvssFailScore <= 0.0f)) {
double score = 0.0;
if (cvssV3 >= 0.0) {
if (cvssV4 >= 0.0) {
score = cvssV4;
} else if (cvssV3 >= 0.0) {
score = cvssV3;
} else if (cvssV2 >= 0.0) {
score = cvssV2;
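Review bot: The `score` chosen after the threshold test now takes `cvssV4` whenever it is present, regardless of which version actually crossed `cvssFailScore`, so a vulnerability whose v4 base score is below the threshold but whose v3 score is above it still fails the build while recording the lower v4 value; the v3-over-v2 preference had the same shape before, but a third version widens the gap. If `score` only feeds the failure output (its use is below the hunk), `double score = Math.max(cvssV4, Math.max(cvssV3, cvssV2));` reports the value that triggered the failure, relying on the -1 sentinels assigned just above, with the remaining branch for `unscoredCvss` kept under an `if (score < 0.0)` guard. Whichever rule is kept deserves a one-line comment, e.g. `// prefer the newest CVSS version for the reported score`, since the same preference order is repeated in Vulnerability and SarifRuleConverter. determineReturnCode begins and ends outside the hunk.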
Expand Up @@ -1006,6 +1006,7 @@ private void checkForFailure(Dependency[] dependencies) throws ScanAgentExceptio
for (Vulnerability v : d.getVulnerabilities()) {
if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)
|| (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
//safety net to fail on any if for some reason the above misses on 0
|| (failBuildOnCVSS <= 0.0f)) {
Expand Up @@ -518,6 +518,9 @@ public int compareTo(@NotNull Vulnerability o) {
* vulnerability severity
*/
private Double bestEffortSeverityLevelForSorting() {
if (this.cvssV4 != null) {
return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV4.getCvssData().getBaseScore());
}
if (this.cvssV3 != null) {
return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV3.getCvssData().getBaseScore());
}
Expand All @@ -535,6 +538,9 @@ private Double bestEffortSeverityLevelForSorting() {
* unscored severities that critical is assumed.
*/
public String getHighestSeverityText() {
if (this.cvssV4 != null) {
return this.cvssV4.getCvssData().getBaseSeverity().value().toUpperCase();
}
if (this.cvssV3 != null) {
return this.cvssV3.getCvssData().getBaseSeverity().value().toUpperCase();
}
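Review bot: The new v4 branch of `getHighestSeverityText` calls `getCvssData().getBaseSeverity().value()` without a null guard, while `SarifRuleConverter.determineScore` in this same PR only uses the v4 severity after checking `getCvssData().getBaseSeverity() != null`; consider `if (this.cvssV4 != null && this.cvssV4.getCvssData().getBaseSeverity() != null) {` so a v4 record lacking a severity falls through to v3/v2 as it does in the converter. In `bestEffortSeverityLevelForSorting` the v4 score is passed to `SeverityUtil.sortAdjustedCVSSv3BaseScore`, which reads as a mismatch; if it is intentional because CVSS v4.0 keeps the v3.x qualitative bands, say so, e.g. `// CVSS v4.0 uses the same severity bands as v3.x, so the v3 sort adjustment applies`. The Javadoc above both methods (only its tail is visible here) should also state that v4 is now preferred over v3 and v2, e.g. `Prefers the CVSS v4 base severity when present, then v3, then v2, then the unscored severity.` Both methods extend below the hunks.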
Expand Up @@ -99,7 +99,8 @@ public Collection<SarifRule> convertToSarifRules(List<Dependency> dependencies)
buildDescription(v.getDescription(), v.getKnownExploitedVulnerability()),
v.getSource().name(),
v.getCvssV2(),
v.getCvssV3());
v.getCvssV3(),
v.getCvssV4());
rules.put(v.getName(), r);
}
}
Expand All @@ -114,6 +115,8 @@ private String determineScore(Vulnerability vuln) {
} else {
return normalizeSeverity(vuln.getUnscoredSeverity().toLowerCase());
}
} else if (vuln.getCvssV4() != null && vuln.getCvssV4().getCvssData().getBaseSeverity() != null) {
return normalizeSeverity(vuln.getCvssV4().getCvssData().getBaseSeverity().value().toLowerCase());
} else if (vuln.getCvssV3() != null && vuln.getCvssV3().getCvssData().getBaseSeverity() != null) {
return normalizeSeverity(vuln.getCvssV3().getCvssData().getBaseSeverity().value().toLowerCase());
} else if (vuln.getCvssV2() != null && vuln.getCvssV2().getCvssData().getBaseSeverity() != null) {
Expand Up @@ -19,6 +19,7 @@

import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;

/**
*
Expand Down Expand Up @@ -138,6 +139,14 @@ public class SarifRule {
* CVSS V3 field.
*/
private String cvssv3Version;
/**
* CVSS V4 field.
*/
private String cvssv4BaseScore;
/**
* CVSS V4 Vector.
*/
private String cvssv4Vector;
/**
* The source of the rule.
*/
Expand All @@ -154,7 +163,7 @@ public class SarifRule {
* @param cvssV3 the CVSS v3 score
*/
public SarifRule(String name, String shortDescription, String fullDescription,
String source, CvssV2 cvssV2, CvssV3 cvssV3) {
String source, CvssV2 cvssV2, CvssV3 cvssV3, CvssV4 cvssV4) {
this.id = name;
this.name = name;
this.shortDescription = shortDescription;
Expand Down Expand Up @@ -232,6 +241,12 @@ public SarifRule(String name, String shortDescription, String fullDescription,
}
this.cvssv3Version = cvssV3.getCvssData().getVersion().name();
}
if (cvssV4 != null && cvssV4.getCvssData() != null) {
if (cvssV4.getCvssData().getBaseScore() != null) {
this.cvssv4BaseScore = cvssV4.getCvssData().getBaseScore().toString();
}
this.cvssv4Vector = cvssV4.toString();
}
}

/**
Expand Down Expand Up @@ -757,4 +772,36 @@ public void setId(String id) {
this.id = id;
}

/**
* Get the value of CVSS4 Base Score.
*
* @return the value of CVSS4 Base Score
*/
public String getCvssv4BaseScore() {
return cvssv4BaseScore;
}

/**
* Set the value of CVSS4 Base Score.
* @param cvssv4BaseScore new value of CVSS4 Base Score
*/
public void setCvssv4BaseScore(String cvssv4BaseScore) {
this.cvssv4BaseScore = cvssv4BaseScore;
}

/**
* Get the Cvssv4 Vector.
* @return the Cvssv4 Vector
*/
public String getCvssv4Vector() {
return cvssv4Vector;
}

/**
* Set the Cvssv4 Vector.
* @param cvssv4Vector new value of Cvssv4 Vector
*/
public void setCvssv4Vector(String cvssv4Vector) {
this.cvssv4Vector = cvssv4Vector;
}
}
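Review bot: The constructor Javadoc was not updated for the new parameter: the `@param cvssV3 the CVSS v3 score` line is followed directly by the signature, so add `* @param cvssV4 the CVSS v4 score` after it. In the constructor body, `this.cvssv4Vector = cvssV4.toString();` stores the Java object's string form unless the client class overrides toString() to render the vector; the v3 vector assignment is outside the hunk, but whichever accessor it uses on `getCvssData()` (the NVD data carries a vector string field) should be used here too, otherwise the SARIF output gets an object dump rather than a CVSS vector. The field comment `CVSS V4 field.` on `cvssv4BaseScore` is vaguer than its v3 neighbour; `CVSS V4 base score.` matches the getter's own Javadoc.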
Expand Up @@ -537,6 +537,11 @@ public void process(Dependency dependency) {
removeVulns.add(v);
break;
}
if (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) {
remove = true;
removeVulns.add(v);
break;
}
}
}
if (remove && !isBase()) {
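Review bot: The new v4 check calls `getCvssData().getBaseScore().compareTo(cvss)` with no null guard on either call, while `App.determineReturnCode` in this PR treats both as nullable; a v4 record with missing data would abort `process` for the whole dependency with a NullPointerException rather than simply not matching the rule. Suggest `if (v.getCvssV4() != null && v.getCvssV4().getCvssData() != null && v.getCvssV4().getCvssData().getBaseScore() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) {`. Note also that, like the v2/v3 checks whose `break` is visible just above, a single version's score below `cvss` suppresses the finding even when another version scores above it; if that is the intended reading of the suppression threshold it is worth stating in the rule's documentation now that three versions can disagree. process begins and ends outside the hunk.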