Precondition
Describe the bug
While updating the Gradle Dependency Check plugin to 12.1.3 (from 8.2.1) I noticed that the JSON report now has fields regarding CVSS v4 scores.
Unfortunately, to test my JSON deserialization I couldn't find data with cvssv4 in the JSON report of our project. Then I noticed that those scores are incorrectly given as CVSS v2.
See for example CVE-2025-52999 in Jackson. At NVD, it has a v4 score of 8.7 with a vector string of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Snippet of JSON report:
```json
"vulnerabilities": [
  {
    "source": "OSSINDEX",
    "name": "CVE-2025-52999",
    "severity": "HIGH",
    "cvssv2": {
      "score": 8.699999809265137,
      "accessVector": "NETWORK",
      "accessComplexity": "LOW",
      "authenticationr": "$enc.json($vuln.cvssV2.cvssData.authentication)",
      "confidentialityImpact": "$enc.json($vuln.cvssV2.cvssData.confidentialityImpact)",
      "integrityImpact": "$enc.json($vuln.cvssV2.cvssData.integrityImpact)",
      "availabilityImpact": "$enc.json($vuln.cvssV2.cvssData.availabilityImpact)",
      "severity": "HIGH",
      "version": "2.0"
    },
    ...
```
HTML report:
Version of dependency-check used
The problem occurs using version 12.1.3 of the Gradle plugin.
To Reproduce
Steps to reproduce the behavior:
Run the report with a library that has a newer vulnerability with a CVSS v4 score, for example Jackson <2.15.0 and CVE-2025-52999
Expected behavior
The CVSS v4 score should show up as expected.
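Added example (not part of the issue or of the dependency-check project): a small consumer-side sanity check for the JSON report described above. It parses the CVSS:4.0 vector string quoted from NVD into its base metrics, and it walks a report looking for `cvssv2` blocks that still contain unrendered `$enc.json(...)` template expressions like the ones in the snippet, which is the visible symptom of a v4 score having been written into the v2 section. The sample report is constructed here from the snippet plus one hypothetical, correctly rendered v2 entry; the dependency file name and the second CVE id are placeholders.

```python
import json

# Base metrics every CVSS v4.0 vector string must carry (from the CVSS v4.0 specification).
CVSS4_BASE_METRICS = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")

# Substring left behind when a template expression is emitted verbatim instead of
# being rendered; it appears in the issue's JSON snippet.
UNRENDERED_MARKER = "$enc.json("

# Vector string for CVE-2025-52999 as quoted from NVD in the issue.
ISSUE_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"

# Constructed sample report: first entry mirrors the issue's snippet, second entry is a
# hypothetical, properly rendered CVSS v2 block (placeholder CVE id, placeholder jar name).
SAMPLE_REPORT = json.dumps({
    "dependencies": [{
        "fileName": "example-library-0.0.0.jar",
        "vulnerabilities": [
            {
                "source": "OSSINDEX",
                "name": "CVE-2025-52999",
                "severity": "HIGH",
                "cvssv2": {
                    "score": 8.699999809265137,
                    "accessVector": "NETWORK",
                    "accessComplexity": "LOW",
                    "authenticationr": "$enc.json($vuln.cvssV2.cvssData.authentication)",
                    "confidentialityImpact": "$enc.json($vuln.cvssV2.cvssData.confidentialityImpact)",
                    "integrityImpact": "$enc.json($vuln.cvssV2.cvssData.integrityImpact)",
                    "availabilityImpact": "$enc.json($vuln.cvssV2.cvssData.availabilityImpact)",
                    "severity": "HIGH",
                    "version": "2.0",
                },
            },
            {
                "source": "NVD",
                "name": "CVE-0000-0000",
                "severity": "MEDIUM",
                "cvssv2": {
                    "score": 5.0,
                    "accessVector": "NETWORK",
                    "accessComplexity": "LOW",
                    "authentication": "NONE",
                    "confidentialityImpact": "PARTIAL",
                    "integrityImpact": "NONE",
                    "availabilityImpact": "NONE",
                    "severity": "MEDIUM",
                    "version": "2.0",
                },
            },
        ],
    }]
})


def parse_cvss4_vector(vector):
    """Parse a CVSS:4.0 vector string into a metric -> value dict.

    Raises ValueError for a non-4.0 prefix, a malformed metric, or a missing base metric.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector: %r" % vector)
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed metric %r" % part)
        metrics[key] = value
    missing = [m for m in CVSS4_BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError("missing base metrics: %s" % ", ".join(missing))
    return metrics


def find_suspect_cvss_blocks(report_text):
    """Return one finding per vulnerability whose cvssv2 block holds unrendered template text."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            block = vuln.get("cvssv2") or {}
            bad_fields = sorted(
                k for k, v in block.items()
                if isinstance(v, str) and UNRENDERED_MARKER in v
            )
            if bad_fields:
                findings.append({
                    "dependency": dep.get("fileName"),
                    "name": vuln.get("name"),
                    "score": block.get("score"),
                    "unrendered_fields": bad_fields,
                    "has_cvssv4": "cvssv4" in vuln,
                })
    return findings


if __name__ == "__main__":
    print("v4 metrics:", parse_cvss4_vector(ISSUE_VECTOR))
    for finding in find_suspect_cvss_blocks(SAMPLE_REPORT):
        print("suspect cvssv2 block:", finding)
```

Run against a real report with `find_suspect_cvss_blocks(open("dependency-check-report.json").read())`; an entry that is flagged and has no `cvssv4` block is one where the v2 fields cannot be trusted and the score should be re-read from the vector string (or NVD) instead.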