Precondition
Describe the bug
The logic for parsing CVSS scores is flawed with some CVEs.
Failed to fetch component-report for: pkg:maven/org.springframework/spring-web@4.3.30.RELEASE
java.lang.IllegalArgumentException: Invalid CVSS base score: 6.900000095367432
at org.owasp.dependencycheck.utils.CvssUtil.toSeverityType(CvssUtil.java:244)
at org.owasp.dependencycheck.utils.CvssUtil.vectorToCvssV4(CvssUtil.java:303)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:338)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$4(OssIndexAnalyzer.java:280)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:601)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:281)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:189)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1583)
Failed to fetch component-report for: pkg:maven/com.google.code.gson/gson@2.8.9
java.lang.IllegalArgumentException: Invalid CVSS base score: 6.900000095367432
at org.owasp.dependencycheck.utils.CvssUtil.toSeverityType(CvssUtil.java:244)
at org.owasp.dependencycheck.utils.CvssUtil.vectorToCvssV4(CvssUtil.java:303)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:338)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$4(OssIndexAnalyzer.java:280)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:601)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:281)
at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:189)
at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:317)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
at java.base/java.lang.Thread.run(Thread.java:1583)
Version of dependency-check used
12.1.5
To Reproduce
Check scores for something like pkg:maven/com.google.code.gson/gson@2.8.9, which has a CVE with a CVSSv4 score of 6.9:
https://ossindex.sonatype.org/component/pkg:maven/com.google.code.gson/gson@2.8.9
Expected behavior
CVSS scores of 6.9 (etc.) can be parsed.
Additional context
The logic in #7899 is flawed, as it is making comparisons on floating point numbers which are subject to loss of precision and rarely exactly equal to fractional values, and thus fails to handle some values:
> 0, < 0.1
> 3.9, < 4
> 6.9, < 7
> 8.9, < 9
This happens because the OSS Index API client binds the value to a float which lacks sufficient precision, and is then coerced to a double in ODC.
The score probably needs one of
- data type changed to something non floating point or with arbitrary precision
- to be multiplied by 10 and rounded to an integer before comparisons
- boundaries need to be corrected so they are contiguous as appropriate for a floating point comparison
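The gap described above, as an added Java example that is not code from the dependency-check project: `flawedSeverity` is a hypothetical reconstruction of a boundary check whose ranges leave holes such as (6.9, 7), and `robustSeverity` applies the second suggestion from the list (multiply by 10, round to an integer, then compare contiguous integer ranges). Widening the float-bound 6.9 to a double reproduces the exact value in the stack trace.

```java
public class CvssSeverityDemo {

    enum Severity { NONE, LOW, MEDIUM, HIGH, CRITICAL }

    // Hypothetical reconstruction of the flawed pattern: every range is
    // compared as a double, so a value strictly between 6.9 and 7.0
    // matches no branch and is rejected as invalid.
    static Severity flawedSeverity(double score) {
        if (score == 0.0) return Severity.NONE;
        if (score >= 0.1 && score <= 3.9) return Severity.LOW;
        if (score >= 4.0 && score <= 6.9) return Severity.MEDIUM;
        if (score >= 7.0 && score <= 8.9) return Severity.HIGH;
        if (score >= 9.0 && score <= 10.0) return Severity.CRITICAL;
        throw new IllegalArgumentException("Invalid CVSS base score: " + score);
    }

    // Hardened version: CVSS base scores are defined to one decimal place,
    // so scale to tenths and round to a long before comparing. Rounding
    // absorbs the float-to-double noise (6.900000095367432 -> 69) and the
    // integer ranges are contiguous, so no value between 0 and 10 can fall
    // through. Anything outside 0..100 tenths is still rejected.
    static Severity robustSeverity(double score) {
        long tenths = Math.round(score * 10.0);
        if (tenths < 0 || tenths > 100) {
            throw new IllegalArgumentException("Invalid CVSS base score: " + score);
        }
        if (tenths == 0) return Severity.NONE;
        if (tenths <= 39) return Severity.LOW;
        if (tenths <= 69) return Severity.MEDIUM;
        if (tenths <= 89) return Severity.HIGH;
        return Severity.CRITICAL;
    }

    public static void main(String[] args) {
        // Constructed input: the score as a float-typed binding would hold it.
        float boundByClient = 6.9f;
        // Widening conversion to double, as happens when the value is handed to ODC.
        double coerced = boundByClient;
        System.out.println("coerced value: " + coerced); // 6.900000095367432

        try {
            flawedSeverity(coerced);
        } catch (IllegalArgumentException e) {
            System.out.println("flawed: " + e.getMessage()); // Invalid CVSS base score: 6.900000095367432
        }

        System.out.println("robust: " + robustSeverity(coerced)); // MEDIUM

        // The other gaps listed in the issue behave the same way.
        for (float f : new float[] {3.9f, 8.9f}) {
            double d = f;
            System.out.println(d + " -> " + robustSeverity(d));
        }
    }
}
```

Rounding to tenths is only safe because CVSS scores are specified with one decimal; a value such as 6.95 would be pushed up to 70 (HIGH), so the input contract should be stated wherever this approach is used. The first suggestion in the list, keeping the score in an integer or arbitrary-precision type from the API client onward, avoids the widening noise altogether and is the stronger fix.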