Precondition
Describe the bug
Vulnerable System CIA, Subsequent System CIA, Modified Vulnerable System CIA and Modified Subsequent System CIA nodes are missing for OSSIndex CVSSv4 vectors in JSON and XML reports.
Version of dependency-check used
The problem occurs using version 12.1.9 of the CLI and Gradle plugin. I haven't checked other plugins.
Probably this behaviour is part of dependency-check core.
Log file
Here is the part of the XML report generated for the pygoat vulnerable application.
<vulnerability source="OSSINDEX">
  <name>CVE-2024-49766</name>
  <severity>MEDIUM</severity>
  <cvssV4>
    <source>ossindex</source>
    <type>Primary</type>
    <version>4.0</version>
    <vectorString>CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</vectorString>
    <attackVector>NETWORK</attackVector>
    <attackComplexity>HIGH</attackComplexity>
    <attackRequirements>NONE</attackRequirements>
    <privilegesRequired>NONE</privilegesRequired>
    <userInteraction>NONE</userInteraction>
    <exploitMaturity>NOT_DEFINED</exploitMaturity>
    <modifiedAttackVector>NOT_DEFINED</modifiedAttackVector>
    <modifiedAttackComplexity>NOT_DEFINED</modifiedAttackComplexity>
    <modifiedAttackRequirements>NOT_DEFINED</modifiedAttackRequirements>
    <modifiedPrivilegesRequired>NOT_DEFINED</modifiedPrivilegesRequired>
    <modifiedUserInteraction>NOT_DEFINED</modifiedUserInteraction>
    <safety>NOT_DEFINED</safety>
    <automatable>NOT_DEFINED</automatable>
    <recovery>NOT_DEFINED</recovery>
    <valueDensity>NOT_DEFINED</valueDensity>
    <vulnerabilityResponseEffort>NOT_DEFINED</vulnerabilityResponseEffort>
    <providerUrgency>NOT_DEFINED</providerUrgency>
    <baseScore>6.300000190734863</baseScore>
    <baseSeverity>MEDIUM</baseSeverity>
  </cvssV4>
</vulnerability>
Here are full reports:
dependency-check-report.json
dependency-check-report.xml
To Reproduce
Steps to reproduce the behavior:
git clone https://github.com/adeyosemanputra/pygoat.git
cd pygoat
docker run --rm -v .:/src owasp/dependency-check:12.1.9 --project pygoat --scan /src --out /src --format XML --format JSON --ossIndexUsername "<redact>" --ossIndexPassword "<redact>" --nvdApiKey "<redact>" --disableAssembly --disableCentral --disableRetireJS --enableExperimental
Check the XML and JSON reports for CVSSv4 vectors produced by OSSIndex (e.g. the CVE-2024-49766 vector).
Expected behavior
XML and JSON reports should contain Vulnerable System CIA, Subsequent System CIA, Modified Vulnerable System CIA and Modified Subsequent System CIA nodes.
Additional context
My assumption is that the OSSIndex CvssV4Data class attributes don't correspond to the XML and JSON template fields used to generate reports.
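As an added check (not part of this issue or of dependency-check), the script below parses a report's vectorString and lists which CIA nodes a <cvssV4> element lacks or contradicts, which is how a consumer of these reports can detect the gap described above. The element names in CIA_NODES are assumed, modelled on the NVD CVSS v4 JSON field names; the report fragment is the one quoted above, trimmed to the relevant lines.

```python
"""Check a dependency-check <cvssV4> element against its own vectorString."""
import xml.etree.ElementTree as ET

# CVSS v4.0 impact metrics (base and environmental/modified) mapped to the
# report element names expected to carry them. The element names are an
# ASSUMPTION modelled on NVD's CVSS v4 JSON field names, not taken from the issue.
CIA_NODES = {
    "VC": "vulnConfidentialityImpact",
    "VI": "vulnIntegrityImpact",
    "VA": "vulnAvailabilityImpact",
    "SC": "subConfidentialityImpact",
    "SI": "subIntegrityImpact",
    "SA": "subAvailabilityImpact",
    "MVC": "modifiedVulnConfidentialityImpact",
    "MVI": "modifiedVulnIntegrityImpact",
    "MVA": "modifiedVulnAvailabilityImpact",
    "MSC": "modifiedSubConfidentialityImpact",
    "MSI": "modifiedSubIntegrityImpact",
    "MSA": "modifiedSubAvailabilityImpact",
}
# Vector letter -> spelled-out value in the style the report uses (e.g. NOT_DEFINED).
VALUE_NAMES = {"N": "NONE", "L": "LOW", "H": "HIGH", "S": "SAFETY", "X": "NOT_DEFINED"}

def parse_vector(vector):
    """Split 'CVSS:4.0/AV:N/AC:H/...' into {metric: letter}; accepts v4.0 only."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    return dict(part.split(":", 1) for part in rest.split("/"))

def check_cia_nodes(cvss_v4_xml):
    """Return {metric: problem} for each CIA metric whose node is missing or
    disagrees with the vectorString; {} means the element is consistent.
    Modified metrics absent from the vector default to X (NOT_DEFINED)."""
    root = ET.fromstring(cvss_v4_xml)
    metrics = parse_vector(root.findtext("vectorString"))
    problems = {}
    for abbrev, node in CIA_NODES.items():
        expected = VALUE_NAMES[metrics.get(abbrev, "X")]
        actual = root.findtext(node)
        if actual is None:
            problems[abbrev] = f"<{node}> missing (vector says {expected})"
        elif actual != expected:
            problems[abbrev] = f"<{node}> is {actual}, vector says {expected}"
    return problems

# The <cvssV4> element from the issue's report, trimmed to the relevant lines.
REPORT_FRAGMENT = """<cvssV4>
<vectorString>CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</vectorString>
<attackVector>NETWORK</attackVector>
<baseScore>6.300000190734863</baseScore>
</cvssV4>"""

if __name__ == "__main__":
    for metric, problem in check_cia_nodes(REPORT_FRAGMENT).items():
        print(metric, problem)
```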