
fix: Use unscored severity only in absence of any CVSS baseScore#7530

Merged
jeremylong merged 1 commit into main from fix/issue-7528
Mar 16, 2025

Conversation

@aikebah
Collaborator

@aikebah aikebah commented Mar 15, 2025

fixes #7528

Description of Change

Only use the fabricated high-watermark guesstimated CVSSv2 score for breaking the build when there is not any datasource that has published a CVSS basescore for the vulnerability.

Have test cases been added to cover the new functionality?

no

fixes #7528

Only use the fabricated high-watermark guesstimated CVSSv2 score for
breaking the build when there is not any datasource that has published
a CVSS basescore for the vulnerability.
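As an added example (not code from the DependencyCheck project or from this pull request), the Python sketch below models the decision rule the description states: any CVSS baseScore published by any datasource decides whether the finding reaches failOnCVSS, and the severity-derived high-watermark score is consulted only when no datasource published a baseScore at all. It goes slightly beyond the PR by also considering a CVSSv4 baseScore, as the gradle-plugin counterpart referenced here does. The `Vulnerability` field names, the `SEVERITY_WATERMARK` table, the `>=` threshold comparison and the `effective_score_pre_fix` variant are assumptions made for illustration.

```python
"""Added example: the failOnCVSS decision rule described in this PR.

Not code from DependencyCheck; field names, the severity-to-score table and
the pre-fix variant are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed high-watermark score for a vulnerability that only carries a
# textual severity (no datasource published a CVSS baseScore).  The real
# project's table may differ; this one is constructed for the example.
SEVERITY_WATERMARK = {
    "low": 3.9,
    "medium": 6.9,
    "moderate": 6.9,
    "high": 8.9,
    "critical": 10.0,
}


@dataclass
class Vulnerability:
    """Scores as a scanner might collect them from several datasources."""
    name: str
    cvss_v2_base: Optional[float] = None
    cvss_v3_base: Optional[float] = None
    cvss_v4_base: Optional[float] = None  # per the gradle-plugin counterpart
    unscored_severity: Optional[str] = None


def published_scores(vuln: Vulnerability) -> List[float]:
    """Every CVSS baseScore that some datasource actually published."""
    return [s for s in (vuln.cvss_v2_base, vuln.cvss_v3_base, vuln.cvss_v4_base)
            if s is not None]


def watermark_score(vuln: Vulnerability) -> Optional[float]:
    """Guesstimated score derived from the textual severity alone.

    An unknown severity label is treated as critical so that an unexpected
    label in a feed cannot silently downgrade a finding (assumption).
    """
    if not vuln.unscored_severity:
        return None
    return SEVERITY_WATERMARK.get(vuln.unscored_severity.lower(), 10.0)


def effective_score(vuln: Vulnerability) -> Optional[float]:
    """Rule after this PR: a published baseScore always wins over the watermark."""
    scores = published_scores(vuln)
    if scores:
        return max(scores)
    return watermark_score(vuln)


def effective_score_pre_fix(vuln: Vulnerability) -> Optional[float]:
    """Behaviour the linked issue implies before the fix (assumed): the
    watermark competed with published scores, so a 'critical' label could
    push a 9.8 finding over a 10.0 threshold."""
    candidates = published_scores(vuln)
    wm = watermark_score(vuln)
    if wm is not None:
        candidates.append(wm)
    return max(candidates) if candidates else None


def fails_build(vuln: Vulnerability, fail_on_cvss: float,
                rule=effective_score) -> bool:
    """True when the effective score reaches the failOnCVSS threshold."""
    score = rule(vuln)
    return score is not None and score >= fail_on_cvss


if __name__ == "__main__":
    # Constructed sample resembling the linked issue: a published 9.8 plus a
    # 'critical' label, checked against failOnCVSS = 10.0.
    v = Vulnerability("CVE-EXAMPLE-0001", cvss_v3_base=9.8,
                      unscored_severity="critical")
    print("after fix :", fails_build(v, 10.0))
    print("before fix:", fails_build(v, 10.0, rule=effective_score_pre_fix))
```

Running the block prints `False` for the post-fix rule and `True` for the assumed pre-fix rule on the same finding, which is the difference a user with `failOnCVSS = 10.0` and a 9.8-scored vulnerability would observe. A finding with no published score at all still falls back to the severity watermark, so unscored findings are not silently ignored.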
@boring-cyborg boring-cyborg bot added labels ant (changes to ant), cli (changes to the cli), core (changes to core), maven (changes to the maven plugin) Mar 15, 2025
aikebah added a commit to aikebah/dependency-check-gradle that referenced this pull request Mar 15, 2025
…add CVSSv4 score evaluation

Counterpart for gradle-plugin of
dependency-check/DependencyCheck#7530

Fixes dependency-check/DependencyCheck#7528 in the gradle plugin
and adds the still missing CVSSv4 score to the threshold evaluations
Collaborator

@jeremylong jeremylong left a comment


LGTM

@jeremylong jeremylong merged commit 91ffcf6 into main Mar 16, 2025
5 checks passed
@jeremylong jeremylong deleted the fix/issue-7528 branch March 16, 2025 11:43
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 16, 2025

Labels

ant (changes to ant), cli (changes to the cli), core (changes to core), maven (changes to the maven plugin)


Development

Successfully merging this pull request may close these issues.

Build fails at CVSS 9.8 even when failOnCVSS is set to 10.0 for cve-2021-23369

2 participants