fix: correct XML/JSON report CVSS field & HTML report URL mappings #8156

Merged: jeremylong merged 8 commits into dependency-check:main from chadlwilson:correct-report-cvss-mappings on Nov 30, 2025
Conversation

chadlwilson (Collaborator) commented Nov 28, 2025

Description of Change

Fixes a number of mapping issues with the Velocity report templates by adding IDE type checking and resolving the resultant issues highlighted.

  • XML and JSON report CVSSv4 mappings for additional fields did not seem correct
    • Vulnerable System CIA
    • Subsequent System CIA
    • Modified Vulnerable System CIA
    • Modified Subsequent System CIA
    • *requirement fields
  • JSON report does not appear to have been including CWEs correctly for non-suppressed vulns
  • XML and JSON report CVSSv2 and v3 extended fields were not mapped correctly
  • HTML reports were not mapping URLs-without-names as intended
  • chore fixups

Related issues

fixes #8155

Have test cases been added to cover the new functionality?

N/A

I assume that the existing XML and JSON schemas for these fields are defined correctly, and that the `toString` for the enums correctly serialises values as required by the formats, as done for existing fields that are mapping correctly.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
… field

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
fixes dependency-check#8155 - Vulnerable System CIA, Subsequent System CIA, Modified Vulnerable System CIA and Modified Subsequent System CIA were mapped incorrectly

Also corrects mapping the requirement fields if populated.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
…y/impact/obtainprivilege etc fields

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@chadlwilson chadlwilson changed the title Correct report CVSS field mappings fix: correct XML/JSON report CVSS field & HTML report URL mappings Nov 28, 2025
@chadlwilson chadlwilson marked this pull request as ready for review November 28, 2025 06:17
@boring-cyborg boring-cyborg bot added the core changes to core label Nov 28, 2025
jeremylong (Collaborator) left a comment:

lgtm

@jeremylong jeremylong merged commit 5599f5b into dependency-check:main Nov 30, 2025
7 of 9 checks passed
@chadlwilson chadlwilson deleted the correct-report-cvss-mappings branch November 30, 2025 15:05
@chadlwilson chadlwilson added this to the 12.2.0 milestone Nov 30, 2025
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2025
Labels: core (changes to core)

Development: successfully merging this pull request may close these issues: Incomplete XML and JSON reports for CVSSv4 collected from OSSIndex

2 participants