✅ Snyk checks have passed. No issues have been found so far.
Pull request overview
Adds backend support for ingesting, persisting, exposing, and querying CVSS v4 scores/vectors across multiple vulnerability sources (NVD API/feed, GitHub advisories, Trivy, OSV, OSS Index), and updates severity calculation to prefer CVSSv4 when present.
Changes:
- Extend the data model and persistence/query layers to store CVSSv4 score/vector and support filtering/sorting by CVSSv4.
- Update parsers/mirroring/scanners to populate CVSSv4 fields and prefer v4 for severity where applicable.
- Add/extend unit and resource tests + fixtures to validate CVSSv4 ingestion and API responses.
Reviewed changes
Copilot reviewed 39 out of 39 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/test/resources/unit/osv.jsons/osv-GHSA-q2x7-8rv6-6q7h.json | Adds OSV fixture containing CVSSv4 + CVSSv3 severity entries. |
| src/test/resources/unit/nvd/feed/nvdcve-2.0-2022.json | Extends NVD feed fixture with cvssMetricV40 sample. |
| src/test/resources/unit/nvd/api/jsons/cve-2025-9377.json | Adds NVD API v2.0 response fixture including CVSSv4 metrics. |
| src/test/java/org/dependencytrack/util/VulnerabilityUtilTest.java | Adds CVSSv4 severity normalization + updated getSeverity tests. |
| src/test/java/org/dependencytrack/tasks/scanners/TrivyAnalysisTaskTest.java | Verifies CVSSv4 vector/score mapping from Trivy protobufs. |
| src/test/java/org/dependencytrack/tasks/scanners/OssIndexAnalysisTaskTest.java | Adds OSS Index CVSSv4 ingestion test coverage. |
| src/test/java/org/dependencytrack/tasks/OsvDownloadTaskTest.java | Adds OSV severity calculation + mapping tests for CVSSv4. |
| src/test/java/org/dependencytrack/tasks/NistMirrorTaskTest.java | Asserts NVD feed mirroring maps CVSSv4 and affects severity. |
| src/test/java/org/dependencytrack/tasks/NistApiMirrorTaskTest.java | Adds NVD API mirroring test for CVSSv4 ingestion. |
| src/test/java/org/dependencytrack/tasks/GitHubAdvisoryMirrorTaskTest.java | Adds GitHub advisory CVSSv4 handling test coverage. |
| src/test/java/org/dependencytrack/resources/v1/VulnerabilityResourceTest.java | Ensures REST create/update includes CVSSv4 vector/score and updated severity. |
| src/test/java/org/dependencytrack/resources/v1/CalculatorResourceTest.java | Adds /v1/calculator/cvss test for CVSSv4 vectors. |
| src/test/java/org/dependencytrack/parser/osv/OsvAdvisoryParserTest.java | Adds OSV advisory parsing test for CVSSv4 severity entries. |
| src/test/java/org/dependencytrack/notification/publisher/WebhookPublisherTest.java | Updates webhook payload assertions to include cvssv4. |
| src/test/java/org/dependencytrack/notification/publisher/AbstractPublisherTest.java | Adds CVSSv4 score to shared vulnerability test builder. |
| src/test/java/org/dependencytrack/model/VulnerabilityTest.java | Adds CVSSv4 vector/score field tests and severity expectations. |
| src/test/java/org/dependencytrack/model/GroupedFindingTest.java | Updates grouped finding mapping to include CVSSv4 score. |
| src/test/java/org/dependencytrack/model/FindingTest.java | Updates finding mapping to include CVSSv4 score. |
| src/test/java/org/dependencytrack/integrations/FindingPackagingFormatTest.java | Updates Finding construction for new CVSSv4 parameter. |
| src/main/java/org/dependencytrack/util/VulnerabilityUtil.java | Extends severity calculation/normalization utilities to accept CVSSv4. |
| src/main/java/org/dependencytrack/util/NotificationUtil.java | Includes CVSSv4 score in notification vulnerability JSON. |
| src/main/java/org/dependencytrack/upgrade/v4110/v4110Updater.java | Updates severity recomputation call to new getSeverity signature. |
| src/main/java/org/dependencytrack/tasks/scanners/OssIndexAnalysisTask.java | Parses CVSSv4 vectors and applies v4 scores when present. |
| src/main/java/org/dependencytrack/tasks/OsvDownloadTask.java | Maps OSV CVSSv4 vector + uses it for severity derivation. |
| src/main/java/org/dependencytrack/resources/v1/VulnerabilityResource.java | Validates CVSSv4 vector + recalculates v4 score from vector. |
| src/main/java/org/dependencytrack/resources/v1/FindingResource.java | Adds CVSSv4 range filters to findings endpoints. |
| src/main/java/org/dependencytrack/resources/v1/CalculatorResource.java | Updates API docs/messages to accept CVSSv4 vectors. |
| src/main/java/org/dependencytrack/persistence/VulnerabilityQueryManager.java | Persists CVSSv4 vector/score changes via diffing. |
| src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java | Adds CVSSv4 sorting/filtering + fixes result index offsets. |
| src/main/java/org/dependencytrack/parser/vulndb/ModelConverter.java | Updates severity calculation call to include CVSSv4 score. |
| src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java | Maps Trivy v4 vector/score into Vulnerability fields. |
| src/main/java/org/dependencytrack/parser/osv/model/OsvAdvisory.java | Adds CVSSv4 vector field to OSV advisory model. |
| src/main/java/org/dependencytrack/parser/osv/OsvAdvisoryParser.java | Extracts CVSSv4 vector from OSV severity[]. |
| src/main/java/org/dependencytrack/parser/nvd/api20/ModelConverter.java | Ingests NVD API CVSSv4 metrics and persists score/vector. |
| src/main/java/org/dependencytrack/parser/github/ModelConverter.java | Applies CVSSv4 score/vector from GitHub advisory payloads. |
| src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java | Emits CycloneDX CVSSv4 ratings and shares CVSS3/4 severity mapping. |
| src/main/java/org/dependencytrack/model/Vulnerability.java | Adds CVSSv4 DB columns + getters/setters + applyV4Score. |
| src/main/java/org/dependencytrack/model/GroupedFinding.java | Adds CVSSv4 score to grouped findings query + mapping. |
| src/main/java/org/dependencytrack/model/Finding.java | Adds CVSSv4 score to findings queries + mapping/severity derivation. |
Comments suppressed due to low confidence (1)
src/main/java/org/dependencytrack/resources/v1/CalculatorResource.java:83
- Now that this endpoint accepts CVSSv4 vectors, `cvss.getBakedScores()` can yield `NaN` for fields that are not defined for v4 (impact/exploitability/temporal/environmental). Those `double` values will serialize as the string "NaN" (to keep JSON valid), which breaks the declared numeric schema and can surprise API consumers. Consider switching the `Score` record fields to boxed `Double` and mapping `NaN` to `null` (or omitting those fields) when the underlying score is not applicable.

```java
public Response getCvssScores(
        @Parameter(description = "A valid CVSSv2, CVSSv3, or CVSSv4 vector", required = true)
        @QueryParam("vector") String vector) {
    final String invalidVector = "An invalid CVSSv2, CVSSv3, or CVSSv4 vector submitted.";
    final var cvss = CvssUtil.parse(vector);
    if (cvss == null) {
        return Response.status(Response.Status.BAD_REQUEST).entity(invalidVector).build();
    }
```
Pull request overview
Copilot reviewed 41 out of 41 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (1)
src/main/java/org/dependencytrack/resources/v1/CalculatorResource.java:82
- CalculatorResource now accepts CVSSv4 vectors, but for CVSSv4 the baked sub-scores (impact/exploitability/temporal/environmental/modifiedImpact) can be NaN, which ends up serialized as the string "NaN" (see CalculatorResourceTest). This produces mixed JSON types (number vs string) and is hard for API clients to consume. Consider changing the response model to use boxed Doubles and convert NaN -> null (or omit unsupported fields) so the JSON remains type-stable and valid for all vectors.
```java
public Response getCvssScores(
        @Parameter(description = "A valid CVSSv2, CVSSv3, or CVSSv4 vector", required = true)
        @QueryParam("vector") String vector) {
    final String invalidVector = "An invalid CVSSv2, CVSSv3, or CVSSv4 vector submitted.";
    final var cvss = CvssUtil.parse(vector);
    if (cvss == null) {
        return Response.status(Response.Status.BAD_REQUEST).entity(invalidVector).build();
    }
```
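Both Copilot comments above make the same point about `NaN` sub-scores; the following is an added illustration (not code from the Dependency-Track PR) of how a primitive-`double` record serializes for a CVSSv4 vector under Jackson's defaults, beside a boxed-`Double` variant that maps `NaN` to `null` and omits it. The record names, field set and the 7.3 base score are constructed for the example; it assumes Jackson 2.12 or newer on the classpath.

```java
// Added example, not part of the Dependency-Track PR. Assumes Jackson 2.12+
// (record support). Record names and sample values are hypothetical.
import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;

public class CvssScoreSerialization {

    // Current shape: primitive doubles. Jackson's default
    // (JsonWriteFeature.WRITE_NAN_AS_STRINGS enabled) quotes NaN as the
    // string "NaN" so the document stays parseable, which means a field
    // declared numeric changes type depending on the CVSS version.
    record Score(double baseScore, double impactSubScore, double exploitabilitySubScore) {}

    // Hardened shape: boxed Doubles with NaN mapped to null and nulls omitted,
    // so clients only ever see numbers or absent fields, never strings.
    @JsonInclude(JsonInclude.Include.NON_NULL)
    record TypedScore(Double baseScore, Double impactSubScore, Double exploitabilitySubScore) {
        static Double orNull(double d) {
            return Double.isNaN(d) ? null : d;
        }
        static TypedScore of(double base, double impact, double exploitability) {
            return new TypedScore(orNull(base), orNull(impact), orNull(exploitability));
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed input: CVSSv4 yields a base score but defines no
        // impact/exploitability sub-scores, so those come back as NaN.
        double base = 7.3;
        double impact = Double.NaN;
        double exploitability = Double.NaN;

        System.out.println(mapper.writeValueAsString(new Score(base, impact, exploitability)));
        System.out.println(mapper.writeValueAsString(TypedScore.of(base, impact, exploitability)));
    }
}
```

The first line printed carries the two sub-scores as the quoted string "NaN", while the second carries only `baseScore`, which is the type-stable shape the review asks for.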
Co-authored-by: Tobias Gies <[email protected]>
Signed-off-by: nscuro <[email protected]>
Pull request overview
Copilot reviewed 41 out of 41 changed files in this pull request and generated 1 comment.
Description
Adds CVSSv4 support.
Credit to @tobiasgies for doing the grunt of this work in #5456.
Addressed Issue
Closes #4707
Frontend PR: DependencyTrack/frontend#1455
Additional Details
Supersedes #5456
Differs from the previous PR in a few ways:
- `ALTER TABLE` statements to add new columns; the ORM takes care of adding new columns automatically.
- `VulnerabilityUtil#getSeverity` methods. Instead update all call sites to use the new method signature. We're the only consumers of these methods, no need to keep things backward-compatible.
- `UpgradeItem` to reset the watermarks for vulnerability sources that use incremental mirroring. Necessary to enable backfill of CVSSv4 data.

Checklist
- This PR fixes a defect, and I have provided tests to verify that the fix is effective
- This PR introduces changes to the database model, and I have added corresponding update logic
- This PR introduces new or alters existing behavior, and I have updated the documentation accordingly