Describe the bug
When reporting issue sonatype-2020-0739, Dependency Check renders it as CVSS v2 with missing and mangled fields, while the Sonatype advisory provides a CVSS 3.1 vector with all fields present.
The JSON produced contains:
```json
"cvssv2": {
    "score": 9.8,
    "accessVector": "N",
    "accessComplexity": "L",
    "authenticationr": "$enc.json($vuln.cvssV2.authentication)",
    "confidentialImpact": "H",
    "integrityImpact": "H",
    "availabilityImpact": "H",
    "severity": "HIGH"
},
```
Version of dependency-check used
The problem occurs using version 7.3.0 of the CLI.
Log file
https://files.meurisse.org/depcheck.log
To Reproduce
Steps to reproduce the behavior:
- Create an empty folder
- Inside it, run `npm init && npm i [email protected]`
- Run `dependency-check.sh --project test -s . --log test.log`
- Inspect the generated JSON
Expected behavior
The JSON should contain something like:
```json
"cvssv3": {
    "baseScore": 9.8,
    "attackVector": "NETWORK",
    "attackComplexity": "LOW",
    "privilegesRequired": "NONE",
    "userInteraction": "NONE",
    "scope": "UNCHANGED",
    "confidentialityImpact": "HIGH",
    "integrityImpact": "HIGH",
    "availabilityImpact": "HIGH",
    "baseSeverity": "HIGH",
    "exploitabilityScore": "3.9",
    "impactScore": "5.9",
    "version": "3.1"
},
```
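A sanity check that a report consumer can run over the generated JSON to catch this kind of defect (an unrendered `$enc.json(...)` template reference, a misspelled CVSS v2 key, or a finding with no cvssv3 block at all), added here as an illustration and not part of Dependency Check; the `dependencies` / `vulnerabilities` / `name` layout of the report and the sample below are assumed.

```python
import json
import re

# Constructed sample report, modelled on the cvssv2 block quoted in this issue.
SAMPLE_REPORT = json.dumps({
    "dependencies": [{
        "fileName": "example-package",  # constructed dependency name
        "vulnerabilities": [{
            "name": "sonatype-2020-0739",
            "source": "OSSINDEX",
            "cvssv2": {
                "score": 9.8,
                "accessVector": "N",
                "accessComplexity": "L",
                "authenticationr": "$enc.json($vuln.cvssV2.authentication)",
                "confidentialImpact": "H",
                "integrityImpact": "H",
                "availabilityImpact": "H",
                "severity": "HIGH",
            },
        }],
    }]
})

# A string value that still looks like a Velocity reference was never rendered.
TEMPLATE_RE = re.compile(r"\$(enc\.json|vuln)\b|\$\{")
# Keys we expect in a well-formed cvssv2 block (assumed from the report format).
EXPECTED_V2_KEYS = {"score", "accessVector", "accessComplexity", "authentication",
                    "confidentialImpact", "integrityImpact", "availabilityImpact",
                    "severity"}


def find_report_defects(report_text: str) -> list:
    """Return one record per vulnerability whose CVSS data looks malformed."""
    findings = []
    for dep in json.loads(report_text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            problems = []
            v2 = vuln.get("cvssv2") or {}
            unrendered = [k for k, v in v2.items()
                          if isinstance(v, str) and TEMPLATE_RE.search(v)]
            if unrendered:
                problems.append(f"unrendered template in cvssv2 keys {unrendered}")
            unexpected = sorted(set(v2) - EXPECTED_V2_KEYS)
            if unexpected:
                problems.append(f"unexpected cvssv2 keys {unexpected}")
            if "cvssv3" not in vuln:
                problems.append("no cvssv3 block; severity may be downgraded to v2")
            if problems:
                findings.append({"dependency": dep.get("fileName"),
                                 "vulnerability": vuln.get("name"),
                                 "problems": problems})
    return findings
```

Running it over a real report points at exactly the findings whose scores should not be trusted until the template is fixed.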