Describe the bug
With v9.0.2, the exploitabilityScore and impactScore fields within cvssv2 and cvssv3 are no longer available in the generated reports. I checked in the xml and json variants comparing between v8.4.3 and v9.0.2. v8.4.3 still contained these values.
Version of dependency-check used
v9.0.2
Additional context
Taking one cve as an example (CVE-2014-3600) I checked in the h2 database if the value is present, which is the case. So the value is being retrieved correctly from the nvd api.
Looking at the code and the template (focusing on the json one), the OpenVulnerabilityProject's Cvssv3 object contains these fields, however the template appears to be looking for them in the cvssData field as seen here. This also seems to be the case for cvssv2.
Describe the bug
With v9.0.2, the exploitabilityScore and impactScore fields within cvssv2 and cvssv3 are no longer available in the generated reports. I checked in the xml and json variants comparing between v8.4.3 and v9.0.2. v8.4.3 still contained these values.
Version of dependency-check used
v9.0.2
Additional context
Taking one cve as an example (CVE-2014-3600) I checked in the h2 database if the value is present, which is the case. So the value is being retrieved correctly from the nvd api.
Looking at the code and the template (focusing on the json one), the OpenVulnerabilityProject's Cvssv3 object contains these fields, however the template appears to be looking for them in the cvssData field as seen here. This also seems to be the case for cvssv2.