Description
Describe the bug
When the JSON report of the dependency-check-maven-plugin contains a CVE with CVSSV4 data, this report cannot be parsed by the sonar-maven-plugin and the dependency-check sensor. No information from dependency-check is visible in SonarQube.
To Reproduce
Have a CVE in the scanned project with CVSSV4 data, e.g. CVE-2024-8391
Current behavior
The JSON report from the dependency-check-maven-plugin cannot be parsed by the sonar-maven-plugin and the dependency-check scanner.
Expected behavior
The JSON report can be parsed and is shown in SonarQube.
Screenshots
No screenshots, but logs from the sonar-maven-plugin:
16:35:05 [INFO] Sensor Dependency-Check [dependencycheck]
16:35:05 [INFO] Dependency-Check - Start
16:35:05 [INFO] Using JSON-Reportparser
16:35:05 [WARNING] JSON-Analysis aborted
16:35:05 [DEBUG] Problem with JSON-Report-Mapping
16:35:05 org.sonar.dependencycheck.parser.ReportParserException: Problem with JSON-Report-Mapping
16:35:05 at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:44)
16:35:05 at org.sonar.dependencycheck.DependencyCheckSensor.parseAnalysis(DependencyCheckSensor.java:67)
16:35:05 at org.sonar.dependencycheck.DependencyCheckSensor.execute(DependencyCheckSensor.java:129)
16:35:05 at org.sonar.scanner.sensor.AbstractSensorWrapper.analyse(AbstractSensorWrapper.java:64)
16:35:05 at org.sonar.scanner.sensor.ProjectSensorsExecutor.execute(ProjectSensorsExecutor.java:52)
16:35:05 at org.sonar.scanner.scan.SpringProjectScanContainer.doAfterStart(SpringProjectScanContainer.java:176)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:226)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:205)
16:35:05 at org.sonar.scanner.bootstrap.SpringScannerContainer.doAfterStart(SpringScannerContainer.java:351)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:226)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:205)
16:35:05 at org.sonar.scanner.bootstrap.SpringGlobalContainer.doAfterStart(SpringGlobalContainer.java:144)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.startComponents(SpringComponentContainer.java:226)
16:35:05 at org.sonar.core.platform.SpringComponentContainer.execute(SpringComponentContainer.java:205)
16:35:05 at org.sonar.scanner.bootstrap.ScannerMain.runScannerEngine(ScannerMain.java:149)
16:35:05 at org.sonar.scanner.bootstrap.ScannerMain.run(ScannerMain.java:66)
16:35:05 at org.sonar.scanner.bootstrap.ScannerMain.main(ScannerMain.java:52)
16:35:05 Caused by: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "cvssv4" (class org.sonar.dependencycheck.parser.element.Vulnerability), not marked as ignorable (7 known properties: "cvssv3", "cwes", "name", "description", "severity", "cvssv2", "source"])
16:35:05 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1222804] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[191]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv4"])
16:35:05 at com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException.from(UnrecognizedPropertyException.java:61)
16:35:05 at com.fasterxml.jackson.databind.DeserializationContext.handleUnknownProperty(DeserializationContext.java:1153)
16:35:05 at com.fasterxml.jackson.databind.deser.std.StdDeserializer.handleUnknownProperty(StdDeserializer.java:2224)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperty(BeanDeserializerBase.java:1793)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.handleUnknownProperties(BeanDeserializerBase.java:1743)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:546)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
16:35:05 at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer._deserializeFromArray(CollectionDeserializer.java:359)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:244)
16:35:05 at com.fasterxml.jackson.databind.deser.std.CollectionDeserializer.deserialize(CollectionDeserializer.java:28)
16:35:05 at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:545)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeWithErrorWrapping(BeanDeserializer.java:570)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer._deserializeUsingPropertyBased(BeanDeserializer.java:440)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializerBase.deserializeFromObjectUsingNonDefault(BeanDeserializerBase.java:1493)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:348)
16:35:05 at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:185)
16:35:05 at com.fasterxml.jackson.databind.deser.DefaultDeserializationContext.readRootValue(DefaultDeserializationContext.java:342)
16:35:05 at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4899)
16:35:05 at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3883)
16:35:05 at org.sonar.dependencycheck.parser.JsonReportParserHelper.parse(JsonReportParserHelper.java:40)
16:35:05 ... 16 common frames omitted
More logs can be provided if necessary.
Versions (please complete the following information):
- dependency-check: 12.0.2
- sonarqube: v10.7 (96327)
- dependency-check-sonar-plugin: 5.0.0
Additional context
This issue appeared after jeremylong/DependencyCheck#7343 was fixed in dependency-check 12.0.2.
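The failure mode in the stack trace, reproduced as an added example (not the plugin's own code): Jackson's default `FAIL_ON_UNKNOWN_PROPERTIES` rejects the whole report over the one unmapped `cvssv4` block, so every finding disappears from SonarQube; a tolerant mapper keeps the known fields. The model classes and the report fragment are constructed stand-ins with the same seven properties the exception lists.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException;
import java.util.List;
import java.util.Map;

public class Cvssv4ParseDemo {
    // Constructed fragment of a dependency-check JSON report: one dependency with one
    // vulnerability that carries the new "cvssv4" block next to the long-known fields.
    static final String REPORT = "{\"dependencies\":[{\"fileName\":\"example.jar\","
        + "\"vulnerabilities\":[{\"source\":\"NVD\",\"name\":\"CVE-2024-8391\","
        + "\"severity\":\"HIGH\",\"cvssv3\":{\"baseScore\":7.5},"
        + "\"cvssv4\":{\"cvssData\":{\"baseScore\":8.7}}}]}]}";

    // Hypothetical stand-ins for the plugin's model classes: the seven known properties, no "cvssv4".
    public static class Analysis { public List<Dependency> dependencies; }
    public static class Dependency { public String fileName; public List<Vulnerability> vulnerabilities; }
    public static class Vulnerability {
        public String source, name, severity, description;
        public Map<String, Object> cvssv2, cvssv3;
        public List<Object> cwes;
    }

    /** Jackson default (FAIL_ON_UNKNOWN_PROPERTIES = true): one new field aborts the whole report. */
    static Analysis parseStrict(String json) throws Exception {
        return new ObjectMapper().readValue(json, Analysis.class);
    }

    /** Tolerant mapping: unknown blocks are skipped, known fields are still read, so an
     *  upstream format addition cannot silently blank out every finding in SonarQube. */
    static Analysis parseTolerant(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper()
            .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        return mapper.readValue(json, Analysis.class);
    }

    public static void main(String[] args) throws Exception {
        try {
            parseStrict(REPORT);
            System.out.println("strict parse unexpectedly succeeded");
        } catch (UnrecognizedPropertyException e) {
            // Same failure as the issue: the report is rejected because of this single field.
            System.out.println("strict parse aborted on field: " + e.getPropertyName());
        }
        Analysis a = parseTolerant(REPORT);
        Vulnerability v = a.dependencies.get(0).vulnerabilities.get(0);
        System.out.println(v.name + " " + v.severity + " cvssv3=" + v.cvssv3.get("baseScore"));
    }
}
```

Ignoring unknown properties is the minimal fix; mapping `cvssv4` explicitly is the better one, since the tolerant parser still drops the CVSSv4 score the report now carries.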