fix: Correct parsing of Provider Urgency from CVSSv4 vector strings#101
Conversation
chadlwilson
changed the title
There was a problem hiding this comment.
Pull request overview
Fixes CVSS v4 Provider Urgency parsing to correctly handle the spec’s vector-string tokens (e.g., Clear, Green, Amber, Red) while preserving X/x -> NOT_DEFINED handling, preventing IllegalArgumentException when encountering title-case inputs.
Changes:
- Update
ProviderUrgencyType.fromValueto mapX/xtoNOT_DEFINEDdirectly. - Make Provider Urgency parsing lenient for vector strings by doing a case-insensitive lookup (via uppercasing) for
Clear/Green/Amber/Red.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
LGTM but I realized there are no unit tests for |
|
Yeah, there's very few tests for anything in the marshalling. I mean, I can, but testing 1 out of hundreds of fields isnt much of a start. |
|
We gotta start somewhere 🤓 If I were asked to do that, I'd ask Claude for help as it's mostly mechanical and data-driven (→ parameterized tests). If you like, I could attach a proposal here. |
|
Yeah, I was just being lazy when I discovered there were no existing tests since I tested directly with ODC's tests locally. Fair call out though. I have a separate follow-up PR to consolidate the duplicated logic here that made the testing easier, but I'll pull something in here. |
chadlwilson
force-pushed
the
fix-provider-urgency-type-vector-parsing
branch
from
6af6209 to
f4ceccd
Compare
The spec does not denote shorthand representations for anything except X/NOT_DEFINED; and instead has title case values `[X,Clear,Green,Amber,Red]`. Since we do case-insensitive matches to the single char variants right now (which is not strictly as in spec) and these methods seem intended to be helpful rather than strict, it seems OK and simplest to do a case-insensitive compare rather than normalizing to title case for comparison.
chadlwilson
force-pushed
the
fix-provider-urgency-type-vector-parsing
branch
from
f4ceccd to
54ccb9d
Compare
There was a problem hiding this comment.
Pull request overview
This PR fixes parsing of the CVSSv4 Provider Urgency metric when vector strings provide title-cased values like Amber, aligning with the spec and addressing the downstream error reported in #100 / dependency-check#8376.
Changes:
- Update
ProviderUrgencyType.fromValueto accept case-insensitive (vector) inputs likeAmber/amberwhile still mappingX/xtoNOT_DEFINED. - Add parameterized test coverage for CVSS v2/v3/v4 enum
fromValuemappings, including vector-string parsing and “not defined” handling. - Add shared enum test utilities to reduce duplication across CVSS test suites.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
src/main/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV4Data.java |
Makes Provider Urgency parsing tolerant of title-cased / mixed-cased vector-string inputs. |
src/test/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV4DataTest.java |
Adds CVSSv4 enum mapping tests, including case-insensitive vector parsing coverage. |
src/test/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV3DataTest.java |
Adds CVSSv3 enum mapping tests for canonical, vector, not-defined, and invalid values. |
src/test/java/io/github/jeremylong/openvulnerability/client/nvd/CvssV2DataTest.java |
Adds CVSSv2 enum mapping tests for canonical, vector, not-defined, and invalid values. |
src/test/java/io/github/jeremylong/openvulnerability/client/nvd/CvssEnumTestSupport.java |
Introduces shared helper methods for enum mapping assertions across CVSS tests. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
chadlwilson
force-pushed
the
fix-provider-urgency-type-vector-parsing
branch
from
54ccb9d to
7818291
Compare
chadlwilson
force-pushed
the
fix-provider-urgency-type-vector-parsing
branch
from
7818291 to
eee55f2
Compare
As noted more fully at #100 (comment) the spec does not denote Provider Urgency shorthand representations for vector strings for anything except
X->NOT_DEFINED; and instead has title case values[X,Clear,Green,Amber,Red].Since we do case-insensitive matches to the single char variants right now (which is not strictly in spec) and these methods seem intended to be helpful rather than strict, it seems OK and simplest to do a case-insensitive compare rather than normalizing to title case for comparison.