feat: Include all CVSS and OWASP RR vectors in Finding model

Expand the Finding and GroupedFinding objects to include all CVSS vectors
(v2, v3, and v4) as well as the OWASP RR vector. Additionally, external
references and vulnerability publication dates are included. These fields
are now available via the API and in the Finding Packaging Format (FPF)
export.

Currently, findings only include numerical scores, which prevents
downstream systems like DefectDojo from performing deep vector-based
risk assessments. Including advisory links and publication dates further
improves vulnerability context and SLA tracking in external management
platforms. The addition of all available vectors enhances this
capability significantly.

SQL queries, internal mappings (Finding, GroupedFinding), and the
persistence layer (FindingsSearchQueryManager) were adjusted to support
these new fields. The test suite was updated to ensure compatibility
with the modified data structure and shifted result set indices after
resolving merge conflicts from the integration of CVSSv4 support.

Signed-off-by: Andre Schlegel-Tylla <andre.schlegel-tylla@virtimo.de>

Author: AndreVirtimo

src/main/java/org/dependencytrack/model/Finding.java

@@ -76,14 +76,20 @@ public class Finding implements Serializable {
                  , "VULNERABILITY"."RECOMMENDATION"
                  , "VULNERABILITY"."SEVERITY"
                  , "VULNERABILITY"."CVSSV2BASESCORE"
+                 , "VULNERABILITY"."CVSSV2VECTOR"
                  , "VULNERABILITY"."CVSSV3BASESCORE"
+                 , "VULNERABILITY"."CVSSV3VECTOR"
                  , "VULNERABILITY"."CVSSV4SCORE"
+                 , "VULNERABILITY"."CVSSV4VECTOR"
                  , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                  , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                  , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
+                 , "VULNERABILITY"."OWASPRRVECTOR"
                  , "VULNERABILITY"."EPSSSCORE"
                  , "VULNERABILITY"."EPSSPERCENTILE"
                  , "VULNERABILITY"."CWES"
+                 , "VULNERABILITY"."REFERENCES"
+                 , "VULNERABILITY"."PUBLISHED"
                  , "FINDINGATTRIBUTION"."ANALYZERIDENTITY"
                  , "FINDINGATTRIBUTION"."ATTRIBUTED_ON"
                  , "FINDINGATTRIBUTION"."ALT_ID"
@@ -125,21 +131,26 @@ public class Finding implements Serializable {
                  , "VULNERABILITY"."RECOMMENDATION"
                  , "VULNERABILITY"."SEVERITY"
                  , "VULNERABILITY"."CVSSV2BASESCORE"
+                 , "VULNERABILITY"."CVSSV2VECTOR"
                  , "VULNERABILITY"."CVSSV3BASESCORE"
+                 , "VULNERABILITY"."CVSSV3VECTOR"
                  , "VULNERABILITY"."CVSSV4SCORE"
+                 , "VULNERABILITY"."CVSSV4VECTOR"
                  , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                  , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                  , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
+                 , "VULNERABILITY"."OWASPRRVECTOR"
                  , "VULNERABILITY"."EPSSSCORE"
                  , "VULNERABILITY"."EPSSPERCENTILE"
                  , "VULNERABILITY"."CWES"
+                 , "VULNERABILITY"."REFERENCES"
+                 , "VULNERABILITY"."PUBLISHED"
                  , "FINDINGATTRIBUTION"."ANALYZERIDENTITY"
                  , "FINDINGATTRIBUTION"."ATTRIBUTED_ON"
                  , "FINDINGATTRIBUTION"."ALT_ID"
                  , "FINDINGATTRIBUTION"."REFERENCE_URL"
                  , "ANALYSIS"."STATE"
                  , "ANALYSIS"."SUPPRESSED"
-                 , "VULNERABILITY"."PUBLISHED"
                  , "PROJECT"."UUID"
                  , "PROJECT"."NAME"
                  , "PROJECT"."VERSION"
@@ -197,35 +208,47 @@ public Finding(UUID project, Object... o) {
         } else {
             optValue(vulnerability, "recommendation", o[13]);
         }
-        final Severity severity = VulnerabilityUtil.getSeverity(o[14], (BigDecimal) o[15], (BigDecimal) o[16], (BigDecimal) o[17], (BigDecimal) o[18], (BigDecimal) o[19], (BigDecimal) o[20]);
+        final Severity severity = VulnerabilityUtil.getSeverity(o[14], (BigDecimal) o[15], (BigDecimal) o[17], (BigDecimal) o[19], (BigDecimal) o[21], (BigDecimal) o[22], (BigDecimal) o[23]);
         optValue(vulnerability, "cvssV2BaseScore", o[15]);
-        optValue(vulnerability, "cvssV3BaseScore", o[16]);
-        optValue(vulnerability, "cvssV4Score", o[17]);
-        optValue(vulnerability, "owaspLikelihoodScore", o[18]);
-        optValue(vulnerability, "owaspTechnicalImpactScore", o[19]);
-        optValue(vulnerability, "owaspBusinessImpactScore", o[20]);
+        optValue(vulnerability, "cvssV2Vector", o[16]);
+        optValue(vulnerability, "cvssV3BaseScore", o[17]);
+        optValue(vulnerability, "cvssV3Vector", o[18]);
+        optValue(vulnerability, "cvssV4Score", o[19]);
+        optValue(vulnerability, "cvssV4Vector", o[20]);
+        optValue(vulnerability, "owaspLikelihoodScore", o[21]);
+        optValue(vulnerability, "owaspTechnicalImpactScore", o[22]);
+        optValue(vulnerability, "owaspBusinessImpactScore", o[23]);
+        optValue(vulnerability, "owaspRRVector", o[24]);
         optValue(vulnerability, "severity", severity.name());
         optValue(vulnerability, "severityRank", severity.ordinal());
-        optValue(vulnerability, "epssScore", o[21]);
-        optValue(vulnerability, "epssPercentile", o[22]);
-        final List<Cwe> cwes = getCwes(o[23]);
+        optValue(vulnerability, "epssScore", o[25]);
+        optValue(vulnerability, "epssPercentile", o[26]);
+        final List<Cwe> cwes = getCwes(o[27]);
         if (cwes != null && !cwes.isEmpty()) {
             // Ensure backwards-compatibility with DT < 4.5.0. Remove this in v5!
             optValue(vulnerability, "cweId", cwes.get(0).getCweId());
             optValue(vulnerability, "cweName", cwes.get(0).getName());
         }
         optValue(vulnerability, "cwes", cwes);
-        optValue(attribution, "analyzerIdentity", o[24]);
-        optValue(attribution, "attributedOn", o[25]);
-        optValue(attribution, "alternateIdentifier", o[26]);
-        optValue(attribution, "referenceUrl", o[27]);
 
-        optValue(analysis, "state", o[28]);
-        optValue(analysis, "isSuppressed", o[29], false);
-        if (o.length > 31) {
-            optValue(vulnerability, "published", o[30]);
-            optValue(component, "projectName", o[32]);
-            optValue(component, "projectVersion", o[33]);
+        if (o[28] instanceof final Clob clob) {
+            optValue(vulnerability, "references", toString(clob));
+        } else {
+            optValue(vulnerability, "references", o[28]);
+        }
+        optValue(vulnerability, "published", o[29]);
+
+        optValue(attribution, "analyzerIdentity", o[30]);
+        optValue(attribution, "attributedOn", o[31]);
+        optValue(attribution, "alternateIdentifier", o[32]);
+        optValue(attribution, "referenceUrl", o[33]);
+
+        optValue(analysis, "state", o[34]);
+        optValue(analysis, "isSuppressed", o[35], false);
+
+        if (o.length > 36) {
+            optValue(component, "projectName", o[37]);
+            optValue(component, "projectVersion", o[38]);
         }
     }
 

src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java

@@ -137,7 +137,7 @@ public PaginatedResult getAllFindings(final Map<String, String> filters, final b
         final List<Object[]> list = totalList.subList(this.pagination.getOffset(), Math.min(this.pagination.getOffset() + this.pagination.getLimit(), totalList.size()));
         final List<Finding> findings = new ArrayList<>();
         for (final Object[] o : list) {
-            final Finding finding = new Finding(UUID.fromString((String) o[31]), o);
+            final Finding finding = new Finding(UUID.fromString((String) o[36]), o);
             final Component component = getObjectByUuid(Component.class, (String) finding.getComponent().get("uuid"));
             final Vulnerability vulnerability = getObjectByUuid(Vulnerability.class, (String) finding.getVulnerability().get("uuid"));
             final Analysis analysis = getAnalysis(component, vulnerability);
@@ -147,6 +147,12 @@ public PaginatedResult getAllFindings(final Map<String, String> filters, final b
             // These are CLOB fields. Handle these here so that database-specific deserialization doesn't need to be performed (in Finding)
             finding.getVulnerability().put("description", vulnerability.getDescription());
             finding.getVulnerability().put("recommendation", vulnerability.getRecommendation());
+            finding.getVulnerability().put("references", vulnerability.getReferences());
+            finding.getVulnerability().put("cvssV2Vector", vulnerability.getCvssV2Vector());
+            finding.getVulnerability().put("cvssV3Vector", vulnerability.getCvssV3Vector());
+            finding.getVulnerability().put("cvssV4Vector", vulnerability.getCvssV4Vector());
+            finding.getVulnerability().put("owaspRRVector", vulnerability.getOwaspRRVector());
+
             final PackageURL purl = component.getPurl();
             if (purl != null) {
                 final RepositoryType type = RepositoryType.resolve(purl);
@@ -255,16 +261,21 @@ private void processFilters(Map<String, String> filters, StringBuilder queryFilt
                            , "VULNERABILITY"."TITLE"
                            , "VULNERABILITY"."SEVERITY"
                            , "VULNERABILITY"."CVSSV2BASESCORE"
+                           , "VULNERABILITY"."CVSSV2VECTOR"
                            , "VULNERABILITY"."CVSSV3BASESCORE"
+                           , "VULNERABILITY"."CVSSV3VECTOR"
                            , "VULNERABILITY"."CVSSV4SCORE"
+                           , "VULNERABILITY"."CVSSV4VECTOR"
                            , "VULNERABILITY"."EPSSSCORE"
                            , "VULNERABILITY"."EPSSPERCENTILE"
                            , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                            , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                            , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
+                           , "VULNERABILITY"."OWASPRRVECTOR"
                            , "FINDINGATTRIBUTION"."ANALYZERIDENTITY"
                            , "VULNERABILITY"."PUBLISHED"
                            , "VULNERABILITY"."CWES"
+                           , "VULNERABILITY"."REFERENCES"
                     """);
             StringBuilder aggregateFilter = new StringBuilder();
             processAggregateFilters(filters, aggregateFilter, params);

src/test/java/org/dependencytrack/integrations/FindingPackagingFormatTest.java

@@ -70,15 +70,57 @@ void testFindingsVulnerabilityAndAliases() {
 
         Finding findingWithoutAlias = new Finding(project.getUuid(), "component-uuid-1", "component-name-1", "component-group",
                 "component-version", "Optional","component-purl", "component-cpe", "vuln-uuid", Vulnerability.Source.GITHUB, "vuln-vulnId-1", "vuln-title",
-                "vuln-subtitle", "vuln-description", "vuln-recommendation", Severity.CRITICAL, BigDecimal.valueOf(7.2), BigDecimal.valueOf(8.4),
-                null, BigDecimal.valueOf(1.25), BigDecimal.valueOf(1.75), BigDecimal.valueOf(1.3),
-                "0.5", "0.9", null, AnalyzerIdentity.OSSINDEX_ANALYZER, new Date(), null, null, AnalysisState.NOT_AFFECTED, true);
+                "vuln-subtitle", "vuln-description", "vuln-recommendation",
+                Severity.CRITICAL, // 14
+                BigDecimal.valueOf(7.2), // 15
+                "vector2", // 16
+                BigDecimal.valueOf(8.4), // 17
+                "vector3", // 18
+                null, // 19
+                null, // 20
+                BigDecimal.valueOf(1.25), // 21
+                BigDecimal.valueOf(1.75), // 22
+                BigDecimal.valueOf(1.3), // 23
+                null, // 24
+                BigDecimal.valueOf(0.5), // 25
+                BigDecimal.valueOf(0.9), // 26
+                "787", // 27
+                "references", // 28
+                new Date(), // 29
+                AnalyzerIdentity.OSSINDEX_ANALYZER, // 30
+                new Date(), // 31
+                null, // 32
+                null, // 33
+                AnalysisState.NOT_AFFECTED, // 34
+                true // 35
+        );
 
         Finding findingWithAlias = new Finding(project.getUuid(), "component-uuid-2", "component-name-2", "component-group",
                 "component-version", "Required","component-purl", "component-cpe", "vuln-uuid", Vulnerability.Source.NVD, "vuln-vulnId-2", "vuln-title",
-                "vuln-subtitle", "vuln-description", "vuln-recommendation", Severity.HIGH, BigDecimal.valueOf(7.2), BigDecimal.valueOf(8.4),
-                null, BigDecimal.valueOf(1.25), BigDecimal.valueOf(1.75), BigDecimal.valueOf(1.3),
-                "0.5", "0.9", null, AnalyzerIdentity.INTERNAL_ANALYZER, new Date(), null, null, AnalysisState.NOT_AFFECTED, true);
+                "vuln-subtitle", "vuln-description", "vuln-recommendation",
+                Severity.HIGH, // 14
+                BigDecimal.valueOf(7.2), // 15
+                "vector2", // 16
+                BigDecimal.valueOf(8.4), // 17
+                "vector3", // 18
+                null, // 19
+                null, // 20
+                BigDecimal.valueOf(1.25), // 21
+                BigDecimal.valueOf(1.75), // 22
+                BigDecimal.valueOf(1.3), // 23
+                null, // 24
+                BigDecimal.valueOf(0.5), // 25
+                BigDecimal.valueOf(0.9), // 26
+                "787", // 27
+                "references", // 28
+                new Date(), // 29
+                AnalyzerIdentity.INTERNAL_ANALYZER, // 30
+                new Date(), // 31
+                null, // 32
+                null, // 33
+                AnalysisState.NOT_AFFECTED, // 34
+                true // 35
+        );
 
         var alias = new VulnerabilityAlias();
         alias.setCveId("someCveId");

src/test/java/org/dependencytrack/model/FindingTest.java

@@ -36,9 +36,30 @@ class FindingTest extends PersistenceCapableTest {
     private final Date attributedOn = new Date();
     private final Finding finding = new Finding(projectUuid, "component-uuid", "component-name", "component-group",
             "component-version", "Required","component-purl", "component-cpe", "vuln-uuid", "vuln-source", "vuln-vulnId", "vuln-title",
-            "vuln-subtitle", "vuln-description", "vuln-recommendation", Severity.HIGH, BigDecimal.valueOf(7.2), BigDecimal.valueOf(8.4),
-            BigDecimal.valueOf(9.2), BigDecimal.valueOf(1.25), BigDecimal.valueOf(1.75), BigDecimal.valueOf(1.3),
-            "0.5", "0.9", null, AnalyzerIdentity.INTERNAL_ANALYZER, attributedOn, null, null, AnalysisState.NOT_AFFECTED, true);
+            "vuln-subtitle", "vuln-description", "vuln-recommendation",
+            Severity.HIGH, // 14
+            BigDecimal.valueOf(7.2), // 15
+            "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", // 16
+            BigDecimal.valueOf(8.4), // 17
+            "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", // 18
+            BigDecimal.valueOf(9.2), // 19
+            "CVSS:4.0/...", // 20
+            BigDecimal.valueOf(1.25), // 21
+            BigDecimal.valueOf(1.75), // 22
+            BigDecimal.valueOf(1.3), // 23
+            "OWASP_VECTOR", // 24
+            BigDecimal.valueOf(0.5), // 25
+            BigDecimal.valueOf(0.9), // 26
+            "787,79", // 27
+            "vuln-references", // 28
+            attributedOn, // 29
+            AnalyzerIdentity.INTERNAL_ANALYZER, // 30
+            attributedOn, // 31
+            null, // 32
+            null, // 33
+            AnalysisState.NOT_AFFECTED, // 34
+            true // 35
+    );
 
     @Test
     void testComponent() {
@@ -61,13 +82,19 @@ void testVulnerability() {
         //Assertions.assertEquals("vuln-description", map.get("description"));
         //Assertions.assertEquals("vuln-recommendation", map.get("recommendation"));
         Assertions.assertEquals(BigDecimal.valueOf(7.2), map.get("cvssV2BaseScore"));
+        Assertions.assertEquals("CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P", map.get("cvssV2Vector"));
         Assertions.assertEquals(BigDecimal.valueOf(8.4), map.get("cvssV3BaseScore"));
+        Assertions.assertEquals("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", map.get("cvssV3Vector"));
         Assertions.assertEquals(BigDecimal.valueOf(9.2), map.get("cvssV4Score"));
+        Assertions.assertEquals("CVSS:4.0/...", map.get("cvssV4Vector"));
         Assertions.assertEquals(BigDecimal.valueOf(1.25), map.get("owaspLikelihoodScore"));
         Assertions.assertEquals(BigDecimal.valueOf(1.75), map.get("owaspTechnicalImpactScore"));
         Assertions.assertEquals(BigDecimal.valueOf(1.3), map.get("owaspBusinessImpactScore"));
+        Assertions.assertEquals("OWASP_VECTOR", map.get("owaspRRVector"));
         Assertions.assertEquals(Severity.HIGH.name(), map.get("severity"));
         Assertions.assertEquals(1, map.get("severityRank"));
+        Assertions.assertEquals("vuln-references", map.get("references"));
+        Assertions.assertEquals(attributedOn, map.get("published"));
     }
 
     @Test
@@ -103,5 +130,4 @@ void testGetCwesWhenInputIsEmpty() {
     void testGetCwesWhenInputIsNull() {
         assertThat(Finding.getCwes(null)).isNull();
     }
-
 }