Add CVSSv4 support to Dependency-Track

src/main/java/org/dependencytrack/model/Finding.java

@@ -77,6 +77,7 @@ public class Finding implements Serializable {
                  , "VULNERABILITY"."SEVERITY"
                  , "VULNERABILITY"."CVSSV2BASESCORE"
                  , "VULNERABILITY"."CVSSV3BASESCORE"
+                 , "VULNERABILITY"."CVSSV4BASESCORE"
                  , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                  , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                  , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
@@ -125,6 +126,7 @@ public class Finding implements Serializable {
                  , "VULNERABILITY"."SEVERITY"
                  , "VULNERABILITY"."CVSSV2BASESCORE"
                  , "VULNERABILITY"."CVSSV3BASESCORE"
+                 , "VULNERABILITY"."CVSSV4BASESCORE"
                  , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                  , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                  , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
@@ -195,34 +197,35 @@ public Finding(UUID project, Object... o) {
         } else {
             optValue(vulnerability, "recommendation", o[13]);
         }
-        final Severity severity = VulnerabilityUtil.getSeverity(o[14], (BigDecimal) o[15], (BigDecimal) o[16], (BigDecimal) o[17], (BigDecimal) o[18], (BigDecimal) o[19]);
+        final Severity severity = VulnerabilityUtil.getSeverity(o[14], (BigDecimal) o[15], (BigDecimal) o[16], (BigDecimal) o[17], (BigDecimal) o[18], (BigDecimal) o[19], (BigDecimal) o[20]);
         optValue(vulnerability, "cvssV2BaseScore", o[15]);
         optValue(vulnerability, "cvssV3BaseScore", o[16]);
-        optValue(vulnerability, "owaspLikelihoodScore", o[17]);
-        optValue(vulnerability, "owaspTechnicalImpactScore", o[18]);
-        optValue(vulnerability, "owaspBusinessImpactScore", o[19]);
+        optValue(vulnerability, "cvssV4BaseScore", o[17]);
+        optValue(vulnerability, "owaspLikelihoodScore", o[18]);
+        optValue(vulnerability, "owaspTechnicalImpactScore", o[19]);
+        optValue(vulnerability, "owaspBusinessImpactScore", o[20]);
         optValue(vulnerability, "severity", severity.name());
         optValue(vulnerability, "severityRank", severity.ordinal());
-        optValue(vulnerability, "epssScore", o[20]);
-        optValue(vulnerability, "epssPercentile", o[21]);
-        final List<Cwe> cwes = getCwes(o[22]);
+        optValue(vulnerability, "epssScore", o[21]);
+        optValue(vulnerability, "epssPercentile", o[22]);
+        final List<Cwe> cwes = getCwes(o[23]);
         if (cwes != null && !cwes.isEmpty()) {
             // Ensure backwards-compatibility with DT < 4.5.0. Remove this in v5!
-            optValue(vulnerability, "cweId", cwes.get(0).getCweId());
-            optValue(vulnerability, "cweName", cwes.get(0).getName());
+            optValue(vulnerability, "cweId", cwes.getFirst().getCweId());
+            optValue(vulnerability, "cweName", cwes.getFirst().getName());
         }
         optValue(vulnerability, "cwes", cwes);
-        optValue(attribution, "analyzerIdentity", o[23]);
-        optValue(attribution, "attributedOn", o[24]);
-        optValue(attribution, "alternateIdentifier", o[25]);
-        optValue(attribution, "referenceUrl", o[26]);
+        optValue(attribution, "analyzerIdentity", o[24]);
+        optValue(attribution, "attributedOn", o[25]);
+        optValue(attribution, "alternateIdentifier", o[26]);
+        optValue(attribution, "referenceUrl", o[27]);
 
-        optValue(analysis, "state", o[27]);
-        optValue(analysis, "isSuppressed", o[28], false);
-        if (o.length > 30) {
-            optValue(vulnerability, "published", o[29]);
-            optValue(component, "projectName", o[31]);
-            optValue(component, "projectVersion", o[32]);
+        optValue(analysis, "state", o[28]);
+        optValue(analysis, "isSuppressed", o[29], false);
+        if (o.length > 31) {
+            optValue(vulnerability, "published", o[30]);
+            optValue(component, "projectName", o[32]);
+            optValue(component, "projectVersion", o[33]);
         }
     }
 

src/main/java/org/dependencytrack/model/GroupedFinding.java

@@ -47,6 +47,7 @@ public class GroupedFinding implements Serializable {
                  , "VULNERABILITY"."SEVERITY"
                  , "VULNERABILITY"."CVSSV2BASESCORE"
                  , "VULNERABILITY"."CVSSV3BASESCORE"
+                 , "VULNERABILITY"."CVSSV4BASESCORE"
                  , "VULNERABILITY"."OWASPRRLIKELIHOODSCORE"
                  , "VULNERABILITY"."OWASPRRTECHNICALIMPACTSCORE"
                  , "VULNERABILITY"."OWASPRRBUSINESSIMPACTSCORE"
@@ -77,13 +78,14 @@ public GroupedFinding(Object ...o) {
         optValue(vulnerability, "source", o[0]);
         optValue(vulnerability, "vulnId", o[1]);
         optValue(vulnerability, "title", o[2]);
-        optValue(vulnerability, "severity", VulnerabilityUtil.getSeverity(o[3], (BigDecimal) o[4], (BigDecimal) o[5], (BigDecimal) o[6], (BigDecimal) o[7], (BigDecimal) o[8]));
+        optValue(vulnerability, "severity", VulnerabilityUtil.getSeverity(o[3], (BigDecimal) o[4], (BigDecimal) o[5], (BigDecimal) o[6], (BigDecimal) o[7], (BigDecimal) o[8], (BigDecimal) o[9]));
         optValue(vulnerability, "cvssV2BaseScore", o[4]);
         optValue(vulnerability, "cvssV3BaseScore", o[5]);
-        optValue(attribution, "analyzerIdentity", o[9]);
-        optValue(vulnerability, "published", o[10]);
-        optValue(vulnerability, "cwes", Finding.getCwes(o[11]));
-        optValue(vulnerability, "affectedProjectCount", o[12]);
+        optValue(vulnerability, "cvssV4BaseScore", o[6]);
+        optValue(attribution, "analyzerIdentity", o[10]);
+        optValue(vulnerability, "published", o[11]);
+        optValue(vulnerability, "cwes", Finding.getCwes(o[12]));
+        optValue(vulnerability, "affectedProjectCount", o[13]);
     }
 
     public Map<String, Object> getVulnerability() {

src/main/java/org/dependencytrack/model/Vulnerability.java

@@ -284,6 +284,24 @@ public static Source resolve(String id) {
     @Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS_PLUS, message = "The CVSSv3 Vector may only contain printable characters")
     private String cvssV3Vector;
 
+    @Persistent
+    @Column(name = "CVSSV4BASESCORE", scale = 1)
+    private BigDecimal cvssV4BaseScore;
+
+    @Persistent
+    @Column(name = "CVSSV4THREATSCORE", scale = 1)
+    private BigDecimal cvssV4ThreatScore;
+
+    @Persistent
+    @Column(name = "CVSSV4ENVIRONMENTALSCORE", scale = 1)
+    private BigDecimal cvssV4EnvironmentalScore;
+
+    @Persistent
+    @Column(name = "CVSSV4VECTOR")
+    @JsonDeserialize(using = TrimmedStringDeserializer.class)
+    @Pattern(regexp = RegexSequence.Definition.PRINTABLE_CHARS_PLUS, message = "The CVSSv4 Vector may only contain printable characters")
+    private String cvssV4Vector;
+
     @Persistent
     @Column(name = "OWASPRRLIKELIHOODSCORE", scale = 1)
     private BigDecimal owaspRRLikelihoodScore;
@@ -643,6 +661,38 @@ public void setCvssV3Vector(String cvssV3Vector) {
         this.cvssV3Vector = cvssV3Vector;
     }
 
+    public BigDecimal getCvssV4BaseScore() {
+        return cvssV4BaseScore;
+    }
+
+    public void setCvssV4BaseScore(BigDecimal cvssV4BaseScore) {
+        this.cvssV4BaseScore = cvssV4BaseScore;
+    }
+
+    public BigDecimal getCvssV4ThreatScore() {
+        return cvssV4ThreatScore;
+    }
+
+    public void setCvssV4ThreatScore(BigDecimal cvssV4ThreatScore) {
+        this.cvssV4ThreatScore = cvssV4ThreatScore;
+    }
+
+    public BigDecimal getCvssV4EnvironmentalScore() {
+        return cvssV4EnvironmentalScore;
+    }
+
+    public void setCvssV4EnvironmentalScore(BigDecimal cvssV4EnvironmentalScore) {
+        this.cvssV4EnvironmentalScore = cvssV4EnvironmentalScore;
+    }
+
+    public String getCvssV4Vector() {
+        return cvssV4Vector;
+    }
+
+    public void setCvssV4Vector(String cvssV4Vector) {
+        this.cvssV4Vector = cvssV4Vector;
+    }
+
     public BigDecimal getEpssScore() {
         return epssScore;
     }
@@ -791,6 +841,25 @@ public void applyV3Score(CvssVector cvss) {
         setCvssV3Vector(cvss.toString());
     }
 
+    public void applyV4Score(CvssVector cvss) {
+        Objects.requireNonNull(cvss, "CVSS vector cannot be null");
+
+        final var score = cvss.getBakedScores();
+        setCvssV4BaseScore(BigDecimal.valueOf(score.getBaseScore()));
+
+        final var threatScore = score.getThreatScore();
+        if (!Double.isNaN(threatScore)) {
+            setCvssV4ThreatScore(BigDecimal.valueOf(threatScore));
+        }
+
+        final var envScore = score.getEnvironmentalScore();
+        if (!Double.isNaN(envScore)) {
+            setCvssV4EnvironmentalScore(BigDecimal.valueOf(envScore));
+        }
+
+        setCvssV4Vector(cvss.toString());
+    }
+
     @Override
     public String toString() {
         return "Vulnerability(sourde=%s, vulnId=%s)".formatted(getSource(), getVulnId());

src/main/java/org/dependencytrack/parser/cyclonedx/util/ModelConverter.java

@@ -834,6 +834,18 @@ public static Service convert(final QueryManager qm, final ServiceComponent serv
         return cycloneService;
     }
 
+    private static org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity convertCvss3Or4ScoretoCdxSeverity(double score) {
+        if (score >= 9.0) {
+            return org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.CRITICAL;
+        } else if (score >= 7.0) {
+            return org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.HIGH;
+        } else if (score >= 4.0) {
+            return org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.MEDIUM;
+        } else {
+            return org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.LOW;
+        }
+    }
+
     public static org.cyclonedx.model.vulnerability.Vulnerability convert(final QueryManager qm, final CycloneDXExporter.Variant variant,
                                                                           final Finding finding) {
         final Component component = qm.getObjectByUuid(Component.class, (String)finding.getComponent().get("uuid"));
@@ -872,15 +884,16 @@ public static org.cyclonedx.model.vulnerability.Vulnerability convert(final Quer
             }
             rating.setScore(vulnerability.getCvssV3BaseScore().doubleValue());
             rating.setVector(vulnerability.getCvssV3Vector());
-            if (rating.getScore() >= 9.0) {
-                rating.setSeverity(org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.CRITICAL);
-            } else if (rating.getScore() >= 7.0) {
-                rating.setSeverity(org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.HIGH);
-            } else if (rating.getScore() >= 4.0) {
-                rating.setSeverity(org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.MEDIUM);
-            } else {
-                rating.setSeverity(org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity.LOW);
-            }
+            rating.setSeverity(ModelConverter.convertCvss3Or4ScoretoCdxSeverity(rating.getScore()));
+            cdxVulnerability.addRating(rating);
+        }
+        if (vulnerability.getCvssV4BaseScore() != null) {
+            org.cyclonedx.model.vulnerability.Vulnerability.Rating rating = new org.cyclonedx.model.vulnerability.Vulnerability.Rating();
+            rating.setSource(convertDtVulnSourceToCdxVulnSource(Vulnerability.Source.valueOf(vulnerability.getSource())));
+            rating.setMethod(org.cyclonedx.model.vulnerability.Vulnerability.Rating.Method.CVSSV4);
+            rating.setScore(vulnerability.getCvssV4BaseScore().doubleValue());
+            rating.setVector(vulnerability.getCvssV4Vector());
+            rating.setSeverity(ModelConverter.convertCvss3Or4ScoretoCdxSeverity(rating.getScore()));
             cdxVulnerability.addRating(rating);
         }
         if (vulnerability.getOwaspRRLikelihoodScore() != null && vulnerability.getOwaspRRTechnicalImpactScore() != null && vulnerability.getOwaspRRBusinessImpactScore() != null) {
@@ -891,7 +904,7 @@ public static org.cyclonedx.model.vulnerability.Vulnerability convert(final Quer
             rating.setVector(vulnerability.getOwaspRRVector());
             cdxVulnerability.addRating(rating);
         }
-        if (vulnerability.getCvssV2BaseScore() == null && vulnerability.getCvssV3BaseScore() == null && vulnerability.getOwaspRRLikelihoodScore() == null) {
+        if (vulnerability.getCvssV2BaseScore() == null && vulnerability.getCvssV3BaseScore() == null && vulnerability.getCvssV4BaseScore() == null && vulnerability.getOwaspRRLikelihoodScore() == null) {
             org.cyclonedx.model.vulnerability.Vulnerability.Rating rating = new org.cyclonedx.model.vulnerability.Vulnerability.Rating();
             rating.setSeverity(convertDtSeverityToCdxSeverity(vulnerability.getSeverity()));
             rating.setSource(convertDtVulnSourceToCdxVulnSource(Vulnerability.Source.valueOf(vulnerability.getSource())));

src/main/java/org/dependencytrack/parser/github/ModelConverter.java

@@ -88,14 +88,19 @@
                     vuln.applyV3Score(parsedCvssV3);
                 }
             }
-
-            // TODO: advisory.getCvssSeverities().getCvssV4()
-            //  Requires CVSSv4 support in the DT data model.
+            final var cvssv4 = advisory.getCvssSeverities().getCvssV4();
+            if (cvssv4 != null) {
+                final var parsedCvssV4 = CvssUtil.parse(cvssv4.getVectorString());
+                if (parsedCvssV4 != null) {
+                    vuln.applyV4Score(parsedCvssV4);
+                }
+            }
 
             vuln.setSeverity(VulnerabilityUtil.getSeverity(
                     vuln.getSeverity(),
                     vuln.getCvssV2BaseScore(),
                     vuln.getCvssV3BaseScore(),
+                    vuln.getCvssV4BaseScore(),
                     vuln.getOwaspRRLikelihoodScore(),
                     vuln.getOwaspRRTechnicalImpactScore(),
                     vuln.getOwaspRRBusinessImpactScore()));

src/main/java/org/dependencytrack/parser/nvd/api20/ModelConverter.java

@@ -24,6 +24,7 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CveItem;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
 import io.github.jeremylong.openvulnerability.client.nvd.LangString;
 import io.github.jeremylong.openvulnerability.client.nvd.Metrics;
 import io.github.jeremylong.openvulnerability.client.nvd.Node;
@@ -169,9 +170,32 @@ private static void convertCvssMetrics(final Metrics metrics, final Vulnerabilit
             }
         }
 
+        if (metrics.getCvssMetricV40() != null && !metrics.getCvssMetricV40().isEmpty()) {
+            metrics.getCvssMetricV40().sort(comparingInt(metric -> metric.getType().ordinal()));
+
+            for (final CvssV4 metric : metrics.getCvssMetricV40()) {
+                final var cvss = CvssUtil.parse(metric.getCvssData().getVectorString());
+                vuln.setCvssV4Vector(cvss.toString());
+                vuln.setCvssV4BaseScore(BigDecimal.valueOf(metric.getCvssData().getBaseScore()));
+
+                final Double envScore = metric.getCvssData().getEnvironmentalScore();
+                if (envScore != null && !envScore.isNaN()) {
+                    vuln.setCvssV4EnvironmentalScore(BigDecimal.valueOf(envScore));
+                }
+
+                final Double threatScore = metric.getCvssData().getThreatScore();
+                if (threatScore != null && !threatScore.isNaN()) {
+                    vuln.setCvssV4ThreatScore(BigDecimal.valueOf(threatScore));
+                }
+
+                break;
+            }
+        }
+
         vuln.setSeverity(VulnerabilityUtil.getSeverity(
                 vuln.getCvssV2BaseScore(),
                 vuln.getCvssV3BaseScore(),
+                vuln.getCvssV4BaseScore(),
                 vuln.getOwaspRRLikelihoodScore(),
                 vuln.getOwaspRRTechnicalImpactScore(),
                 vuln.getOwaspRRBusinessImpactScore()

src/main/java/org/dependencytrack/parser/osv/OsvAdvisoryParser.java

@@ -96,6 +96,9 @@
                     final JSONObject cvss = cvssList.getJSONObject(i);
                     final String type = cvss.optString("type", null);
                     if (type == null) continue;
+                    if (type.equalsIgnoreCase("CVSS_V4")) {
+                        advisory.setCvssV4Vector(cvss.optString("score", null));
+                    }
                     if (type.equalsIgnoreCase("CVSS_V3")) {
                         advisory.setCvssV3Vector(cvss.optString("score", null));
                     }

src/main/java/org/dependencytrack/parser/osv/model/OsvAdvisory.java

@@ -54,6 +54,8 @@ public class OsvAdvisory {
 
     private String cvssV3Vector;
 
+    private String cvssV4Vector;
+
     public String getId() {
         return id;
     }
@@ -187,6 +189,14 @@ public void setCvssV3Vector(String cvssV3Vector) {
         this.cvssV3Vector = cvssV3Vector;
     }
 
+    public String getCvssV4Vector() {
+        return cvssV4Vector;
+    }
+
+    public void setCvssV4Vector(String cvssV4Vector) {
+        this.cvssV4Vector = cvssV4Vector;
+    }
+
     public List<String> getCredits() {
         return credits;
     }

src/main/java/org/dependencytrack/parser/trivy/TrivyParser.java

@@ -82,12 +82,16 @@ public Vulnerability setCvssScore(CVSS cvss, Vulnerability vulnerability) {
         if (cvss != null) {
             vulnerability.setCvssV2Vector(trimToNull(cvss.getV2Vector()));
             vulnerability.setCvssV3Vector(trimToNull(cvss.getV3Vector()));
+            vulnerability.setCvssV4Vector(trimToNull(cvss.getV40Vector()));
             if (cvss.getV2Score() > 0.0) {
                 vulnerability.setCvssV2BaseScore(BigDecimal.valueOf(cvss.getV2Score()));
             }
             if (cvss.getV3Score() > 0.0) {
                 vulnerability.setCvssV3BaseScore(BigDecimal.valueOf(cvss.getV3Score()));
             }
+            if (cvss.getV40Score() > 0.0) {
+                vulnerability.setCvssV4BaseScore(BigDecimal.valueOf(cvss.getV40Score()));
+            }
         }
 
         return vulnerability;

src/main/java/org/dependencytrack/parser/vulndb/ModelConverter.java

@@ -158,9 +158,13 @@ public static Vulnerability convert(final QueryManager qm, final org.dependencyt
                 break; // Always prefer use of the NVD scoring, if available
             }
         }
+
+        // TODO it doesn't look like VulnDB provides CVSSv4 metics yet.
+
         vuln.setSeverity(VulnerabilityUtil.getSeverity(
                 vuln.getCvssV2BaseScore(),
                 vuln.getCvssV3BaseScore(),
+                vuln.getCvssV4BaseScore(),
                 vuln.getOwaspRRLikelihoodScore(),
                 vuln.getOwaspRRTechnicalImpactScore(),
                 vuln.getOwaspRRBusinessImpactScore()