Include CVSS vectors and metadata in Finding model#5844
AndreVirtimo wants to merge 1 commit into DependencyTrack:master from
Conversation
✅ Snyk checks have passed. No issues have been found so far.
Is this a flaky test? On my local machine the test
Yeah the test seems flaky. I restarted the test workflow.
@nscuro do you have an idea why this test is failing?
@AndreVirtimo Yes, I fixed it via #5859. Please rebase with
Expand the Finding and GroupedFinding objects to include all CVSS vectors (v2, v3, and v4) as well as the OWASP RR vector. Additionally, external references and vulnerability publication dates are included. These fields are now available via the API and in the Finding Packaging Format (FPF) export.

Currently, findings only include numerical scores, which prevents downstream systems like DefectDojo from performing deep vector-based risk assessments. Including advisory links and publication dates further improves vulnerability context and SLA tracking in external management platforms. The addition of all available vectors enhances this capability significantly.

SQL queries, internal mappings (Finding, GroupedFinding), and the persistence layer (FindingsSearchQueryManager) were adjusted to support these new fields. The test suite was updated to ensure compatibility with the modified data structure and shifted result set indices after resolving merge conflicts from the integration of CVSSv4 support.

Signed-off-by: Andre Schlegel-Tylla <andre.schlegel-tylla@virtimo.de>
584182b to 80b43d1
I've rebased the PR to include the CVSS v4 and OWASP RR vectors. Once this is accepted, I'll submit another PR to update the DefectDojo parser.
Description
This PR enhances the Finding model to include critical vulnerability metadata previously missing from API responses and the Finding Packaging Format (FPF) export. It specifically adds CVSS v2/v3 vectors, external references, and the vulnerability publication date to the findings data structure. These additions are necessary to provide better context for downstream integrations, such as DefectDojo, which rely on vector strings for accurate risk assessment and publication dates for SLA tracking.
Addressed Issue
Closes #5843
Additional Details
To implement this enhancement, the following technical adjustments were made:
SQL Updates: The QUERY and QUERY_ALL_FINDINGS constants in Finding.java were expanded to select the new columns from the VULNERABILITY table.
Index Management: Because the result set from the SQL queries is handled as a flat Object[], indices in the Finding constructor and FindingsSearchQueryManager were shifted to accommodate the new columns.
Persistence Layer: FindingsSearchQueryManager was updated to correctly map the project UUID from the new index and include the new fields in the GROUP BY clause for grouped finding queries.
Test Maintenance: The test suite (FindingTest, FindingPackagingFormatTest, and FindingResourceTest) was updated to match the new constructor signatures and verify that the enriched data is correctly serialized in API responses.
Checklist
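As an added example (not code from Dependency-Track, DefectDojo or this PR), this is the kind of downstream consumer the description has in mind: a Python parser for the CVSS v3.x vector strings the change adds to findings, which recomputes the base score with the CVSS v3.1 specification formulas, derives the qualitative severity, and cross-checks the vector against the numeric score shipped beside it. It covers only the v3 vector, not the v2, v4 or OWASP RR vectors the PR also exports. The finding field names cvssV3Vector and cvssV3BaseScore are assumptions made for this example, not the FPF's actual field names, and the sample finding is constructed.

```python
"""Downstream consumer for the CVSS v3.x vector strings a finding export carries.

Added example, not Dependency-Track or DefectDojo code. Parses a CVSS:3.0/3.1
base vector, recomputes the base score per the CVSS v3.1 specification,
maps it to a severity rating, and cross-checks the reported numeric score.
"""
import math
import re

# Metric weights from the CVSS v3.1 specification (Table 8).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Privileges Required weight depends on Scope: (unchanged, changed).
_PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}

_BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/")


def parse_vector(vector: str) -> dict:
    """Return the weighted base metrics of a CVSS v3.0/3.1 vector.

    Rejects an unknown prefix, a missing or duplicate base metric, or an
    unknown metric value with ValueError, so malformed data is not scored.
    """
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v3.x vector: {vector!r}")
    metrics = {}
    for part in vector.split("/")[1:]:
        key, _, value = part.partition(":")
        if key in metrics:
            raise ValueError(f"duplicate metric {key}")
        metrics[key] = value
    missing = [m for m in _BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    try:
        scope = metrics["S"]
        if scope not in ("U", "C"):
            raise KeyError(scope)
        return {
            "AV": _AV[metrics["AV"]], "AC": _AC[metrics["AC"]],
            "PR": _PR[metrics["PR"]][1 if scope == "C" else 0],
            "UI": _UI[metrics["UI"]], "S": scope,
            "C": _CIA[metrics["C"]], "I": _CIA[metrics["I"]], "A": _CIA[metrics["A"]],
        }
    except KeyError as exc:
        raise ValueError(f"unknown metric value: {exc}") from exc


def _roundup(value: float) -> float:
    """Roundup() as defined in CVSS v3.1 (integer arithmetic avoids FP drift)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def base_score(vector: str) -> float:
    """CVSS v3.1 base score (0.0 to 10.0) computed from the vector alone."""
    m = parse_vector(vector)
    iss = 1.0 - (1.0 - m["C"]) * (1.0 - m["I"]) * (1.0 - m["A"])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * m["AV"] * m["AC"] * m["PR"] * m["UI"]
    if impact <= 0:
        return 0.0
    if m["S"] == "U":
        return _roundup(min(impact + exploitability, 10.0))
    return _roundup(min(1.08 * (impact + exploitability), 10.0))


def severity(score: float) -> str:
    """Qualitative severity rating from CVSS v3.1 Table 14."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def check_finding(finding: dict) -> dict:
    """Score a finding from its vector and flag disagreement with its score.

    'cvssV3Vector' and 'cvssV3BaseScore' are assumed names for this example,
    not the field names of Dependency-Track's FPF.
    """
    computed = base_score(finding["cvssV3Vector"])
    reported = float(finding["cvssV3BaseScore"])
    return {"computed": computed, "severity": severity(computed),
            "matches_reported": abs(computed - reported) < 0.05}


if __name__ == "__main__":
    # Constructed sample finding, not real Dependency-Track output.
    sample = {"cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "cvssV3BaseScore": 9.9}
    print(check_finding(sample))
```

The cross-check is the practical payoff of exporting the vector rather than only the score: a consumer can verify that the score it receives is the one the vector implies, and it can re-derive severity under its own policy (for example, treating a scope change differently) instead of trusting an opaque number.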