
Commit 36543b5

authored
fix: Correct CVSSv4 parsing for low precision OSSIndex values (#7935)
Signed-off-by: Chad Wilson <[email protected]>
1 parent ebee56e commit 36543b5

2 files changed

+80
-101
lines changed


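--- a/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
+++ b/core/src/main/java/org/owasp/dependencycheck/utils/CvssUtil.java
@@ -229,14 +229,14 @@ public static CvssV3 vectorToCvssV3(String vectorString, Double baseScore) {
         return cvss;
     }
 
-    private static CvssV4Data.SeverityType toSeverityType(double baseScore) {
+    public static CvssV4Data.SeverityType cvssV4ScoreToSeverity(double baseScore) {
         if (baseScore == 0.0) {
             return CvssV4Data.SeverityType.NONE;
-        } else if (baseScore >= 0.1 && baseScore <= 3.9) {
+        } else if (baseScore > 0.0 && baseScore < 4.0) {
             return CvssV4Data.SeverityType.LOW;
-        } else if (baseScore >= 4.0 && baseScore <= 6.9) {
+        } else if (baseScore >= 4.0 && baseScore < 7.0) {
             return CvssV4Data.SeverityType.MEDIUM;
-        } else if (baseScore >= 7.0 && baseScore <= 8.9) {
+        } else if (baseScore >= 7.0 && baseScore < 9.0) {
             return CvssV4Data.SeverityType.HIGH;
         } else if (baseScore >= 9.0 && baseScore <= 10.0) {
             return CvssV4Data.SeverityType.CRITICAL;
@@ -300,7 +300,7 @@ public static CvssV4 vectorToCvssV4(String source, CvssV4.Type type, Double base
         CvssV4Data.VulnerabilityResponseEffortType vulnerabilityResponseEffort = values.containsKey("RE") ? CvssV4Data.VulnerabilityResponseEffortType.fromValue(values.get("RE")) : CvssV4Data.VulnerabilityResponseEffortType.NOT_DEFINED;
         CvssV4Data.ProviderUrgencyType providerUrgency = values.containsKey("U") ? CvssV4Data.ProviderUrgencyType.fromValue(values.get("U")) : CvssV4Data.ProviderUrgencyType.NOT_DEFINED;
 
-        CvssV4Data.SeverityType baseSeverity = toSeverityType(baseScore);
+        CvssV4Data.SeverityType baseSeverity = cvssV4ScoreToSeverity(baseScore);
         // Scores and severities are not present in the vector string, set to null/defaults
         Double threatScore = null;
         CvssV4Data.SeverityType threatSeverity = null;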
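Review bot: `cvssV4ScoreToSeverity` is promoted to public on line 232 without Javadoc, although the sibling `cvssV2ScoreToSeverity`/`cvssV3ScoreToSeverity` are documented (the tests describe them as such). Suggest a Javadoc on the order of `/** Maps a CVSS v4 base score in [0.0, 10.0] to its qualitative severity; the bands are half-open so scores that are not exactly representable (e.g. 6.9f widened to double) still fall into the intended band. @throws IllegalArgumentException if the score is outside [0.0, 10.0] */` — the out-of-range branch is outside the hunk, and the exception type is taken from the accompanying test. Separately, `vectorToCvssV4` takes a boxed `Double baseScore` and passes it to the `double` parameter on line 303, so a null score from a feed would surface as a NullPointerException at the unboxing rather than a descriptive error; `Objects.requireNonNull(baseScore, "baseScore")` before the call, or a documented non-null contract, would make that failure explicit. Both enclosing methods extend beyond the hunks shown.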

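--- a/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
+++ b/core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java
@@ -21,10 +21,13 @@
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2Data;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3Data;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data;
 import org.junit.jupiter.api.Test;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 /**
  *
@@ -56,109 +59,37 @@ void testVectorToCvssV2() {
      */
     @Test
     void testCvssV2ScoreToSeverity() {
-        Double score = -1.0;
-        String expResult = "UNKNOWN";
-        String result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 0.0;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 1.0;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 3.9;
-        expResult = "LOW";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 4.0;
-        expResult = "MEDIUM";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 6.9;
-        expResult = "MEDIUM";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 7.0;
-        expResult = "HIGH";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 10.0;
-        expResult = "HIGH";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 11.0;
-        expResult = "UNKNOWN";
-        result = CvssUtil.cvssV2ScoreToSeverity(score);
-        assertEquals(expResult, result);
+        assertEquals("UNKNOWN", CvssUtil.cvssV2ScoreToSeverity(-1.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(0.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(0.05));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(1.0));
+        assertEquals("LOW", CvssUtil.cvssV2ScoreToSeverity(3.9));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity(4.0));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity(6.9));
+        assertEquals("MEDIUM", CvssUtil.cvssV2ScoreToSeverity((double) 6.9f)); // test low-precision floating point values
+        assertEquals("HIGH", CvssUtil.cvssV2ScoreToSeverity(7.0));
+        assertEquals("HIGH", CvssUtil.cvssV2ScoreToSeverity(10.0));
+        assertEquals("UNKNOWN", CvssUtil.cvssV2ScoreToSeverity(11.0));
     }
 
     /**
      * Test of cvssV3ScoreToSeverity method, of class CvssUtil.
      */
     @Test
     void testCvssV3ScoreToSeverity() {
-        Double score = 0.0;
-        CvssV3Data.SeverityType expResult = CvssV3Data.SeverityType.NONE;
-        CvssV3Data.SeverityType result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 1.0;
-        expResult = CvssV3Data.SeverityType.LOW;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 3.9;
-        expResult = CvssV3Data.SeverityType.LOW;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 4.0;
-        expResult = CvssV3Data.SeverityType.MEDIUM;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 6.9;
-        expResult = CvssV3Data.SeverityType.MEDIUM;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 7.0;
-        expResult = CvssV3Data.SeverityType.HIGH;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 8.9;
-        expResult = CvssV3Data.SeverityType.HIGH;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 9.0;
-        expResult = CvssV3Data.SeverityType.CRITICAL;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 10.0;
-        expResult = CvssV3Data.SeverityType.CRITICAL;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertEquals(expResult, result);
-
-        score = 11.0;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertNull(result);
-
-        score = -1.0;
-        result = CvssUtil.cvssV3ScoreToSeverity(score);
-        assertNull(result);
+        assertEquals(CvssV3Data.SeverityType.NONE, CvssUtil.cvssV3ScoreToSeverity(0.0));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(0.05));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(1.0));
+        assertEquals(CvssV3Data.SeverityType.LOW, CvssUtil.cvssV3ScoreToSeverity(3.9));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity(4.0));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity(6.9));
+        assertEquals(CvssV3Data.SeverityType.MEDIUM, CvssUtil.cvssV3ScoreToSeverity((double) 6.9f)); // test low-precision floating point values
+        assertEquals(CvssV3Data.SeverityType.HIGH, CvssUtil.cvssV3ScoreToSeverity(7.0));
+        assertEquals(CvssV3Data.SeverityType.HIGH, CvssUtil.cvssV3ScoreToSeverity(8.9));
+        assertEquals(CvssV3Data.SeverityType.CRITICAL, CvssUtil.cvssV3ScoreToSeverity(9.0));
+        assertEquals(CvssV3Data.SeverityType.CRITICAL, CvssUtil.cvssV3ScoreToSeverity(10.0));
+        assertNull(CvssUtil.cvssV3ScoreToSeverity(11.0));
+        assertNull(CvssUtil.cvssV3ScoreToSeverity(-1.0));
     }
 
     /**
@@ -182,4 +113,52 @@ void testVectorToCvssV3() {
         assertEquals(10.0, result.getCvssData().getBaseScore(), 0);
     }
 
+    /**
+     * Test of cvssV4ScoreToSeverity method, of class CvssUtil.
+     */
+    @Test
+    void testCvssV4ScoreToSeverity() {
+        assertEquals(CvssV4Data.SeverityType.NONE, CvssUtil.cvssV4ScoreToSeverity(0.0));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(0.05));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(1.0));
+        assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity(3.9));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(4.0));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(6.9));
+        assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity(6.9f)); // test low-precision floating point values
+        assertEquals(CvssV4Data.SeverityType.HIGH, CvssUtil.cvssV4ScoreToSeverity(7.0));
+        assertEquals(CvssV4Data.SeverityType.HIGH, CvssUtil.cvssV4ScoreToSeverity(8.9));
+        assertEquals(CvssV4Data.SeverityType.CRITICAL, CvssUtil.cvssV4ScoreToSeverity(9.0));
+        assertEquals(CvssV4Data.SeverityType.CRITICAL, CvssUtil.cvssV4ScoreToSeverity(10.0));
+        assertThrows(IllegalArgumentException.class, () -> CvssUtil.cvssV4ScoreToSeverity(11.0));
+        assertThrows(IllegalArgumentException.class, () -> CvssUtil.cvssV4ScoreToSeverity(-1.0));
+    }
+
+    /**
+     * Test of vectorToCvssV4 method, of class CvssUtil.
+     */
+    @Test
+    void testVectorToCvssV4() {
+        String vectorString = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N";
+        Double baseScore = 8.2;
+        String source = "ossIndex";
+        CvssV4.Type type = CvssV4.Type.PRIMARY;
+        CvssV4 result = CvssUtil.vectorToCvssV4(source, type, baseScore, vectorString);
+        assertEquals(CvssV4Data.Version._4_0, result.getCvssData().getVersion());
+        assertEquals(source, result.getSource());
+        assertEquals(type, result.getType());
+        assertEquals(CvssV4Data.AttackVectorType.NETWORK, result.getCvssData().getAttackVector());
+        assertEquals(CvssV4Data.AttackComplexityType.LOW, result.getCvssData().getAttackComplexity());
+        assertEquals(CvssV4Data.AttackRequirementsType.PRESENT, result.getCvssData().getAttackRequirements());
+        assertEquals(CvssV4Data.PrivilegesRequiredType.NONE, result.getCvssData().getPrivilegesRequired());
+        assertEquals(CvssV4Data.UserInteractionType.NONE, result.getCvssData().getUserInteraction());
+        assertEquals(CvssV4Data.CiaType.HIGH, result.getCvssData().getVulnConfidentialityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getVulnIntegrityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getVulnAvailabilityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubConfidentialityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubIntegrityImpact());
+        assertEquals(CvssV4Data.CiaType.NONE, result.getCvssData().getSubAvailabilityImpact());
+        assertEquals(CvssV4Data.SeverityType.HIGH, result.getCvssData().getBaseSeverity());
+        assertEquals(8.2, result.getCvssData().getBaseScore(), 0);
+    }
+
 }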
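Review bot: Line 127 of the new `testCvssV4ScoreToSeverity` passes the float literal `6.9f` directly, while the v2/v3 tests on lines 69 and 86 write `(double) 6.9f`; the widening is implicit either way, but the explicit cast makes the low-precision probe visible and keeps the three tests consistent — `assertEquals(CvssV4Data.SeverityType.MEDIUM, CvssUtil.cvssV4ScoreToSeverity((double) 6.9f));`. The v4 test also exercises only the 6.9 band edge, yet the replaced `<= 3.9` bound had the same weakness, since `3.9f` widens to a double slightly above 3.9 and would previously have fallen through to the out-of-range branch; adding `assertEquals(CvssV4Data.SeverityType.LOW, CvssUtil.cvssV4ScoreToSeverity((double) 3.9f));` pins that edge so a future tightening of the comparison cannot silently reclassify a LOW finding as an error. The same probe would be worthwhile in the v2/v3 tests on lines 66 and 83 if those utilities share the inclusive-upper-bound shape, which cannot be confirmed from this diff.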
