Skip to content

fix(reports): render CVSSv4 baseScore = 0.0 in JSON+XML reports#8663

Open
chadlwilson wants to merge 1 commit into
dependency-check:mainfrom
chadlwilson:fix-always-render-cvssv4-base-score
Open

fix(reports): render CVSSv4 baseScore = 0.0 in JSON+XML reports#8663
chadlwilson wants to merge 1 commit into
dependency-check:mainfrom
chadlwilson:fix-always-render-cvssv4-base-score

Conversation

@chadlwilson

Copy link
Copy Markdown
Collaborator

Description of Change

Fixes JSON and XML reports to always include CVSS v4.0 baseScore, similar to that for CVSSv2 and CVSSv3.

"cvssv2": {
"score": $vuln.cvssV2.cvssData.baseScore
,"accessVector": "$enc.json($vuln.cvssV2.cvssData.accessVector)"

"cvssv3": {
"baseScore": $vuln.cvssV3.cvssData.baseScore
,"attackVector": "$enc.json($vuln.cvssV3.cvssData.attackVector)"

The model object defines baseScore as non-null/required (despite being a boxed Double) and most other reports assume it is, so should be safe. The DB technically allows it to be null, but many other places assume it is not.

The current check is problematic as Velocity treats 0 as "false" in the check, which omits 0 scores (SeverityType = NONE) which is incorrect.

Seems safe and simplest to remove the check rather than contort Velocity to do an "is non-null" check. Note that there are many other places where the baseScore is taken directly within the #if emptiness check, so suspect this was just generated/propagated across all fields in the data naively. It's already assumed to be there in the HTML and SARIF reports, for example.

#set($cveImpact=$severestVuln.cvssV4.cvssData.baseScore)

#if($vuln.getCvssV4())
CVSSv4:
<ul><li>Base Score: $enc.html($vuln.getCvssV4().getCvssData().getBaseSeverity()) ($vuln.getCvssV4().getCvssData().getBaseScore())</li>
<li>Vector: $enc.html($vuln.getCvssV4().toString())</li></ul>
#end

Related issues

Have test cases been added to cover the new functionality?

no

Our own code defines `baseScore` as non-null (despite being a boxed Double) and most other reports assume it is, so should be safe. The current check is problematic as Velocity treats 0 as "false" in the check, which omits 0 scores (SeverityType = NONE) which is incorrect.

Seems safe and simplest to change things like this rather than contort Velocity to do a "is non-null" check. Note that there are many other places where the baseScore is taken directly within the `#if` emptiness check, so suspect this was just generated/propagated across all fields in the data naively. It's already assumed to be there in the HTML and SARIF reports, for example.

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@boring-cyborg boring-cyborg Bot added the core changes to core label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core changes to core

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Missing default CVSSv4 baseScore when vulnerability is not yet scored

1 participant