Remove the Nexus IQ advisor

.ort.yml

@@ -43,7 +43,7 @@ resolutions:
   issues:
   - message: "ERROR: Timeout after 300 seconds while scanning file 'reporter-web-app/public/index.html'."
     reason: "SCANNER_ISSUE"
-    comment: >- 
+    comment: >-
       The error can be ignored because the file does contain relevant license information.
   - message: "ERROR: Timeout after 300 seconds while scanning file 'scanner/src/test/assets/aws-java-sdk-core-1.11.160_scancode-2.9.7.json'."
     reason: "SCANNER_ISSUE"
@@ -56,11 +56,6 @@ resolutions:
       This vulnerability is triggered by the org.springframework:spring-beans package which comes as a transitive
       dependency of the Jira REST client used by the notifier. The vulnerability applies only to Spring MVC or Spring
       WebFlux applications; so it is ineffective for the current usage scenario.
-  - id: "sonatype-2022-1764"
-    reason: "INEFFECTIVE_VULNERABILITY"
-    comment: >-
-      This is a duplicate for CVE-2022-22965 reported by Sonatype NexusIQ, as Sonatype reported this issue before a
-      CVE ID was officially released.
   - id: "CVE-2016-7954"
     reason: "INEFFECTIVE_VULNERABILITY"
     comment: >-

cli/src/funTest/assets/semver4j-ort-result.yml

@@ -374,26 +374,54 @@ advisor:
     tool_versions: {}
   config:
     config:
-      NexusIQ:
+      OssIndex:
         options:
-          server_url: "https://oss-review-toolkit.org"
-          browse_url: "https://oss-review-toolkit.org"
+          serverUrl: "https://ossindex.sonatype.org"
         secrets:
-          username: "user"
+          username: "username"
+          password: "password"
   results:
     Maven:junit:junit:4.12:
     - advisor:
-        name: "NexusIQ"
+        name: "OSSIndex"
         capabilities:
         - "VULNERABILITIES"
       summary:
-        start_time: "2021-04-29T14:54:17.322191Z"
-        end_time: "2021-04-29T14:54:18.966672Z"
+        start_time: "2024-09-09T09:06:07.446242337Z"
+        end_time: "2024-09-09T09:06:08.652601586Z"
       vulnerabilities:
       - id: "CVE-2020-15250"
+        summary: "[CVE-2020-15250] CWE-200: Information Exposure"
+        description: "In JUnit4 from version 4.7 and before 4.13.1, the test rule\
+          \ TemporaryFolder contains a local information disclosure vulnerability.\
+          \ On Unix like systems, the system's temporary directory is shared between\
+          \ all users on that system. Because of this, when files and directories\
+          \ are written into this directory they are, by default, readable by other\
+          \ users on that same system. This vulnerability does not allow other users\
+          \ to overwrite the contents of these directories or files. This is purely\
+          \ an information disclosure vulnerability. This vulnerability impacts you\
+          \ if the JUnit tests write sensitive information, like API keys or passwords,\
+          \ into the temporary folder, and the JUnit tests execute in an environment\
+          \ where the OS has other untrusted users. Because certain JDK file system\
+          \ APIs were only added in JDK 1.7, this this fix is dependent upon the version\
+          \ of the JDK you are using. For Java 1.7 and higher users: this vulnerability\
+          \ is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available,\
+          \ you must use the workaround below. If you are unable to patch, or are\
+          \ stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment\
+          \ variable to a directory that is exclusively owned by the executing user\
+          \ will fix this vulnerability. For more information, including an example\
+          \ of vulnerable code, see the referenced GitHub Security Advisory."
         references:
-        - url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15250"
-          scoring_system: "CVSS2"
+        - url: "https://ossindex.sonatype.org/vulnerability/CVE-2020-15250?component-type=maven&component-name=junit%2Fjunit&utm_source=okhttp&utm_medium=integration&utm_content=4.12.0"
+          scoring_system: "CVSS:3.1"
+          severity: "MEDIUM"
+          score: 5.5
+        - url: "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15250"
+          scoring_system: "CVSS:3.1"
+          severity: "MEDIUM"
+          score: 5.5
+        - url: "https://github.com/advisories/GHSA-269g-pwp5-87pp"
+          scoring_system: "CVSS:3.1"
           severity: "MEDIUM"
           score: 5.5
 evaluator: null

examples/example.rules.kts

@@ -215,7 +215,7 @@ fun RuleSet.vulnerabilityInPackageRule() = packageRule("VULNERABILITY_IN_PACKAGE
 
 fun RuleSet.highSeverityVulnerabilityInPackageRule() = packageRule("HIGH_SEVERITY_VULNERABILITY_IN_PACKAGE") {
     val scoreThreshold = 5.0f
-    val scoringSystem = "CVSS2"
+    val scoringSystem = "CVSS:3.1"
 
     require {
         -isExcluded()