feat: report on CVSS v4 (#7204)

Author: jeremylong

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -2299,6 +2299,7 @@ private void checkForFailure(Dependency[] dependencies) throws BuildException {
             for (Vulnerability v : d.getVulnerabilities()) {
                 if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
                         || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
+                        || (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)
                         || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
                         //safety net to fail on any if for some reason the above misses on 0
                         || (failBuildOnCVSS <= 0.0f)) {

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -317,15 +317,20 @@ private int determineReturnCode(Engine engine, float cvssFailScore) {
                         && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
                 final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null
                         && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
+                final Double cvssV4 = v.getCvssV4() != null && v.getCvssV4().getCvssData() != null
+                        && v.getCvssV4().getCvssData().getBaseScore() != null ? v.getCvssV4().getCvssData().getBaseScore() : -1;
                 final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
 
                 if (cvssV2 >= cvssFailScore
                         || cvssV3 >= cvssFailScore
+                        || cvssV4 >= cvssFailScore
                         || unscoredCvss >= cvssFailScore
                         //safety net to fail on any if for some reason the above misses on 0
                         || (cvssFailScore <= 0.0f)) {
                     double score = 0.0;
-                    if (cvssV3 >= 0.0) {
+                    if (cvssV4 >= 0.0) {
+                        score = cvssV4;
+                    } else if (cvssV3 >= 0.0) {
                         score = cvssV3;
                     } else if (cvssV2 >= 0.0) {
                         score = cvssV2;

core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -1006,6 +1006,7 @@ private void checkForFailure(Dependency[] dependencies) throws ScanAgentExceptio
             for (Vulnerability v : d.getVulnerabilities()) {
                 if ((v.getCvssV2() != null && v.getCvssV2().getCvssData().getBaseScore() >= failBuildOnCVSS)
                         || (v.getCvssV3() != null && v.getCvssV3().getCvssData().getBaseScore() >= failBuildOnCVSS)
+                        || (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore() >= failBuildOnCVSS)
                         || (v.getUnscoredSeverity() != null && SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) >= failBuildOnCVSS)
                         //safety net to fail on any if for some reason the above misses on 0
                         || (failBuildOnCVSS <= 0.0f)) {

core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -518,6 +518,9 @@ public int compareTo(@NotNull Vulnerability o) {
      * vulnerability severity
      */
     private Double bestEffortSeverityLevelForSorting() {
+        if (this.cvssV4 != null) {
+            return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV4.getCvssData().getBaseScore());
+        }
         if (this.cvssV3 != null) {
             return SeverityUtil.sortAdjustedCVSSv3BaseScore(this.cvssV3.getCvssData().getBaseScore());
         }
@@ -535,6 +538,9 @@ private Double bestEffortSeverityLevelForSorting() {
      * unscored severities that critical is assumed.
      */
     public String getHighestSeverityText() {
+        if (this.cvssV4 != null) {
+            return this.cvssV4.getCvssData().getBaseSeverity().value().toUpperCase();
+        }
         if (this.cvssV3 != null) {
             return this.cvssV3.getCvssData().getBaseSeverity().value().toUpperCase();
         }

core/src/main/java/org/owasp/dependencycheck/reporting/ReportTool.java

@@ -99,7 +99,8 @@ public Collection<SarifRule> convertToSarifRules(List<Dependency> dependencies)
                             buildDescription(v.getDescription(), v.getKnownExploitedVulnerability()),
                             v.getSource().name(),
                             v.getCvssV2(),
-                            v.getCvssV3());
+                            v.getCvssV3(),
+                            v.getCvssV4());
                     rules.put(v.getName(), r);
                 }
             }
@@ -114,6 +115,8 @@ private String determineScore(Vulnerability vuln) {
             } else {
                 return normalizeSeverity(vuln.getUnscoredSeverity().toLowerCase());
             }
+        } else if (vuln.getCvssV4() != null && vuln.getCvssV4().getCvssData().getBaseSeverity() != null) {
+            return normalizeSeverity(vuln.getCvssV4().getCvssData().getBaseSeverity().value().toLowerCase());
         } else if (vuln.getCvssV3() != null && vuln.getCvssV3().getCvssData().getBaseSeverity() != null) {
             return normalizeSeverity(vuln.getCvssV3().getCvssData().getBaseSeverity().value().toLowerCase());
         } else if (vuln.getCvssV2() != null && vuln.getCvssV2().getCvssData().getBaseSeverity() != null) {

core/src/main/java/org/owasp/dependencycheck/reporting/SarifRule.java

@@ -19,6 +19,7 @@
 
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV2;
 import io.github.jeremylong.openvulnerability.client.nvd.CvssV3;
+import io.github.jeremylong.openvulnerability.client.nvd.CvssV4;
 
 /**
  *
@@ -138,6 +139,14 @@ public class SarifRule {
      * CVSS V3 field.
      */
     private String cvssv3Version;
+    /**
+     * CVSS V4 field.
+     */
+    private String cvssv4BaseScore;
+    /**
+     * CVSS V4 Vector.
+     */
+    private String cvssv4Vector;
     /**
      * The source of the rule.
      */
@@ -154,7 +163,7 @@ public class SarifRule {
      * @param cvssV3 the CVSS v3 score
      */
     public SarifRule(String name, String shortDescription, String fullDescription,
-            String source, CvssV2 cvssV2, CvssV3 cvssV3) {
+                     String source, CvssV2 cvssV2, CvssV3 cvssV3, CvssV4 cvssV4) {
         this.id = name;
         this.name = name;
         this.shortDescription = shortDescription;
@@ -232,6 +241,12 @@ public SarifRule(String name, String shortDescription, String fullDescription,
             }
             this.cvssv3Version = cvssV3.getCvssData().getVersion().name();
         }
+        if (cvssV4 != null && cvssV4.getCvssData() != null) {
+            if (cvssV4.getCvssData().getBaseScore() != null) {
+                this.cvssv4BaseScore = cvssV4.getCvssData().getBaseScore().toString();
+            }
+            this.cvssv4Vector = cvssV4.toString();
+        }
     }
 
     /**
@@ -757,4 +772,36 @@ public void setId(String id) {
         this.id = id;
     }
 
+    /**
+     * Get the value of CVSS4 Base Score.
+     *
+     * @return the value of CVSS4 Base Score
+     */
+    public String getCvssv4BaseScore() {
+        return cvssv4BaseScore;
+    }
+
+    /**
+     * Set the value of CVSS4 Base Score.
+     * @param cvssv4BaseScore new value of CVSS4 Base Score
+     */
+    public void setCvssv4BaseScore(String cvssv4BaseScore) {
+        this.cvssv4BaseScore = cvssv4BaseScore;
+    }
+
+    /**
+     * Get the Cvssv4 Vector.
+     * @return the Cvssv4 Vector
+     */
+    public String getCvssv4Vector() {
+        return cvssv4Vector;
+    }
+
+    /**
+     * Set the Cvssv4 Vector.
+     * @param cvssv4Vector new value of Cvssv4 Vector
+     */
+    public void setCvssv4Vector(String cvssv4Vector) {
+        this.cvssv4Vector = cvssv4Vector;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java

@@ -537,6 +537,11 @@ public void process(Dependency dependency) {
                             removeVulns.add(v);
                             break;
                         }
+                        if (v.getCvssV4() != null && v.getCvssV4().getCvssData().getBaseScore().compareTo(cvss) < 0) {
+                            remove = true;
+                            removeVulns.add(v);
+                            break;
+                        }
                     }
                 }
                 if (remove && !isBase()) {