fix: correct parsing for CVSSv4 strings with Provider Urgency by chadlwilson · Pull Request #8377 · dependency-check/DependencyCheck
Pull request overview
Updates Dependency-Check to use a newer open-vulnerability-clients release that fixes CVSSv4 parsing when the vector string includes a non-default Provider Urgency (U:Clear|Green|Amber|Red), and adjusts the CVSSv4 unit test to cover this scenario (fixes #8376).
Changes:
- Bump `io.github.jeremylong:open-vulnerability-clients` from 9.0.3 to 9.0.4.
- Update `CvssUtilTest#testVectorToCvssV4` to use a CVSSv4 vector containing supplemental metrics, including `U:Amber`.
- Add assertions validating the supplemental CVSSv4 fields (Safety/Automatable/Recovery/ValueDensity/ResponseEffort/ProviderUrgency) and that the threat/environmental scores remain unset.
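To illustrate the case this bump fixes, here is a stand-alone CVSS v4.0 vector parser written for this page; it is not code from open-vulnerability-clients or Dependency-Check. Metric names and allowed values follow the CVSS v4.0 specification, and `SAMPLE_VECTOR` is a constructed input, not the vector used in `CvssUtilTest`. Like the updated test, it treats absent threat and environmental metrics as unset rather than defaulting them.

```python
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
THREAT = {"E": "XAPU"}
ENVIRONMENTAL = {"CR": "XHML", "IR": "XHML", "AR": "XHML", "MAV": "XNALP",
                 "MAC": "XLH", "MAT": "XNP", "MPR": "XNLH", "MUI": "XNPA",
                 "MVC": "XHLN", "MVI": "XHLN", "MVA": "XHLN", "MSC": "XHLN",
                 "MSI": "XSHLN", "MSA": "XSHLN"}
# Supplemental metrics: Provider Urgency (U) takes whole-word values, the case
# a parser that assumes one-letter values gets wrong.
SUPPLEMENTAL = {"S": "XNP", "AU": "XNY", "R": "XAUI", "V": "XDC", "RE": "XLMH",
                "U": ["X", "Clear", "Green", "Amber", "Red"]}
GROUPS = {"base": BASE, "threat": THREAT,
          "environmental": ENVIRONMENTAL, "supplemental": SUPPLEMENTAL}

SAMPLE_VECTOR = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                 "/S:N/AU:Y/R:A/V:C/RE:L/U:Amber")  # constructed, not from the PR

def parse_cvss4(vector):
    """Split a CVSS:4.0 vector into per-group dicts of metric -> value.
    Absent groups come back empty, so "threat/environmental not supplied"
    is distinguishable from "supplied as X". Raises ValueError when malformed."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS:4.0 vector")
    result = {group: {} for group in GROUPS}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        group = next((g for g, m in GROUPS.items() if name in m), None)
        if not sep or group is None:
            raise ValueError(f"unknown or malformed metric: {part!r}")
        if name in result[group]:
            raise ValueError(f"duplicate metric {name!r}")
        allowed = GROUPS[group][name]
        # Compare against a list so "" or a substring like "HL" is never accepted.
        if value not in (list(allowed) if isinstance(allowed, str) else allowed):
            raise ValueError(f"invalid value {value!r} for {name}")
        result[group][name] = value
    missing = set(BASE) - set(result["base"])
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return result

def is_valid_cvss4(vector):
    """True when the vector parses cleanly; handy for rejection checks."""
    try:
        parse_cvss4(vector)
        return True
    except ValueError:
        return False
```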
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pom.xml | Updates managed dependency version for open-vulnerability-clients to pick up the CVSSv4 parsing fix. |
| core/src/test/java/org/owasp/dependencycheck/utils/CvssUtilTest.java | Extends CVSSv4 parsing test coverage to include Provider Urgency (U:Amber) and related supplemental fields. |