Need CVSSv3.1 or 3.0 specification in reports

[Anshu2405]

Dependency-check tool is already reporting the CVSSv3.1 or 3.0 as CvssV3 score but providing no information whether its a Cvssv3.1 or 3.0 score.
For example:
CVE-2019-10174 has v3.1 (8.8) and v3.0(7.5) CVSS scores present in NVD but the tool reports Cvssv3score as 8.8 with no information about v3.1 or v3.0 specification.

Sample output:

"cvssv3": {
"baseScore": 8.8,
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseSeverity": "HIGH"
},

It would be helpful if we could get this information in reports.

[jeremylong]

ODC will only be able to report what is included in the NVD data feed. We can improve the report to indicate which version is used - but if you look at the data feed for CVE-2019-10174 the CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H is provided by the CNA and does not appear to be included. Only the CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H is in the datafeed.

[jeremylong]

This will be included in the 6.0.0 release. See PR #2781 - the version information will not consistently be available on all CVSS entries - it will depend on if the source of the score provides the version information. Currently, this is only supplied by the NVD.