Use new severity levels (high, medium, low) #895
Conversation
There was a problem hiding this comment.
Thank you very much for the pull request. This is quite a complicated pull request. Thank you for splitting it up. I haven't looked at these lines of code for a long time.
I have added a few comments where we need to take a look.
btw. Table entry in "Plugin version compatibility" (Readme.md) is missing.
...ndency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
Show resolved
Hide resolved
...ency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckConstants.java
Outdated
Show resolved
Hide resolved
|
Perhaps I was too hasty with the request to split the pull request. I think it is necessary that the constants are also required in this pull request. It seems that in the current code the score of CVSS and SonarQube has been mixed. |
|
I think that makes sense, doesn't it? |
Yes, thanks, it looks good to me. Is the compatibility entry I've added correct? |
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
Looks good. |
|
Thank you @Reamer - much appreciated. |
|
Thank you very much for your work. |
|
No, that's everything. |
A tentative fix for #870.
A change to DependencyCheckUtils.severityToScore() also appears to be needed to always use the CVSS scores in the specification to map a severity string to a CVSS score, rather than the configurable thresholds which determine how CVSS scores map to SonarQube severities. However, this will be addressed in a later pull request.