-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use new severity levels (high, medium, low) #895
Use new severity levels (high, medium, low) #895
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you very much for the pull request. This is quite a complicated pull request. Thank you for splitting it up. I haven't looked at these lines of code for a long time.
I have added a few comments where we need to take a look.
btw. Table entry in "Plugin version compatibility" (Readme.md) is missing.
...ndency-check-plugin/src/main/java/org/sonar/dependencycheck/rule/KnownCveRuleDefinition.java
Show resolved
Hide resolved
...ency-check-plugin/src/main/java/org/sonar/dependencycheck/base/DependencyCheckConstants.java
Outdated
Show resolved
Hide resolved
Perhaps I was too hasty with the request to split the pull request. I think it is necessary that the constants are also required in this pull request. It seems that in the current code the score of CVSS and SonarQube has been mixed. |
I think that makes sense, doesn't it? |
Yes, thanks, it looks good to me. Is the compatibility entry I've added correct? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Only minor changes required to make it easier for other users to update.
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
...dency-check-plugin/src/main/java/org/sonar/dependencycheck/DependencyCheckConfiguration.java
Show resolved
Hide resolved
Looks good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thank you @Reamer - much appreciated. |
Thank you very much for your work. |
No, that's everything. |
A tentative fix for #870.
A change to DependencyCheckUtils.severityToScore() also appears to be needed to always use the CVSS scores in the specification to map a severity string to a CVSS score, rather than the configurable thresholds which determine how CVSS scores map to SonarQube severities. However, this will be addressed in a later pull request.