dependency-check report shows in column 'Highest severity' MEDIUM while CVSSv2 has value 8.5 (CVSSv3 has value 6.6) #5658

Open
GitMarco opened this issue Apr 11, 2023 · 2 comments
@GitMarco

Describe the bug
The Gradle plugin fails during the analyze step on a found vulnerability with a value greater than 7.0:

Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '7.0': CVE-2021-42550
See the dependency-check report for more details.

When I then look at the dependency-check report, I only see the value MEDIUM in the 'Highest severity' column, while I would expect a value of HIGH (because the analysis failed).

See screenshot: [image of the dependency-check report, not included]

When clicking on the logback-core-1.3.0.jar link, it shows (amongst others):

CVSSv2:
Base Score: HIGH (8.5)
Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
Base Score: MEDIUM (6.6)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

See screenshot: [image of the CVE detail, not included]

Note that the CVSSv2 score is 8.5 and the CVSSv3 score is 6.6. It seems the plugin checks only the status of the CVSSv3 value? That would be fine if it didn't fail the plugin analyze phase by reporting that there is a vulnerability with a score greater than 7.0 (which indicates a severity of HIGH).

A solution could be: take the highest of the two CVSS scores and show that in the report column "Highest severity"? So in this case it would show HIGH (not MEDIUM).

Version of dependency-check used
The problem occurs using versions 7.4.4 and 8.1.2 of the Gradle plugin.

Log file
For now, only adding the reason why the job (plugin) is failing:

Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '7.0': CVE-2021-42550
See the dependency-check report for more details.

To Reproduce
Steps to reproduce the behavior:

  1. Have logback-core-1.3.0.jar as a dependency in your project and configure the plugin like this:

     dependencyCheck {
         failBuildOnCVSS = 7
         failOnError = true
     }

  2. Run the scan: ./gradlew dependencyCheckAggregate --no-daemon --stacktrace
  3. That should fail with the message "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '7.0': CVE-2021-42550"
  4. Open the resulting report dependency-check-report.html
  5. See the above reported logback-core-1.3.0.jar and the value MEDIUM in the 'Highest severity' column.

Expected behavior
Show in the report's 'Highest severity' column the highest of the CVSSv2 and CVSSv3 scores, in this example thus showing HIGH. This would be very useful because I use that column to sort on anything that is HIGH or more critical, to know where to focus first. Now it won't always show me the HIGHs when I look at that column.

Additional context
Looks similar/related to #2462 but isn't exactly the same.

@GitMarco GitMarco added the bug label Apr 11, 2023
@merikan

merikan commented Aug 2, 2023

I am experiencing the same problem using the Maven Plugin.

If cvssV2 or cvssV3 is higher than failBuildOnCVSS it fails as expected. When building the output text, it uses cvssV3 if it is greater than or equal to 0, regardless of whether it triggered the failure.

A solution could be the following, but I haven't tested it since I couldn't run all the tests on my Mac:

-                if (failBuildOnAnyVulnerability || cvssV2 >= failBuildOnCVSS
-                        || cvssV3 >= failBuildOnCVSS
-                        || unscoredCvss >= failBuildOnCVSS
+                double highestCvss = Arrays.stream(new double[]{cvssV2, cvssV3, unscoredCvss}).max().getAsDouble();
+                if (failBuildOnAnyVulnerability || highestCvss >= failBuildOnCVSS
                         //safety net to fail on any if for some reason the above misses on 0
                         || (failBuildOnCVSS <= 0.0f)) {
                     String name = v.getName();
-                    if (cvssV3 >= 0.0f) {
-                        name += "(" + cvssV3 + ")";
-                    } else if (cvssV2 >= 0.0f) {
-                        name += "(" + cvssV2 + ")";
-                    } else if (unscoredCvss >= 0.0f) {
-                        name += "(" + unscoredCvss + ")";
-                    }
+                    name += "(" + highestCvss + ")";
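Review bot: the suffix change alters what is printed when no score is present: the old branches append a score only when it is >= 0.0f (so an absent score is presumably a negative sentinel), while `name += "(" + highestCvss + ")";` appends unconditionally, so a vulnerability that reaches this block only through the `failBuildOnCVSS <= 0.0f` safety net with all three scores absent would print the sentinel instead of nothing. Guard it with `if (highestCvss >= 0.0f)`, and add the `java.util.Arrays` import the hunk needs; `max().getAsDouble()` itself is safe here only because the array always has three elements. The gate condition is otherwise equivalent to the three `>=` comparisons it replaces.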

Using Maven Plugin v8.3.1
My project uses logback-core-1.2.3.jar and when running DPC

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] logback-core-1.2.3.jar: CVE-2021-42550(6.6)
[ERROR]
[ERROR] See the dependency-check report for more details.

and the report shows

CVE-2021-42550 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42550)

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CWE-502 Deserialization of Untrusted Data

CVSSv2:
Base Score: HIGH (8.5)
Vector: /AV:N/AC:M/Au:S/C:C/I:C/A:C
CVSSv3:
Base Score: MEDIUM (6.6)
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

@mihai-coanda

mihai-coanda commented Sep 7, 2023

+1

Similar issue with CVE-2016-4055 as it fails our builds due to the CVSSv2 score of 7.8 HIGH even though the CVSSv3 score is 6.5 MEDIUM.

We want the plugin to take into consideration only the CVSSv3 score due to company policy but I could not find a way to force it to exclusively use CVSSv3 scores.

We can ignore the CVE but if the CVSSv3 score changes in the future we will not be notified.
