Describe the bug
Since we moved to sonar 10 and dependency check plugin 5, critical CVEs don't seem to be taken as "high impact on security", but only "medium impact". On the previous version, having one critical CVE was giving an E security rating. Now, with the same CVE, the project has a C security rating.
To Reproduce
Just run an audit on a project with a critically vulnerable dependency (for instance, spring-boot-2.7.10.jar, which is linked to the vulnerability CVE-2023-20873)
Current behavior
The project has a C security rating.
Expected behavior
The project should have an E security rating.
Versions (please complete the following information):
dependency-check : any 9.x
sonarqube : 10.6
dependency-check-sonar-plugin : 5.0.0
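The rating change described above can be checked independently of the plugin. The script below is an added example, not code from dependency-check-sonar-plugin or SonarQube: it reads the shape of a dependency-check JSON report (dependencies[].vulnerabilities[] with a cvssv3.baseScore, an assumption about the report format), classifies each CVE on the CVSS v3 qualitative scale, and derives the security rating under two assumed mappings. The "expected" table models the behaviour the issue reports for the previous plugin version (one critical CVE gives E); the "observed" table models what is reported for plugin 5.0.0, where a critical CVE is raised as Medium impact and rated C. Only the critical row of the observed table comes from the issue; the other rows, the sample report, and the rating-per-severity tables are assumptions.

```python
"""Added example: compare the security rating SonarQube reports with the
rating the worst dependency-check finding warrants. Not plugin code."""
import json

RATING_ORDER = "ABCDE"  # A is best, E is worst


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity scale (none/low/medium/high/critical)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Assumed mapping modelling the previous plugin behaviour described in the
# issue: critical CVE -> Blocker -> E. Not the plugin's real table.
EXPECTED_MAPPING = {"critical": "BLOCKER", "high": "CRITICAL",
                    "medium": "MAJOR", "low": "MINOR"}
# SonarQube standard-severity security rating: worst open vulnerability wins.
RATING_FOR_STANDARD = {"BLOCKER": "E", "CRITICAL": "D", "MAJOR": "C",
                       "MINOR": "B", "INFO": "A"}

# Assumed mapping reproducing the behaviour reported for plugin 5.0.0:
# only the "critical" -> MEDIUM row is taken from the issue; the rest are guesses.
OBSERVED_MAPPING = {"critical": "MEDIUM", "high": "HIGH",
                    "medium": "MEDIUM", "low": "LOW"}
# SonarQube 10 impact-based security rating (assumed: High -> D, Medium -> C, Low -> B).
RATING_FOR_IMPACT = {"HIGH": "D", "MEDIUM": "C", "LOW": "B"}

# Constructed sample report; scores chosen so the first finding is critical,
# as the issue states for CVE-2023-20873. The second CVE id is a placeholder.
SAMPLE_REPORT = json.loads("""{
  "dependencies": [
    {"fileName": "spring-boot-2.7.10.jar",
     "vulnerabilities": [{"name": "CVE-2023-20873", "severity": "CRITICAL",
                          "cvssv3": {"baseScore": 9.8}}]},
    {"fileName": "other-lib-PLACEHOLDER.jar",
     "vulnerabilities": [{"name": "CVE-XXXX-PLACEHOLDER", "severity": "LOW",
                          "cvssv3": {"baseScore": 3.1}}]}
  ]
}""")


def findings(report: dict):
    """Yield (dependency file, CVE id, cvss severity) for each vulnerability.

    Uses cvssv3.baseScore when present, else the report's own severity label
    (assumed report layout)."""
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = vuln.get("cvssv3", {}).get("baseScore")
            if score is not None:
                sev = cvss_severity(float(score))
            else:
                sev = vuln.get("severity", "none").lower()
            yield dep.get("fileName"), vuln.get("name"), sev


def worst_rating(ratings) -> str:
    """Worst letter in the sequence; A when there are no findings."""
    return max(ratings, key=RATING_ORDER.index, default="A")


def project_rating(report: dict, severity_map: dict, rating_table: dict) -> str:
    """Security rating implied by the worst finding under a given mapping."""
    return worst_rating(rating_table[severity_map[sev]]
                        for _, _, sev in findings(report) if sev != "none")


def rating_downgraded(report: dict, observed_rating: str) -> bool:
    """True when SonarQube's rating is better than the worst finding warrants."""
    expected = project_rating(report, EXPECTED_MAPPING, RATING_FOR_STANDARD)
    return RATING_ORDER.index(observed_rating) < RATING_ORDER.index(expected)


if __name__ == "__main__":
    for dep, cve, sev in findings(SAMPLE_REPORT):
        print(f"{dep}: {cve} -> {sev}")
    print("expected rating:", project_rating(SAMPLE_REPORT, EXPECTED_MAPPING, RATING_FOR_STANDARD))
    print("observed rating:", project_rating(SAMPLE_REPORT, OBSERVED_MAPPING, RATING_FOR_IMPACT))
    print("downgraded:", rating_downgraded(SAMPLE_REPORT, "C"))
```

Running it against a real dependency-check-report.json (load the file instead of SAMPLE_REPORT) and the rating shown in SonarQube gives a quick gate: rating_downgraded returning True means the dashboard is under-reporting the worst known CVE in the build.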
I have been watching this thread waiting for an update because I have stumbled into the same issue.
It would seem that the plugin correctly aggregates the 5 categories into SonarQube's new 3, since I see the same number of vulnerabilities detected on all the projects as in the older installation.
I have tried to artificially alter the scale from settings to have only Low or only High to see if the rating will change but it stayed stuck on C. Even with 4 Critical/Blocker (a.k.a. High) Issues.