Critical CVEs only get C rating instead of E #982

Open
isaguimiot opened this issue Aug 22, 2024 · 3 comments
@isaguimiot
Describe the bug
Since we moved to sonar 10 and dependency check plugin 5, critical CVEs don't seem to be taken as "high impact on security", but only "medium impact". On the previous version, having one critical CVE was giving an E security rating. Now, with the same CVE, the project has a C security rating.

To Reproduce
Just run an audit on a project with a critically vulnerable dependency (for instance, spring-boot-2.7.10.jar, which is linked to the vulnerability CVE-2023-20873)

Current behavior
The project has a C security rating.

Expected behavior
The project should have an E security rating.

Versions (please complete the following information):

  • dependency-check: any 9.x
  • sonarqube: 10.6
  • dependency-check-sonar-plugin: 5.0.0
@isaguimiot isaguimiot added the bug label Aug 22, 2024
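A CI-side sanity check for the symptom reported above, added here as an example and not code from the plugin or from the reporter: it reads the dependency-check JSON report directly, classifies each finding on the NVD CVSS v3 qualitative scale, and flags a SonarQube security rating that is better than the raw report justifies. The report structure is trimmed to the fields used, the CVSS score for CVE-2023-20873 and the second dependency are constructed sample data, and the severity-to-rating table encodes the reporter's expectation (E for a critical CVE), not the plugin's actual mapping.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report, trimmed to
# the fields this check reads. Scores and the second entry are made up.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "spring-boot-2.7.10.jar",
         "vulnerabilities": [
             {"name": "CVE-2023-20873", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-EXAMPLE-0001", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}}]},
    ]
})

# Assumed table: the rating the reporter expects for the worst finding.
EXPECTED_RATING = {"CRITICAL": "E", "HIGH": "D", "MEDIUM": "C", "LOW": "B", "NONE": "A"}
ORDER = "ABCDE"  # A is best, E is worst


def nvd_severity(score: float) -> str:
    """NVD qualitative scale for CVSS v3.x base scores."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def worst_severity(report_json: str) -> str:
    """Scan every vulnerability in the report and return the worst severity seen."""
    worst = "NONE"
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            sev = nvd_severity(float(vuln.get("cvssv3", {}).get("baseScore", 0.0)))
            if ORDER.index(EXPECTED_RATING[sev]) > ORDER.index(EXPECTED_RATING[worst]):
                worst = sev
    return worst


def expected_rating(report_json: str) -> str:
    return EXPECTED_RATING[worst_severity(report_json)]


def rating_understated(report_json: str, observed_rating: str) -> bool:
    """True when the rating SonarQube shows is better (closer to A) than the
    report's worst finding warrants: the discrepancy described in this issue."""
    return ORDER.index(observed_rating) < ORDER.index(expected_rating(report_json))
```

Wiring `rating_understated` into the pipeline after the Sonar analysis gives an independent alarm if a plugin or mode change silently downgrades critical findings.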
@gothikieros

I have been watching this thread waiting for an update because I have stumbled on the same issue.
It would seem that the plugin correctly aggregates the 5 categories into SonarQube's new 3, since I see the same number of vulnerabilities detected on all the projects as in the older installation.

I have tried to artificially alter the scale from settings to have only Low or only High to see if the rating will change but it stayed stuck on C. Even with 4 Critical/Blocker (a.k.a. High) Issues.

Is there any update on this?


This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 27, 2024
@RedHotSpicy

Is there any update on the issue?

@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 29, 2024