fix(reporter): Add score and method properties in CycloneDX report

geoandri · sschuberth · commit 1f2ad1efed2f · 2023-11-02T22:32:44.000+01:00
Signed-off-by: George Andrinopoulos &lt;george.andrinopoulos@leanix.net&gt;
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -249,7 +249,9 @@
           "source": {
             "url": "https://cves.example.org/cve1"
           },
-          "severity": "medium"
+          "score": 6.0,
+          "severity": "medium",
+          "method": "CVSSv2"
         }
       ],
       "description": "A vulnerability description",
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -139,7 +139,9 @@
           <source>
             <url>https://cves.example.org/cve1</url>
           </source>
+          <score>6.0</score>
           <severity>medium</severity>
+          <method>CVSSv2</method>
         </rating>
       </ratings>
       <description>A vulnerability description</description>
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -273,6 +273,9 @@ class CycloneDxReporter : Reporter {
                                 .apply { url = reference.url.toString() }
                             severity = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity
                                 .fromString(reference.severityRating.lowercase())
+                            score = reference.severity?.toDoubleOrNull()
+                            method = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Method
+                                .fromString(reference.scoringSystem)
                         }
                     }
                     affects = mutableListOf(
diff --git a/reporter/src/testFixtures/kotlin/TestData.kt b/reporter/src/testFixtures/kotlin/TestData.kt
@@ -408,7 +408,7 @@ val VULNERABILITY = Vulnerability(
     summary = "A vulnerability summary",
     description = "A vulnerability description",
     references = listOf(
-        VulnerabilityReference(URI("https://cves.example.org/cve1"), "Cvss2", "6.0")
+        VulnerabilityReference(URI("https://cves.example.org/cve1"), "CVSSv2", "6.0")
     )
 )
 

Original file line number	Diff line number	Diff line change
`@@ -273,6 +273,9 @@ class CycloneDxReporter : Reporter {`
`273`	`273`	`.apply { url = reference.url.toString() }`
`274`	`274`	`severity = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity`
`275`	`275`	`.fromString(reference.severityRating.lowercase())`
	`276`	`+ score = reference.severity?.toDoubleOrNull()`
	`277`	`+ method = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Method`
	`278`	`+ .fromString(reference.scoringSystem)`
`276`	`279`	`}`
`277`	`280`	`}`
`278`	`281`	`affects = mutableListOf(`
Original file line number	Diff line number	Diff line change
`@@ -408,7 +408,7 @@ val VULNERABILITY = Vulnerability(`
`408`	`408`	`summary = "A vulnerability summary",`
`409`	`409`	`description = "A vulnerability description",`
`410`	`410`	`references = listOf(`
`411`		`- VulnerabilityReference(URI("https://cves.example.org/cve1"), "Cvss2", "6.0")`
	`411`	`+ VulnerabilityReference(URI("https://cves.example.org/cve1"), "CVSSv2", "6.0")`
`412`	`412`	`)`
`413`	`413`	`)`
`414`	`414`