Skip to content

Missing default CVSSv4 baseScore when vulnerability is not yet scored #8662

Description

@habelson

Precondition

  • I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
I'm not sure if this is a bug here or if it should be a bug on the dependency-check sonar plugin, but I figured it had a higher chance of being addressed here, so I apologize if this isn't the correct place.

It appears some sources like OSSIndex sometimes have incomplete information on newer vulnerabilities. In my case CVE-2026-61634 is one such example, where the CVSS data is missing. In the generated json report, there is a "cvssv4" section with most fields having the value of "UNDEFINED". However, the baseScore property is missing entirely.

The Sonar Dependency Check plugin is throwing a JSON Parse error because that baseScore property is missing and is required.

Is it possible to default the baseScore to 0 (or even -1 if need be) so that the property is present in all cases and does not cause JSON parse issues in other tools designed to consume the report generated by this tool?

Version of dependency-check used
The problem occurs using version 12.2.2 of the gradle plugin

Log file
This is the error when posting to SonarQube

Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'baseScore' (index 0) at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1926, column: 21] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[4]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv4"]->org.sonar.dependencycheck.parser.element.CvssV4["baseScore"])

The relevant section of the dependency-check json report:

 ,"vulnerabilities": [
 {
                "source": "OSSINDEX",
                "name": "CVE-2026-61634",
                    "severity" : "NONE",
                    "cvssv4": {
                        "vectorString": "CVSS:4.0\/AV:N\/AC:H\/AT:P\/PR:N\/UI:N\/VC:N\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N"
                        ,"source": "ossindex"
                        ,"type": "Primary"
                        ,"version": "4.0"
                        ,"attackVector": "NETWORK"
                        ,"attackComplexity": "HIGH"
                        ,"attackRequirements": "PRESENT"
                        ,"privilegesRequired": "NONE"
                        ,"userInteraction": "NONE"
                        ,"vulnerableSystemConfidentiality": "NONE"
                        ,"vulnerableSystemIntegrity": "NONE"
                        ,"vulnerableSystemAvailability": "NONE"
                        ,"subsequentSystemConfidentiality": "NONE"
                        ,"subsequentSystemIntegrity": "NONE"
                        ,"subsequentSystemAvailability": "NONE"
                        ,"exploitMaturity": "NOT_DEFINED"
                        ,"confidentialityRequirements": "NOT_DEFINED"
                        ,"integrityRequirements": "NOT_DEFINED"
                        ,"availabilityRequirements": "NOT_DEFINED"
                        ,"modifiedAttackVector": "NOT_DEFINED"
                        ,"modifiedAttackComplexity": "NOT_DEFINED"
                        ,"modifiedAttackRequirements": "NOT_DEFINED"
                        ,"modifiedPrivilegesRequired": "NOT_DEFINED"
                        ,"modifiedUserInteraction": "NOT_DEFINED"
                        ,"modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"
                        ,"modifiedVulnerableSystemIntegrity": "NOT_DEFINED"
                        ,"modifiedVulnerableSystemAvailability": "NOT_DEFINED"
                        ,"modifiedSubsequentSystemConfidentiality": "NOT_DEFINED"
                        ,"modifiedSubsequentSystemIntegrity": "NOT_DEFINED"
                        ,"modifiedSubsequentSystemAvailability": "NOT_DEFINED"
                        ,"safety": "NOT_DEFINED"
                        ,"automatable": "NOT_DEFINED"
                        ,"recovery": "NOT_DEFINED"
                        ,"valueDensity": "NOT_DEFINED"
                        ,"vulnerabilityResponseEffort": "NOT_DEFINED"
                        ,"providerUrgency": "NOT_DEFINED"
                        ,"baseSeverity": "NONE"
                    },

Expected behavior
If it was possible to have a default value for baseScore in the cvssv4 secrion of the json report for cases where the vulnerability has not yet been scored (or possibly not report on it if it doesnt have a score?)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions