Precondition
Describe the bug
I'm not sure if this is a bug here or if it should be a bug on the dependency-check sonar plugin, but I figured it had a higher chance of being addressed here, so I apologize if this isn't the correct place.
It appears some sources like OSSIndex sometimes have incomplete information on newer vulnerabilities. In my case CVE-2026-61634 is one such example, where the CVSS data is missing. In the generated json report, there is a "cvssv4" section with most fields having the value of "UNDEFINED". However, the baseScore property is missing entirely.
The Sonar Dependency Check plugin is throwing a JSON Parse error because that baseScore property is missing and is required.
Is it possible to default the baseScore to 0 (or even -1 if need be) so that the property is present in all cases and does not cause JSON parse issues in other tools designed to consume the report generated by this tool?
Version of dependency-check used
The problem occurs using version 12.2.2 of the gradle plugin
Log file
This is the error when posting to SonarQube
Caused by: com.fasterxml.jackson.databind.exc.MismatchedInputException: Missing required creator property 'baseScore' (index 0) at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1926, column: 21] (through reference chain: org.sonar.dependencycheck.parser.element.Analysis["dependencies"]->java.util.ArrayList[4]->org.sonar.dependencycheck.parser.element.Dependency["vulnerabilities"]->java.util.ArrayList[0]->org.sonar.dependencycheck.parser.element.Vulnerability["cvssv4"]->org.sonar.dependencycheck.parser.element.CvssV4["baseScore"])
The relevant section of the dependency-check json report:
,"vulnerabilities": [
{
"source": "OSSINDEX",
"name": "CVE-2026-61634",
"severity" : "NONE",
"cvssv4": {
"vectorString": "CVSS:4.0\/AV:N\/AC:H\/AT:P\/PR:N\/UI:N\/VC:N\/VI:N\/VA:N\/SC:N\/SI:N\/SA:N"
,"source": "ossindex"
,"type": "Primary"
,"version": "4.0"
,"attackVector": "NETWORK"
,"attackComplexity": "HIGH"
,"attackRequirements": "PRESENT"
,"privilegesRequired": "NONE"
,"userInteraction": "NONE"
,"vulnerableSystemConfidentiality": "NONE"
,"vulnerableSystemIntegrity": "NONE"
,"vulnerableSystemAvailability": "NONE"
,"subsequentSystemConfidentiality": "NONE"
,"subsequentSystemIntegrity": "NONE"
,"subsequentSystemAvailability": "NONE"
,"exploitMaturity": "NOT_DEFINED"
,"confidentialityRequirements": "NOT_DEFINED"
,"integrityRequirements": "NOT_DEFINED"
,"availabilityRequirements": "NOT_DEFINED"
,"modifiedAttackVector": "NOT_DEFINED"
,"modifiedAttackComplexity": "NOT_DEFINED"
,"modifiedAttackRequirements": "NOT_DEFINED"
,"modifiedPrivilegesRequired": "NOT_DEFINED"
,"modifiedUserInteraction": "NOT_DEFINED"
,"modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"
,"modifiedVulnerableSystemIntegrity": "NOT_DEFINED"
,"modifiedVulnerableSystemAvailability": "NOT_DEFINED"
,"modifiedSubsequentSystemConfidentiality": "NOT_DEFINED"
,"modifiedSubsequentSystemIntegrity": "NOT_DEFINED"
,"modifiedSubsequentSystemAvailability": "NOT_DEFINED"
,"safety": "NOT_DEFINED"
,"automatable": "NOT_DEFINED"
,"recovery": "NOT_DEFINED"
,"valueDensity": "NOT_DEFINED"
,"vulnerabilityResponseEffort": "NOT_DEFINED"
,"providerUrgency": "NOT_DEFINED"
,"baseSeverity": "NONE"
},
Expected behavior
If it was possible to have a default value for baseScore in the cvssv4 secrion of the json report for cases where the vulnerability has not yet been scored (or possibly not report on it if it doesnt have a score?)
Precondition
Describe the bug
I'm not sure if this is a bug here or if it should be a bug on the dependency-check sonar plugin, but I figured it had a higher chance of being addressed here, so I apologize if this isn't the correct place.
It appears some sources like OSSIndex sometimes have incomplete information on newer vulnerabilities. In my case CVE-2026-61634 is one such example, where the CVSS data is missing. In the generated json report, there is a "cvssv4" section with most fields having the value of "UNDEFINED". However, the
baseScoreproperty is missing entirely.The Sonar Dependency Check plugin is throwing a JSON Parse error because that baseScore property is missing and is required.
Is it possible to default the baseScore to 0 (or even -1 if need be) so that the property is present in all cases and does not cause JSON parse issues in other tools designed to consume the report generated by this tool?
Version of dependency-check used
The problem occurs using version 12.2.2 of the gradle plugin
Log file
This is the error when posting to SonarQube
The relevant section of the dependency-check json report:
Expected behavior
If it was possible to have a default value for baseScore in the cvssv4 secrion of the json report for cases where the vulnerability has not yet been scored (or possibly not report on it if it doesnt have a score?)