clj-holmes / clj-watson

clojure deps SCA
Eclipse Public License 2.0
84 stars 9 forks

Score and severity missing from output #58

Closed chrisetheridge closed 3 months ago

chrisetheridge commented 9 months ago

I recently upgraded Watson from v4.1.2 to v5.1.1. After upgrading, I no longer see scores or severities for the vulnerabilities in the output.

Output as of 5.1.1, using clojure -M:clj-watson -p deps.edn:

Dependency Information
-----------------------------------------------------
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70

DEPENDENCY FOUND IN:

[buddy/buddy-sign]
    [buddy/buddy-core]
        [org.bouncycastle/bcpkix-jdk15on]

[buddy/buddy-sign]
    [buddy/buddy-core]
        [org.bouncycastle/bcpkix-jdk15on]
            [org.bouncycastle/bcutil-jdk15on]

[buddy/buddy-sign]
    [buddy/buddy-core]

FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: Information not available.
IDENTIFIERS: CVE-2023-33202
CVSS: Information not available.
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

It looks like since DependencyCheck moved to the NVD API, getBaseScore and getBaseSeverity have changed. You can see that in this PR.

I've created a fork that fixes this, which I can propose as a PR: https://github.com/chrisetheridge/clj-watson/commit/af84533d0401c864256b84c5ba44215340a78712

Output with my fix in place:

Dependency Information
-----------------------------------------------------
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70

DEPENDENCY FOUND IN:

[buddy/buddy-sign]
    [buddy/buddy-core]
        [org.bouncycastle/bcpkix-jdk15on]

[buddy/buddy-sign]
    [buddy/buddy-core]
        [org.bouncycastle/bcpkix-jdk15on]
            [org.bouncycastle/bcutil-jdk15on]

[buddy/buddy-sign]
    [buddy/buddy-core]

FIX SUGGESTION:
Vulnerabilities
-----------------------------------------------------

SEVERITY: MEDIUM
IDENTIFIERS: CVE-2023-33202
CVSS: 5.5
PATCHED VERSION: Information not available.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Please let me know if I can add anything else :)
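As an added check, not part of clj-watson or of the fork linked above, the following Python parses the text report layout shown in this comment and flags findings whose SEVERITY or CVSS came back as "Information not available." (the regression reported here), or whose severity label disagrees with the CVSS v3 qualitative rating of the score (the fixed output's 5.5 / MEDIUM agrees with that scale). The sample report is constructed, and its second finding is an invented placeholder.

```python
import re

MISSING = "Information not available."

# Constructed sample in the layout of clj-watson's text report from the issue
# (dependency tree omitted); the second finding is an invented placeholder.
SAMPLE_REPORT = """\
NAME: org.bouncycastle/bcprov-jdk15on
VERSION: 1.70
SEVERITY: Information not available.
IDENTIFIERS: CVE-2023-33202
CVSS: Information not available.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
NAME: example/placeholder-lib
VERSION: 2.0
SEVERITY: LOW
IDENTIFIERS: CVE-0000-00000
CVSS: 5.5
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
"""

# CVSS v3.x qualitative rating scale: upper bound of each band, inclusive.
CVSS3_BANDS = [(0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL")]

def cvss3_rating(score: float) -> str:
    return next(label for bound, label in CVSS3_BANDS if score <= bound)

def parse_findings(report: str) -> list[dict]:
    """Split on the '@@@' separators and collect KEY: value lines per finding."""
    findings = []
    for block in re.split(r"@{10,}", report):
        fields = dict(re.findall(r"^([A-Z ]+): (.*)$", block, re.M))
        if "IDENTIFIERS" in fields:
            findings.append(fields)
    return findings

def check_findings(findings: list[dict]) -> list[str]:
    """Flag findings whose score/severity is missing (the regression in this
    issue) or whose SEVERITY label disagrees with the CVSS v3 rating."""
    problems = []
    for f in findings:
        ident, sev, cvss = f["IDENTIFIERS"], f["SEVERITY"], f["CVSS"]
        if MISSING in (sev, cvss):
            problems.append(f"{ident}: severity or CVSS missing from report")
        elif sev.upper() != (expected := cvss3_rating(float(cvss))):
            problems.append(f"{ident}: SEVERITY {sev} but CVSS {cvss} rates {expected}")
    return problems
```

Running `check_findings(parse_findings(SAMPLE_REPORT))` in CI and failing on a non-empty result catches a tool regression like this one before a report with no severities is mistaken for a clean scan.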

lread commented 3 months ago

This seems like a great idea to fix, and the change is small, why not submit your fork as a PR @chrisetheridge?

seancorfield commented 3 months ago

Sorry this issue has languished for so long -- yes, please submit a PR as this seems like a straightforward fix. Thank you!

lread commented 3 months ago

I'll submit a PR for this and credit you @chrisetheridge

chrisetheridge commented 2 months ago

Thank you so much @lread and @seancorfield!