dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Use new severity levels (high, medium, low) #895

Closed NIGCH closed 8 months ago

NIGCH commented 8 months ago

A tentative fix for https://github.com/dependency-check/dependency-check-sonar-plugin/issues/870.

A change to DependencyCheckUtils.severityToScore() also appears to be needed to always use the CVSS scores in the specification to map a severity string to a CVSS score, rather than the configurable thresholds which determine how CVSS scores map to SonarQube severities. However, this will be addressed in a later pull request.
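The distinction drawn above, between mapping a severity label to a CVSS score and mapping a CVSS score to a SonarQube severity, is easy to get wrong when both live in one utility. The following is an added illustration written for this discussion, not the plugin's own code: it keeps the two mappings apart, uses the CVSS v3.x qualitative rating bands for the label-to-score direction, and shows why routing the label through the configurable thresholds instead makes the result circular. The threshold names and defaults, the record field names, and the choice of the band's lower bound as the representative score are assumptions, not values taken from the plugin.

```python
"""Two mappings a Dependency-Check -> SonarQube bridge must keep separate.

1. severity label -> CVSS score   fixed by the CVSS v3.x qualitative rating scale
2. CVSS score -> SonarQube severity   governed by user-configurable thresholds

Added example for illustration; not code from dependency-check-sonar-plugin.
"""
from __future__ import annotations

from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale: label -> (lower bound, upper bound).
CVSS_BANDS = {
    "critical": (9.0, 10.0),
    "high": (7.0, 8.9),
    "medium": (4.0, 6.9),
    "low": (0.1, 3.9),
    "none": (0.0, 0.0),
}


def severity_to_score(severity: str) -> float:
    """Map a report severity label to a representative CVSS score using the
    bands from the specification. Assumption: the band's lower bound is used,
    so a label-only "high" finding is never scored above a real 7.0 finding.
    Unknown labels are rejected rather than silently scored."""
    try:
        lower, _upper = CVSS_BANDS[severity.strip().lower()]
    except KeyError as exc:
        raise ValueError(f"unknown severity label: {severity!r}") from exc
    return lower


@dataclass(frozen=True)
class Thresholds:
    """Minimum CVSS score for each SonarQube severity (hypothetical defaults,
    standing in for the plugin's configurable settings)."""
    blocker: float = 9.0
    critical: float = 7.0
    major: float = 4.0
    minor: float = 0.0


def score_to_sonar_severity(score: float, th: Thresholds = Thresholds()) -> str:
    """Map a CVSS score to a SonarQube severity using the configured thresholds."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= th.blocker:
        return "BLOCKER"
    if score >= th.critical:
        return "CRITICAL"
    if score >= th.major:
        return "MAJOR"
    if score >= th.minor:
        return "MINOR"
    return "INFO"


def mixed_severity_to_score(severity: str, th: Thresholds) -> float:
    """The conflation being discussed: deriving a label's score from the
    SonarQube thresholds. The result then always sits exactly on a threshold,
    so the label maps to the same SonarQube severity no matter how the
    thresholds are tuned."""
    table = {"critical": th.blocker, "high": th.critical,
             "medium": th.major, "low": th.minor}
    return table[severity.strip().lower()]


def classify(vuln: dict, th: Thresholds = Thresholds()) -> tuple[float, str]:
    """Classify one vulnerability record (constructed field names, modelled on
    a Dependency-Check-style report entry). Prefer an explicit CVSS score and
    fall back to the severity label only when no score is present."""
    score = vuln.get("cvssv3_score")
    if score is None:
        score = vuln.get("cvssv2_score")
    if score is None:
        score = severity_to_score(vuln["severity"])
    return float(score), score_to_sonar_severity(float(score), th)


if __name__ == "__main__":
    # An administrator raises the CRITICAL threshold to 8.0.
    stricter = Thresholds(critical=8.0)
    label_only = {"severity": "HIGH"}                      # constructed record
    scored = {"severity": "HIGH", "cvssv3_score": 8.1}     # constructed record
    # Spec-based mapping: the label-only finding is treated like any 7.0 finding.
    print(classify(label_only, stricter))   # (7.0, 'MAJOR')
    print(classify(scored, stricter))       # (8.1, 'CRITICAL')
    # Threshold-based mapping: the label is pinned to CRITICAL regardless of config.
    s = mixed_severity_to_score("HIGH", stricter)
    print(s, score_to_sonar_severity(s, stricter))  # 8.0 CRITICAL
```

With the spec-based mapping, a label-only "high" finding and a finding scored 7.0 are always classified identically under whatever thresholds the administrator chooses; with the threshold-based mapping, tuning the thresholds has no visible effect on label-only findings at all, which is the symptom of the two scales having been mixed.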

Reamer commented 8 months ago

Perhaps I was too hasty with the request to split the pull request.

I think it is necessary that the constants are also required in this pull request. https://github.com/dependency-check/dependency-check-sonar-plugin/pull/894/files#diff-ce8ce310fb93461c861183d57d10967a8bf3d7a2de59aa4053436ef5ef661817R38-R41

It seems that in the current code the score of CVSS and SonarQube has been mixed.

Reamer commented 8 months ago

I think that makes sense, doesn't it?

NIGCH commented 8 months ago

> I think that makes sense, doesn't it?

Yes, thanks, it looks good to me. Is the compatibility entry I've added correct?

Reamer commented 8 months ago

> I think that makes sense, doesn't it?
>
> Yes, thanks, it looks good to me. Is the compatibility entry I've added correct?

Looks good.

NIGCH commented 8 months ago

Thank you @Reamer - much appreciated.

Reamer commented 8 months ago

Thank you very much for your work. Is there any more code from the first pull request https://github.com/dependency-check/dependency-check-sonar-plugin/pull/894?

NIGCH commented 8 months ago

No, that's everything.