dependency-check / dependency-check-sonar-plugin

Integrates Dependency-Check reports into SonarQube

Critical CVEs only get C rating instead of E #982

Open isaguimiot opened 2 months ago

isaguimiot commented 2 months ago

Describe the bug
Since we moved to sonar 10 and dependency check plugin 5, critical CVEs don't seem to be taken as "high impact on security", but only "medium impact". On the previous version, having one critical CVE was giving an E security rating. Now, with the same CVE, the project has a C security rating.

To Reproduce
Just run an audit on a project with a critically vulnerable dependency (for instance, spring-boot-2.7.10.jar, which is linked to the vulnerability CVE-2023-20873).

Current behavior
The project has a C security rating.

Expected behavior
The project should have an E security rating.

Versions (please complete the following information):

gothikieros commented 1 month ago

I have been watching this thread waiting for an update because I have stumbled on the same issue. It would seem that the plugin correctly aggregates the 5 categories into SonarQube's new 3, since I see the same number of vulnerabilities detected on all the projects as in the older installation.

I have tried to artificially alter the scale from settings to have only Low or only High to see if the rating will change but it stayed stuck on C. Even with 4 Critical/Blocker (a.k.a. High) Issues.

Is there any update on this?