jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

NA scored CVEs are considered higher than 7 when using failBuildOnCVSS . #6027

Open Grimoren opened 11 months ago

Grimoren commented 11 months ago

Describe the bug: It seems N/A scores are considered higher than 7 when using a failBuildOnCVSS score of 7 or higher.

Version of dependency-check used: The problem occurs using version 8.4.2 of the gradle plugin.

Log file:

     * What went wrong:
     Execution failed for task ':dependencyCheckAggregate'.

     Dependency-Analyze Failure:
     One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '7.0': CVE-2023-45960
     See the dependency-check report for more details.

(https://gist.github.com/Grimoren/190a865440d900e9345674df97d4d8b8)

To Reproduce:

  1. add org.dom4j:dom4j:2.1.4 to runtime/compileClasspaths
  2. add dependencyCheck.failBuildOnCVSS = 7
  3. run dependencyCheckAggregate

Expected behavior: Build should pass without failure.


Grimoren commented 11 months ago

The current state of the cve: https://nvd.nist.gov/vuln/detail/CVE-2023-45960

aikebah commented 10 months ago

N/A applies only to the CVSS v2 score, and NVD has opted to no longer compute CVSSv2 (https://nvd.nist.gov/general/news/retire-cvss-v2), so for newer CVEs you're likely to find only N/A as the CVSS v2 score in NVD data.

Dependency-check uses the CVSSv3 score, when available, if CVSS v2 is absent and a CVSS threshold is set. That behavior was deliberately put in when CVSSv3 was introduced as CVSSv2's successor.
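To make the threshold rule concrete, here is an added Python model (not dependency-check's own code) of how a failBuildOnCVSS value is applied to a report entry whose CVSS v2 score is N/A: the highest available score is compared against the threshold, so a v3-only CVE is judged by its v3 score. The JSON report field names, the ">=" comparison and all sample scores are assumptions; the scores are constructed values, not the real NVD scores.

```python
"""Model of a failBuildOnCVSS check over a dependency-check style JSON report.
Assumed logic, not dependency-check's own implementation."""
import json
from typing import Optional

# Constructed sample shaped like a dependency-check JSON report. Field names
# are assumed; the scores are made-up sample values, NOT real NVD scores.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "dom4j-2.1.4.jar",
         "vulnerabilities": [
             # CVSS v2 absent ("N/A" in NVD), only a v3 score is known
             {"name": "CVE-2023-45960", "cvssv2": None,
              "cvssv3": {"baseScore": 9.1}}]},
        {"fileName": "example-lib-1.0.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "cvssv2": {"score": 4.3},
              "cvssv3": {"baseScore": 6.5}},
             # no score at all: cannot be compared against any threshold
             {"name": "CVE-0000-0002", "cvssv2": None, "cvssv3": None}]},
    ]
})


def effective_score(vuln: dict) -> Optional[float]:
    """Score compared against the threshold: the highest of the CVSS v2 and
    v3 scores that are present; None when neither is known."""
    candidates = []
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        candidates.append(float(v2["score"]))
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        candidates.append(float(v3["baseScore"]))
    return max(candidates) if candidates else None


def failing_cves(report_json: str, threshold: float) -> list:
    """CVE ids whose effective score reaches the threshold, i.e. the ones that
    would trip failBuildOnCVSS (">=" assumed, matching "7 or higher")."""
    report = json.loads(report_json)
    failing = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = effective_score(vuln)
            if score is not None and score >= threshold:
                failing.append(vuln["name"])
    return failing


if __name__ == "__main__":
    print(failing_cves(SAMPLE_REPORT, 7.0))
```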