Open Grimoren opened 11 months ago
The current state of the CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-45960
N/A is only applicable to CVSS v2 score, and NVD has opted to no longer compute CVSSv2: https://nvd.nist.gov/general/news/retire-cvss-v2 so that for newer CVEs you're likely to find only N/A as CVSS v2 score in NVD data.
Dependency-check uses the CVSSv3 score when available when CVSS v2 is absent and a CVSS threshold is set. That behavior was deliberately put in when CVSSv3 was introduced as CVSSv2's successor.
Describe the bug: It seems N/A scores are considered higher than 7 when using the failOnBuild score of 7 or higher.
Version of dependency-check used: The problem occurs using version 8.4.2 of the gradle plugin.
Log file: https://gist.github.com/Grimoren/190a865440d900e9345674df97d4d8b8
To Reproduce Steps to reproduce the behavior:
Expected behavior: Build should pass without failure.
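A sketch of the score selection described in the comment above (CVSS v2 when present, otherwise CVSS v3, compared against the threshold), added here as an example and not taken from dependency-check's source. The record is constructed in the NVD API 2.0 JSON layout with made-up scores; the function names and the handling of unscored entries are assumptions.

```python
import json

# Constructed NVD-API-2.0-style record: no cvssMetricV2 block (the NVD page
# shows "N/A" for v2), CVSS v3.1 present. Id and scores are made up.
SAMPLE = json.loads("""
{"id": "CVE-0000-0001",
 "metrics": {"cvssMetricV31": [
   {"type": "Secondary", "cvssData": {"version": "3.1", "baseScore": 6.1}},
   {"type": "Primary",   "cvssData": {"version": "3.1", "baseScore": 7.5}}]}}
""")

V3_KEYS = ("cvssMetricV31", "cvssMetricV30")

def _base_score(entries):
    """Base score of the Primary entry, else the first entry; None if absent."""
    if not entries:
        return None
    primary = [e for e in entries if e.get("type") == "Primary"]
    return float((primary or entries)[0]["cvssData"]["baseScore"])

def effective_score(cve):
    """Return (score, source): v2 when present, otherwise v3 (assumed order)."""
    metrics = cve.get("metrics", {})
    v2 = _base_score(metrics.get("cvssMetricV2"))
    if v2 is not None:
        return v2, "CVSSv2"
    for key in V3_KEYS:
        v3 = _base_score(metrics.get(key))
        if v3 is not None:
            return v3, "CVSSv3"
    return None, "unscored"

def fails_build(cve, threshold):
    """True when the effective score meets or exceeds the threshold.
    Assumption: an entry with no score at all does not fail the build."""
    score, _ = effective_score(cve)
    return score is not None and score >= threshold

def explain(cve, threshold):
    """One-line triage summary showing which score drove the verdict."""
    score, source = effective_score(cve)
    verdict = "FAIL" if fails_build(cve, threshold) else "pass"
    return f"{cve['id']}: {source}={score} threshold={threshold} -> {verdict}"

if __name__ == "__main__":
    print(explain(SAMPLE, 7))
```
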