jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

Dependency Check build fail #6781

Open stevieg27 opened 3 days ago

stevieg27 commented 3 days ago

Describe the bug: Dependency Check CLI build fails even if the Base Score is HIGH when --failOnCVSS=9 is set, which should fail builds when there are critical issues. This happens, for example, with:

braces:3.0.2, an npm package, has CVE-2024-4068 with a base score of HIGH (7.5), and the same library has the same advisory from GitHub, GHSA-grv7-fg5c-xmjg.

The same happens with other libraries that have both a CVE and the same advisory from GitHub with a HIGH base score.

Version of dependency-check used: latest version

Expected behavior: Build should not fail on a HIGH base score when --failOnCVSS=9 is set.

aikebah commented 2 days ago

Most likely there is a textual base score of HIGH in a vulnerability source without a CVSSv2 or v3 score. These textual-only scores are evaluated as the top of the CVSS v2 HIGH range (6.9-10) to avoid a risk of under-scoring.

https://github.com/jeremylong/DependencyCheck/blob/95f4422e43b1d4738f78daf7ea6881fbf6e2057e/core/src/main/java/org/owasp/dependencycheck/utils/SeverityUtil.java#L66..L83
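As an added illustration (not DependencyCheck's own code) of why the GHSA record trips --failOnCVSS=9 even though the CVE scores 7.5: a Python model of the textual-severity fallback described above. The score precedence (v3, then v2, then a textual estimate) and the MEDIUM/LOW values are assumptions made for this example; only HIGH mapping to the top of the range (10.0) is stated on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mapping of textual-only severities to the top of the matching
# CVSS v2 range. The comment above states this for HIGH -> 10.0; the
# CRITICAL/MEDIUM/MODERATE/LOW values are assumptions for this example.
TEXTUAL_SEVERITY_TOP = {
    "CRITICAL": 10.0,
    "HIGH": 10.0,
    "MEDIUM": 6.9,
    "MODERATE": 6.9,
    "LOW": 3.9,
}

@dataclass
class Vulnerability:
    name: str                              # CVE or GHSA identifier
    cvss_v3: Optional[float] = None        # numeric CVSS v3 base score, if any
    cvss_v2: Optional[float] = None        # numeric CVSS v2 base score, if any
    severity_text: Optional[str] = None    # textual severity from the source

def effective_score(v: Vulnerability) -> Tuple[float, str]:
    """Return (score, origin): prefer v3, then v2, then estimate from text (assumed order)."""
    if v.cvss_v3 is not None:
        return v.cvss_v3, "cvssv3"
    if v.cvss_v2 is not None:
        return v.cvss_v2, "cvssv2"
    if v.severity_text:
        est = TEXTUAL_SEVERITY_TOP.get(v.severity_text.strip().upper())
        if est is not None:
            return est, "estimated-from-text"
    return 0.0, "unscored"

def build_should_fail(vulns: List[Vulnerability], fail_on_cvss: float):
    """List every (name, score, origin) at or above the threshold, so the
    finding that tripped the build and where its score came from are visible."""
    hits = []
    for v in vulns:
        score, origin = effective_score(v)
        if score >= fail_on_cvss:
            hits.append((v.name, score, origin))
    return hits

# Constructed sample for braces:3.0.2 as described in the issue: the CVE
# carries a numeric 7.5, the GitHub advisory carries only a textual HIGH.
BRACES_FINDINGS = [
    Vulnerability("CVE-2024-4068", cvss_v3=7.5),
    Vulnerability("GHSA-grv7-fg5c-xmjg", severity_text="HIGH"),
]

if __name__ == "__main__":
    for name, score, origin in build_should_fail(BRACES_FINDINGS, 9.0):
        print(f"{name}: {score} ({origin}) >= 9.0 -> build fails")
```

Listing the origin of each score is what tells you whether a threshold failure came from a real numeric CVSS value or from a textual estimate.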