Open supermaurio opened 1 year ago
The API endpoint at https://ossindex.sonatype.org/api/v3/component-report returns a CVSSv3.1 vector, but the library ossindex-service-client defaults to "CVSSv2" because it does not start with "CVSSv3.0":
https://github.com/sonatype/ossindex-public/blob/12b5be01359a00dece8caa866a76318ca37ae15f/api/src/main/java/org/sonatype/ossindex/service/api/cvss/CvssVectorFactory.java#L34-L37
This bug results in the following issue over at OWASP dependency check: https://github.com/jeremylong/DependencyCheck/issues/5598
Hi @supermaurio,
Thank you for bringing this to our attention, and apologies for the delayed response. A bug ticket has been filed, and we hope to address this very soon.
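The failure mode reported in this issue, as an added example that is not code from ossindex-public: a version check that recognises one exact prefix and treats everything else as CVSSv2, next to a version-aware check that rejects unknown input. The class and method names are hypothetical, and the `CVSS:3.0/` and `CVSS:3.1/` prefixes are assumed from the FIRST vector string format rather than taken from the linked source lines.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; names are hypothetical, not ossindex-service-client API. */
public class CvssVersionSniffer {
    // CVSS v3.x vector strings start with "CVSS:<major>.<minor>/" (FIRST specification).
    private static final Pattern PREFIXED = Pattern.compile("^CVSS:(\\d+)\\.(\\d+)/.+");
    // CVSS v2 vectors carry no prefix; "Au:" (Authentication) is a v2-only base metric.
    private static final Pattern V2_BASE =
        Pattern.compile("^AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC](/.*)?$");

    /** Models the behaviour described in the issue: one exact prefix, all else is v2. */
    static String detectByExactPrefix(String vector) {
        return vector.startsWith("CVSS:3.0/") ? "CVSSv3" : "CVSSv2";
    }

    /** Version-aware detection that fails loudly instead of defaulting to v2. */
    static String detect(String vector) {
        Matcher m = PREFIXED.matcher(vector);
        if (m.matches()) {
            return "CVSSv" + m.group(1) + "." + m.group(2);
        }
        if (V2_BASE.matcher(vector).matches()) {
            return "CVSSv2";
        }
        throw new IllegalArgumentException("Unrecognised CVSS vector: " + vector);
    }

    public static void main(String[] args) {
        // Constructed sample vectors, not taken from an OSS Index response.
        String[] samples = {
            "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "AV:N/AC:L/Au:N/C:P/I:P/A:P",
        };
        for (String v : samples) {
            System.out.printf("%-46s exact-prefix=%s version-aware=%s%n",
                v, detectByExactPrefix(v), detect(v));
        }
    }
}
```

The second sample is the case from the report: the exact-prefix check labels a 3.1 vector as CVSSv2, so a downstream scanner would interpret v3 metrics under the wrong scoring scheme.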