vaadin / appsec-kit


us.springett.cvss.MalformedVectorException comes with 3.2.2 #181

Closed dex-ds closed 3 months ago

dex-ds commented 3 months ago

CvssV2.class image image

Caused by: us.springett.cvss.MalformedVectorException: Unknown metric: CVSS
    at us.springett.cvss.CvssV2$Parser.parseVector(CvssV2.java:321)
    at us.springett.cvss.CvssV2$Parser.parseVector(CvssV2.java:246)
    at us.springett.cvss.Cvss.fromVector(Cvss.java:51)
    at com.vaadin.appsec.backend.AppSecDTOProvider.lambda$getHighestCvssScoreNumber$5(AppSecDTOProvider.java:354)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.base/java.util.stream.ReferencePipeline.reduce(ReferencePipeline.java:662)
    at java.base/java.util.stream.ReferencePipeline.max(ReferencePipeline.java:698)
    at com.vaadin.appsec.backend.AppSecDTOProvider.getHighestCvssScoreNumber(AppSecDTOProvider.java:357)
    at com.vaadin.appsec.backend.AppSecDTOProvider.findSeverityIfHigher(AppSecDTOProvider.java:333)
    at com.vaadin.appsec.backend.AppSecDTOProvider.updateVulnerabilityStatistics(AppSecDTOProvider.java:309)
    at com.vaadin.appsec.backend.AppSecDTOProvider.lambda$getDependencies$3(AppSecDTOProvider.java:104)
    at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
    at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1708)
    at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
    at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
    at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:575)
    at java.base/java.util.stream.AbstractPipeline.evaluateToArrayNode(AbstractPipeline.java:260)
    at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:616)
    at java.base/java.util.stream.ReferencePipeline.toArray(ReferencePipeline.java:622)
    at java.base/java.util.stream.ReferencePipeline.toList(ReferencePipeline.java:627)
    at com.vaadin.appsec.backend.AppSecDTOProvider.getDependencies(AppSecDTOProvider.java:107)
    at com.vaadin.appsec.backend.AppSecService.getDependencies(AppSecService.java:308)
    at com.vaadin.appsec.views.DependenciesView.configureSearchField(DependenciesView.java:189)
    at com.vaadin.appsec.views.DependenciesView.<init>(DependenciesView.java:70)
    at com.vaadin.appsec.views.AppSecView.buildTabSheet(AppSecView.java:124)
    at com.vaadin.appsec.views.AppSecView.buildLayout(AppSecView.java:75)
    at com.vaadin.appsec.views.AppSecView.<init>(AppSecView.java:59)

tamasmak commented 3 months ago

Thanks for reporting, we are checking the issue.

dex-ds commented 3 months ago

Sample with more detail (the advisory carries both a CVSS_V3 and a CVSS_V4 severity vector, each starting with a `CVSS:` prefix; the stack trace above shows a vector being rejected by the CvssV2 parser with "Unknown metric: CVSS"):

OpenSourceVulnerability{schemaVersion='1.6.0', id='GHSA-m5vv-6r4h-3vj9', modified=Mon Jul 08 17:00:15 CEST 2024, published=Tue Jun 11 20:30:50 CEST 2024, withdrawn=null, aliases=null,
severity=[
Severity{type=CVSS_V3, score='CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'},
Severity{type=CVSS_V4, score='CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}],
affected=[
Affected{aPackage=Package{ecosystem='PyPI', name='azure-identity', purl='pkg:pypi/azure-identity'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=0}}, Event{additionalProperties={fixed=1.16.1}}]}]},
Affected{aPackage=Package{ecosystem='npm', name='@azure/identity', purl='pkg:npm/%40azure/identity'}, ranges=[Range{type=SEMVER, repo='null', events=[Event{additionalProperties={introduced=0}}, Event{additionalProperties={fixed=4.2.1}}]}]},
Affected{aPackage=Package{ecosystem='Maven', name='com.azure:azure-identity', purl='pkg:maven/com.azure/azure-identity'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=0}}, Event{additionalProperties={fixed=1.12.2}}]}]},
Affected{aPackage=Package{ecosystem='npm', name='@azure/msal-node', purl='pkg:npm/%40azure/msal-node'}, ranges=[Range{type=SEMVER, repo='null', events=[Event{additionalProperties={introduced=2.7.0}}, Event{additionalProperties={fixed=2.9.2}}]}]},
Affected{aPackage=Package{ecosystem='NuGet', name='Microsoft.Identity.Client', purl='pkg:nuget/Microsoft.Identity.Client'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=4.49.1}}, Event{additionalProperties={fixed=4.60.4}}]}]},
Affected{aPackage=Package{ecosystem='Go', name='github.com/Azure/azure-sdk-for-go/sdk/azidentity', purl='pkg:golang/github.com/Azure/azure-sdk-for-go/sdk/azidentity'}, ranges=[Range{type=SEMVER, repo='null', events=[Event{additionalProperties={introduced=0}}, Event{additionalProperties={fixed=1.6.0}}]}]},
Affected{aPackage=Package{ecosystem='Maven', name='com.microsoft.azure:msal4j', purl='pkg:maven/com.microsoft.azure/msal4j'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=1.14.4-beta}}, Event{additionalProperties={fixed=1.15.1}}]}]},
Affected{aPackage=Package{ecosystem='NuGet', name='Azure.Identity', purl='pkg:nuget/Azure.Identity'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=0}}, Event{additionalProperties={fixed=1.11.4}}]}]},
Affected{aPackage=Package{ecosystem='NuGet', name='Microsoft.Identity.Client', purl='pkg:nuget/Microsoft.Identity.Client'}, ranges=[Range{type=ECOSYSTEM, repo='null', events=[Event{additionalProperties={introduced=4.61.0}}, Event{additionalProperties={fixed=4.61.3}}]}]}]}

tamasmak commented 3 months ago

@dex-ds The 3.2.3 release contains the fix for this issue.