updated bundle audit score to be more accurate

2026-03-25 02:21:28 +01:00 · 2016-05-01 15:39:12 -04:00
parent d0ca800a23
commit 7a2e1fd221
1 changed files with 16 additions and 16 deletions
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -314,23 +314,23 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
        if (null != vulnerability) {
            final String criticality = nextLine.substring(CRITICALITY.length()).trim();
-            if ("High".equals(criticality)) {
+            float score = -1.0f;
-                vulnerability.setCvssScore(8.5f);
+            Vulnerability v = null;
            } else if ("Medium".equals(criticality)) {
                vulnerability.setCvssScore(5.5f);
            } else if ("Low".equals(criticality)) {
                vulnerability.setCvssScore(2.0f);
            } else {
            try {
-                    //TODO wouldn't we want to do this for all items from bundle-audit? This
+                v = cvedb.getVulnerability(vulnerability.getName());
                    //should give a more correct CVSS
                     Vulnerability v = cvedb.getVulnerability(vulnerability.getName());
                     vulnerability.setCvssScore(v.getCvssScore());
            } catch (DatabaseException ex) {
-                    vulnerability.setCvssScore(-1.0f);
+                LOGGER.debug("Unable to look up vulnerability {}", vulnerability.getName());
                    LOGGER.debug("Unable to look up vulnerability {}",vulnerability.getName());
            }
            if (v != null) {
                score = v.getCvssScore();
            } else if ("High".equalsIgnoreCase(criticality)) {
                score = 8.5f;
            } else if ("Medium".equalsIgnoreCase(criticality)) {
                score = 5.5f;
            } else if ("Low".equalsIgnoreCase(criticality)) {
                score = 2.0f;
            }
            vulnerability.setCvssScore(score);
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }