Merge pull request #3595 from LaVibeX/VulnDbSeverity

Vuln db severity

src/main/java/org/dependencytrack/parser/vulndb/ModelConverter.java

@@ -30,7 +30,6 @@
 import org.dependencytrack.parser.vulndb.model.ExternalReference;
 import org.dependencytrack.persistence.QueryManager;
 import org.dependencytrack.util.VulnerabilityUtil;
-
 import us.springett.cvss.CvssV2;
 import us.springett.cvss.CvssV3;
 import us.springett.cvss.Score;
@@ -167,6 +166,13 @@ public static Vulnerability convert(final QueryManager qm, final org.dependencyt
  break; // Always prefer use of the NVD scoring, if available
  }
  }
+ vuln.setSeverity(VulnerabilityUtil.getSeverity(
+ vuln.getCvssV2BaseScore(),
+ vuln.getCvssV3BaseScore(),
+ vuln.getOwaspRRLikelihoodScore(),
+ vuln.getOwaspRRTechnicalImpactScore(),
+ vuln.getOwaspRRBusinessImpactScore()
+ ));
 
  if (vulnDbVuln.nvdAdditionalInfo() != null) {
  final String cweString = vulnDbVuln.nvdAdditionalInfo().cweId();

src/main/java/org/dependencytrack/tasks/metrics/ComponentMetricsUpdateTask.java

@@ -97,12 +97,17 @@ static Counters updateMetrics(final UUID uuid) throws Exception {
 
  counters.vulnerabilities++;
 
- switch (vulnerability.getSeverity()) {
- case CRITICAL -> counters.critical++;
- case HIGH -> counters.high++;
- case MEDIUM -> counters.medium++;
- case LOW, INFO -> counters.low++;
- case UNASSIGNED -> counters.unassigned++;
+ if (vulnerability.getSeverity() == null) {
+ LOGGER.warn("Vulnerability severity is " + vulnerability.getSeverity()+ " null for " + vulnerability.getSource() + "|" + vulnerability.getVulnId());
+ }
+ else {
+ switch (vulnerability.getSeverity()) {
+ case CRITICAL -> counters.critical++;
+ case HIGH -> counters.high++;
+ case MEDIUM -> counters.medium++;
+ case LOW, INFO -> counters.low++;
+ case UNASSIGNED -> counters.unassigned++;
+ }
  }
  }