cvss4: model + parsers

Author: valentijnscholten

dojo/db_migrations/0234_finding_cvssv4_finding_cvssv4_score.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.1.8 on 2025-07-06 07:25
+
+import django.core.validators
+import dojo.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('dojo', '0233_remove_test_actual_time_remove_test_estimated_time'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='finding',
+            name='cvssv4',
+            field=models.TextField(help_text='Common Vulnerability Scoring System version 4 (CVSSv4) score associated with this finding.', max_length=117, null=True, validators=[dojo.validators.cvss4_validator], verbose_name='CVSS v4 vector'),
+        ),
+        migrations.AddField(
+            model_name='finding',
+            name='cvssv4_score',
+            field=models.FloatField(blank=True, help_text='Numerical CVSSv4 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10.', null=True, validators=[django.core.validators.MinValueValidator(0.0), django.core.validators.MaxValueValidator(10.0)], verbose_name='CVSSv4 score'),
+        ),
+    ]

dojo/models.py

@@ -43,7 +43,7 @@
 from tagulous.models import TagField
 from tagulous.models.managers import FakeTagRelatedManager
 
-from dojo.validators import cvss3_validator
+from dojo.validators import cvss3_validator, cvss4_validator
 
 logger = logging.getLogger(__name__)
 deduplicationLogger = logging.getLogger("dojo.specific-loggers.deduplication")
@@ -2356,6 +2356,17 @@ class Finding(models.Model):
                                         help_text=_("Numerical CVSSv3 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10."),
                                         validators=[MinValueValidator(0.0), MaxValueValidator(10.0)])
 
+    cvssv4 = models.TextField(validators=[cvss4_validator],
+                              max_length=117,
+                              null=True,
+                              verbose_name=_("CVSS v4 vector"),
+                              help_text=_("Common Vulnerability Scoring System version 4 (CVSSv4) score associated with this finding."))
+    cvssv4_score = models.FloatField(null=True,
+                                        blank=True,
+                                        verbose_name=_("CVSSv4 score"),
+                                        help_text=_("Numerical CVSSv4 score for the vulnerability. If the vector is given, the score is updated while saving the finding. The value must be between 0-10."),
+                                        validators=[MinValueValidator(0.0), MaxValueValidator(10.0)])
+
     url = models.TextField(null=True,
                            blank=True,
                            editable=False,
@@ -2712,20 +2723,34 @@ def save(self, dedupe_option=True, rules_option=True, product_grading_option=Tru
         self.numerical_severity = Finding.get_numerical_severity(self.severity)
 
         # Synchronize cvssv3 score using cvssv3 vector
+
         if self.cvssv3:
             try:
-
                 cvss_data = parse_cvss_data(self.cvssv3)
                 if cvss_data:
-                    self.cvssv3 = cvss_data.get("vector")
-                    self.cvssv3_score = cvss_data.get("score")
+                    self.cvssv3 = cvss_data.get("cvssv3")
+                    if not self.cvssv3_score:
+                        self.cvssv3_score = cvss_data.get("cvssv3_score")
 
             except Exception as ex:
                 logger.warning("Can't compute cvssv3 score for finding id %i. Invalid cvssv3 vector found: '%s'. Exception: %s.", self.id, self.cvssv3, ex)
                 # remove invalid cvssv3 vector for new findings, or should we just throw a ValidationError?
                 if self.pk is None:
                     self.cvssv3 = None
 
+        # behaviour for CVVS4 is slightly different. Extracting thsi into a method would lead to probabl hard to read code
+        if self.cvssv4:
+            try:
+                cvss_data = parse_cvss_data(self.cvssv4)
+                if cvss_data:
+                    self.cvssv4 = cvss_data.get("cvssv4_vector")
+                    if not self.cvssv4_score:
+                        self.cvssv4_score = cvss_data.get("cvssv4_score")
+
+            except Exception as ex:
+                logger.warning("Can't compute cvssv4 score for finding id %i. Invalid cvssv4 vector found: '%s'. Exception: %s.", self.id, self.cvssv4, ex)
+                self.cvssv4 = None
+
         self.set_hash_code(dedupe_option)
 
         if self.pk is None:

dojo/tools/appcheck_web_application_scanner/engines/base.py

@@ -307,6 +307,7 @@ def set_endpoints(self, finding: Finding, item: Any) -> None:
     #####
     def parse_cvss_vector(self, value: str) -> str | None:
         # CVSS4 vectors don't parse with the handy-danty parse method :(
+        # TODO: This needs a rewrite to use dojo.utils.parse_cvss_data
         try:
             if (severity := cvss.CVSS4(value).severity) in Finding.SEVERITIES:
                 return severity

dojo/tools/aqua/parser.py

@@ -226,8 +226,8 @@ def get_item(self, resource, vuln, test):
 
         cvss_data = parse_cvss_data(cvssv3)
         if cvss_data:
-            finding.cvssv3 = cvss_data.get("vector")
-            finding.cvssv3_score = cvss_data.get("score")
+            finding.cvssv3 = cvss_data.get("cvssv3")
+            finding.cvssv3_score = cvss_data.get("cvssv3_score")
 
         if vulnerability_id != "No CVE":
             finding.unsaved_vulnerability_ids = [vulnerability_id]

dojo/tools/auditjs/parser.py

@@ -1,49 +1,13 @@
 import json
+import logging
 import re
 from json.decoder import JSONDecodeError
 
 # import cvss.parser
-from cvss import CVSS2, CVSS3, CVSS4, CVSSError
-
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
-
-# TEMPORARY: Local implementation until the upstream PR is merged & released: https://github.com/RedHatProductSecurity/cvss/pull/75
-def parse_cvss_from_text(text):
-    """
-    Parses CVSS2, CVSS3, and CVSS4 vectors from arbitrary text and returns a list of CVSS objects.
-
-    Parses text for substrings that look similar to CVSS vector
-    and feeds these matches to CVSS constructor.
-
-    Args:
-        text (str): arbitrary text
-
-    Returns:
-        A list of CVSS objects.
-
-    """
-    # Looks for substrings that resemble CVSS2, CVSS3, or CVSS4 vectors.
-    # CVSS3 and CVSS4 vectors start with a 'CVSS:x.x/' prefix and are matched by the optional non-capturing group.
-    # CVSS2 vectors do not include a prefix and are matched by raw vector pattern only.
-    # Minimum total match length is 26 characters to reduce false positives.
-    matches = re.compile(r"(?:CVSS:[3-4]\.\d/)?[A-Za-z:/]{26,}").findall(text)
-
-    cvsss = set()
-    for match in matches:
-        try:
-            if match.startswith("CVSS:4."):
-                cvss = CVSS4(match)
-            elif match.startswith("CVSS:3."):
-                cvss = CVSS3(match)
-            else:
-                cvss = CVSS2(match)
-
-            cvsss.add(cvss)
-        except (CVSSError, KeyError):
-            pass
-
-    return list(cvsss)
+logger = logging.getLogger(__name__)
 
 
 class AuditJSParser:
@@ -107,7 +71,13 @@ def get_findings(self, filename, test):
                     ) = (
                         cvss_score
                     ) = (
-                        cvss_vector
+                        cvssv3
+                    ) = (
+                        cvssv4
+                    ) = (
+                        cvssv3_score
+                    ) = (
+                        cvssv4_score
                     ) = vulnerability_id = cwe = references = severity = None
                     # Check mandatory
                     if (
@@ -127,38 +97,20 @@ def get_findings(self, filename, test):
                         raise ValueError(msg)
                     if "cvssScore" in vulnerability:
                         cvss_score = vulnerability["cvssScore"]
-                    if "cvssVector" in vulnerability:
-                        cvss_vectors = parse_cvss_from_text(
-                            vulnerability["cvssVector"],
-                        )
-
-                        if len(cvss_vectors) > 0:
-                            vector_obj = cvss_vectors[0]
-
-                            if isinstance(vector_obj, CVSS4):
-                                description += "\nCVSS V4 Vector:" + vector_obj.clean_vector()
-                                severity = vector_obj.severities()[0]
-
-                            elif isinstance(vector_obj, CVSS3):
-                                cvss_vector = vector_obj.clean_vector()
-                                severity = vector_obj.severities()[0]
-
-                            elif isinstance(vector_obj, CVSS2):
-                                description += "\nCVSS V2 Vector:" + vector_obj.clean_vector()
-                                severity = vector_obj.severities()[0]
-
-                            else:
-                                msg = "Unsupported CVSS version detected in parser."
-                                raise ValueError(msg)
-                        else:
-                            # Explicitly raise an error if no CVSS vectors are found,
-                            # to avoid 'NoneType' errors during severity processing later.
-                            msg = "No CVSS vectors found. Please check that parse_cvss_from_text() correctly parses the provided cvssVector."
-                            raise ValueError(msg)
+                    cvss_data = parse_cvss_data(vulnerability.get("cvssVector"))
+                    if cvss_data:
+                        severity = cvss_data["severity"]
+                        cvssv3 = cvss_data["cvssv3"]
+                        cvssv4 = cvss_data["cvssv4"]
+                        # The score in the report can be different from what the cvss library calulates
+                        if cvss_data["major_version"] == 2:
+                            description += "\nCVSS V2 Vector:" + cvss_data["cvssv2"]
+                        if cvss_data["major_version"] == 3:
+                            cvssv3_score = cvss_score
+                        if cvss_data["major_version"] == 4:
+                            cvssv4_score = cvss_score
                     else:
-                        # If there is no vector, calculate severity based on
-                        # score and CVSS V3 (AuditJS does not always include
-                        # it)
+                        # If there is no vector, calculate severity based on CVSS score
                         severity = self.get_severity(cvss_score)
                     if "cve" in vulnerability:
                         vulnerability_id = vulnerability["cve"]
@@ -169,10 +121,12 @@ def get_findings(self, filename, test):
                         title=title,
                         test=test,
                         cwe=cwe,
-                        cvssv3=cvss_vector,
-                        cvssv3_score=cvss_score,
                         description=description,
                         severity=severity,
+                        cvssv3=cvssv3,
+                        cvssv3_score=cvssv3_score,
+                        cvssv4=cvssv4,
+                        cvssv4_score=cvssv4_score,
                         references=references,
                         file_path=file_path,
                         component_name=component_name,
@@ -181,6 +135,9 @@ def get_findings(self, filename, test):
                         dynamic_finding=False,
                         unique_id_from_tool=unique_id_from_tool,
                     )
+                    logger.debug("Finding fields:")
+                    for field, value in finding.__dict__.items():
+                        logger.debug("  %s: %r", field, value)
                     if vulnerability_id:
                         finding.unsaved_vulnerability_ids = [vulnerability_id]
 

dojo/tools/jfrog_xray_unified/parser.py

@@ -142,8 +142,8 @@ def get_item(vulnerability, test):
 
     cvss_data = parse_cvss_data(cvssv3)
     if cvss_data:
-        finding.cvssv3 = cvss_data.get("vector")
-        finding.cvssv3_score = cvss_data.get("score")
+        finding.cvssv3 = cvss_data.get("cvssv3")
+        finding.cvssv3_score = cvss_data.get("cvssv3_score")
 
     if vulnerability_id:
         finding.unsaved_vulnerability_ids = [vulnerability_id]

dojo/tools/npm_audit_7_plus/parser.py

@@ -169,8 +169,8 @@ def get_item(item_node, tree, test):
     if (cvssv3 is not None) and (len(cvssv3) > 0):
         cvss_data = parse_cvss_data(cvssv3)
         if cvss_data:
-            dojo_finding.cvssv3 = cvss_data.get("vector")
-            dojo_finding.cvssv3_score = cvss_data.get("score")
+            dojo_finding.cvssv3 = cvss_data.get("cvssv3")
+            dojo_finding.cvssv3_score = cvss_data.get("cvssv3_score")
 
     return dojo_finding
 

dojo/tools/ptart/assessment_parser.py

@@ -1,5 +1,6 @@
 import dojo.tools.ptart.ptart_parser_tools as ptart_tools
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 
 class PTARTAssessmentParser:
@@ -43,10 +44,18 @@ def get_finding(self, assessment, hit):
             finding.vuln_id_from_tool = hit.get("id")
             finding.cve = hit.get("id")
 
-        # Clean up and parse the CVSS vector
-        cvss_vector = ptart_tools.parse_cvss_vector(hit, self.cvss_type)
+        cvss_vector = hit.get("cvss_vector", None)
+        cvss_score = hit.get("cvss_score", None)
         if cvss_vector:
-            finding.cvssv3 = cvss_vector
+            cvss_data = parse_cvss_data(cvss_vector)
+            if cvss_data:
+                finding.cvssv3 = cvss_data["cvssv3"]
+                finding.cvssv4 = cvss_data["cvssv4"]
+                # The score in the report can be different from what the cvss library calulates
+                if cvss_data["major_version"] == 3:
+                    finding.cvssv3_score = cvss_score
+                if cvss_data["major_version"] == 4:
+                    finding.cvssv4_score = cvss_score
 
         if "labels" in hit:
             finding.unsaved_tags = hit["labels"]

dojo/tools/ptart/ptart_parser_tools.py

@@ -62,6 +62,7 @@ def parse_cvss_vector(hit, cvss_type):
                 return c.clean_vector()
             except cvss.CVSS3Error:
                 return None
+
     return None
 
 

dojo/tools/ptart/retest_parser.py

@@ -1,5 +1,6 @@
 import dojo.tools.ptart.ptart_parser_tools as ptart_tools
 from dojo.models import Finding
+from dojo.utils import parse_cvss_data
 
 
 def generate_retest_hit_title(hit, original_hit):
@@ -16,13 +17,8 @@ def generate_retest_hit_title(hit, original_hit):
 
 
 class PTARTRetestParser:
-    def __init__(self):
-        self.cvss_type = None
-
     def get_test_data(self, tree):
-        self.cvss_type = None
         if "retests" in tree:
-            self.cvss_type = tree.get("cvss_type", None)
             retests = tree["retests"]
         else:
             return []
@@ -82,12 +78,18 @@ def get_finding(self, retest, hit):
             finding.vuln_id_from_tool = original_hit.get("id")
             finding.cve = original_hit.get("id")
 
-        cvss_vector = ptart_tools.parse_cvss_vector(
-            original_hit,
-            self.cvss_type,
-        )
+        cvss_vector = original_hit.get("cvss_vector", None)
+        cvss_score = original_hit.get("cvss_score", None)
         if cvss_vector:
-            finding.cvssv3 = cvss_vector
+            cvss_data = parse_cvss_data(cvss_vector)
+            if cvss_data:
+                finding.cvssv3 = cvss_data["cvssv3"]
+                finding.cvssv4 = cvss_data["cvssv4"]
+                # The score in the report can be different from what the cvss library calulates
+                if cvss_data["major_version"] == 3:
+                    finding.cvssv3_score = cvss_score
+                if cvss_data["major_version"] == 4:
+                    finding.cvssv4_score = cvss_score
 
         if "labels" in original_hit:
             finding.unsaved_tags = original_hit["labels"]