OSSIndexAnalyzer cannot parse CVSSv4 data from vector string with non-default Provider Urgency Type #8376

@chadlwilson

Description

Precondition

  • I checked the issues list for existing open or closed reports of the same problem.

Describe the bug
As noted at jeremylong/open-vulnerability-clients#100 (comment), ODC cannot parse CVSSv4 vector strings when the Provider Urgency Type is set to Clear|Green|Amber|Red per the spec, e.g. CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/S:N/AU:Y/R:A/V:D/RE:L/U:Amber

Version of dependency-check used
12.2.0

Log file

13:35:18  Failed to fetch component-report for: pkg:maven/com.vaadin/flow-server@23.2.1
13:35:18  java.lang.IllegalArgumentException: Amber
13:35:18  	at io.github.jeremylong.openvulnerability.client.nvd.CvssV4Data$ProviderUrgencyType.fromValue(CvssV4Data.java:2047)
13:35:18  	at org.owasp.dependencycheck.utils.CvssUtil.vectorToCvssV4(CvssUtil.java:301)
13:35:18  	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.transform(OssIndexAnalyzer.java:345)
13:35:18  	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.lambda$enrich$4(OssIndexAnalyzer.java:287)
13:35:18  	at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
13:35:18  	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
13:35:18  	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509)
13:35:18  	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
13:35:18  	at java.base/java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:150)
13:35:18  	at java.base/java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:173)
13:35:18  	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
13:35:18  	at java.base/java.util.stream.ReferencePipeline.forEachOrdered(ReferencePipeline.java:601)
13:35:18  	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.enrich(OssIndexAnalyzer.java:288)
13:35:18  	at org.owasp.dependencycheck.analyzer.OssIndexAnalyzer.analyzeDependency(OssIndexAnalyzer.java:196)
13:35:18  	at org.owasp.dependencycheck.analyzer.AbstractAnalyzer.analyze(AbstractAnalyzer.java:131)
13:35:18  	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:88)
13:35:18  	at org.owasp.dependencycheck.AnalysisTask.call(AnalysisTask.java:37)
13:35:18  	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
13:35:18  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
13:35:18  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
13:35:18  	at java.base/java.lang.Thread.run(Thread.java:840)

To Reproduce

  1. Create a Java/maven project containing com.vaadin:flow-server:23.2.1
  2. Enable OSSIndex scanning with OSSIndex credentials
  3. Scan

Expected behavior
Should be able to parse and highlight CVE-2026-2742.

https://ossindex.sonatype.org/vulnerability/CVE-2026-2742?component-type=maven&component-name=com.vaadin/flow-server (login required)
GHSA-rjgh-wgc7-m37j

Additional context
See jeremylong/open-vulnerability-clients#100 (comment) for the root cause, as raised by @thomasredlin.

Raising this as a tracking issue, as ODC will need to update open-vulnerability-clients after jeremylong/open-vulnerability-clients#101 or a similar fix is merged.
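For readers following the root cause: the parser rejects the vector because the Provider Urgency (U) metric takes the words X, Clear, Green, Amber and Red rather than a single letter. The following is an added example (not dependency-check or open-vulnerability-clients code) of a strict CVSS v4.0 vector parser that accepts those values and reports the offending metric on a defect; its allowed-value tables cover the base and supplemental metric groups only and are the example's own assumption.

```python
# Allowed values per CVSS v4.0 for the base and supplemental metric groups.
# Base metrics are mandatory; supplemental metrics default to "X" (Not Defined).
# Threat and environmental metrics are out of scope for this example.
BASE_METRICS = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}
SUPPLEMENTAL_METRICS = {
    "S": {"X", "N", "P"}, "AU": {"X", "N", "Y"}, "R": {"X", "A", "U", "I"},
    "V": {"X", "D", "C"}, "RE": {"X", "L", "M", "H"},
    # Provider Urgency is spelled out in full, not abbreviated to one letter.
    "U": {"X", "Clear", "Green", "Amber", "Red"},
}
ALLOWED = {**BASE_METRICS, **SUPPLEMENTAL_METRICS}


def parse_cvss4_vector(vector: str) -> dict:
    """Parse a CVSS:4.0 vector string into a {metric: value} dict.

    Raises ValueError naming the metric and value on any defect, rather than
    surfacing only the bare value (as the logged IllegalArgumentException does).
    """
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:4.0" or not body:
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in ALLOWED:
            raise ValueError(f"unknown metric segment {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        if value not in ALLOWED[name]:
            raise ValueError(f"metric {name}: invalid value {value!r}, "
                             f"expected one of {sorted(ALLOWED[name])}")
        metrics[name] = value
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    for name in SUPPLEMENTAL_METRICS:  # fill optional metrics with Not Defined
        metrics.setdefault(name, "X")
    return metrics


# Constructed sample input: the vector string quoted in the issue above.
SAMPLE = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L"
          "/S:N/AU:Y/R:A/V:D/RE:L/U:Amber")

if __name__ == "__main__":
    print(parse_cvss4_vector(SAMPLE)["U"])  # Amber
```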

Labels: bug, ossindex (label for issues that relate to the OSSIndex API)