Description
CVSS v4 ratings missing from CycloneDX vulnerability output
Steps to Reproduce
- Create a
pom.xml with a dependency on com.fasterxml.jackson.core:jackson-core:2.18.5
- Run
trivy filesystem . --scanners vuln --format json — CVSS v4 score is present
- Run
trivy filesystem . --scanners vuln --format cyclonedx — ratings is empty
Actual Behavior
"vulnerabilities": [
{
"id": "GHSA-72hv-8253-57qq",
"ratings": [],
...
}
]
Expected Behavior
"vulnerabilities": [
{
"id": "GHSA-72hv-8253-57qq",
"ratings": [
{
"source": { "name": "ghsa" },
"score": 8.7,
"method": "CVSSv4",
"severity": "high",
"vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
}
],
...
}
]
Root Cause
The ratings() method in pkg/sbom/cyclonedx/marshal.go handles CVSS v2 and v3, but does not handle CVSS v4:
if cvss, ok := vuln.CVSS[sourceID]; ok {
if cvss.V2Score != 0 || cvss.V2Vector != "" {
rates = append(rates, m.ratingV2(sourceID, severity, cvss))
}
if cvss.V3Score != 0 || cvss.V3Vector != "" {
rates = append(rates, m.ratingV3(sourceID, severity, cvss))
}
// V40Score / V40Vector are never checked → ratings stays empty
}
When a vulnerability has only V40Score/V40Vector, the if cvss, ok branch is entered (CVSS entry exists), but neither the v2 nor the v3 condition is satisfied, and the else fallback (severity-only rating) is never reached. Result:
ratings: [].
Both prerequisites for a fix are already in place:
trivy-db CVSS struct already has V40Score and V40Vector fields
cyclonedx-go v0.10.0 already defines ScoringMethodCVSSv4 = "CVSSv4", which is supported in CycloneDX spec 1.5+ (Trivy defaults to 1.6)
Related discussion:
Description
CVSS v4 ratings missing from CycloneDX vulnerability output
Steps to Reproduce
pom.xmlwith a dependency oncom.fasterxml.jackson.core:jackson-core:2.18.5trivy filesystem . --scanners vuln --format json— CVSS v4 score is presenttrivy filesystem . --scanners vuln --format cyclonedx—ratingsis emptyActual Behavior
Expected Behavior
Root Cause
The
ratings()method inpkg/sbom/cyclonedx/marshal.gohandles CVSS v2 and v3, but does not handle CVSS v4:When a vulnerability has only
V40Score/V40Vector, theif cvss, okbranch is entered (CVSS entry exists), but neither the v2 nor the v3 condition is satisfied, and theelsefallback (severity-only rating) is never reached. Result:ratings: [].Both prerequisites for a fix are already in place:
trivy-dbCVSSstruct already hasV40ScoreandV40Vectorfieldscyclonedx-go v0.10.0already definesScoringMethodCVSSv4 = "CVSSv4", which is supported in CycloneDX spec 1.5+ (Trivy defaults to 1.6)Related discussion: