fix(osv): Improve error handling a bit
In particular, do not throw on CVSS version 4 vectors.

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth committed Sep 13, 2024
1 parent 8a334fc commit ed3661d
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions plugins/advisors/osv/src/main/kotlin/Osv.kt
Expand Up @@ -194,13 +194,20 @@ private fun Vulnerability.toOrtVulnerability(): org.ossreviewtoolkit.model.vulne
val url = reference.url.trim().let { if (it.startsWith("://")) "https$it" else it }

url.toUri().onFailure {
logger.debug { "Could not parse reference URL for vulnerability '$id': ${it.message}." }
logger.debug { "Could not parse reference URL for vulnerability '$id': ${it.collectMessages()}." }
}.map {
// Use the 'severity' property of the unspecified 'databaseSpecific' object.
// See also https://github.com/google/osv.dev/issues/484.
val specificSeverity = databaseSpecific?.get("severity")

val baseScore = Cvss.fromVector(severity)?.calculateScore()?.baseScore?.toFloat()
// Note that the CVSS Calculator does not support CVSS 4.0 yet:
// https://github.com/stevespringett/cvss-calculator/issues/78
val baseScore = runCatching {
Cvss.fromVector(severity)?.calculateScore()?.baseScore?.toFloat()
}.onFailure {
logger.debug { "Unable to parse CVSS vector '$severity': ${it.collectMessages()}." }
}.getOrNull()

val severityRating = (specificSeverity as? JsonPrimitive)?.contentOrNull
?: VulnerabilityReference.getSeverityRating(scoringSystem, baseScore)
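Review bot: The `runCatching` around the new baseScore computation catches every Throwable, not only the parse failure for an unsupported CVSS 4.0 vector that the commit message targets, so an Error or a genuine bug in the calculator is also reduced to a debug log and a null score. The visible consequence is a vulnerability whose `severityRating` is derived from `getSeverityRating(scoringSystem, baseScore)` with no score at all, and at the default log level nothing records that the score was dropped. Consider raising the log level so operators can see which advisories lose their score, `logger.warn { "Unable to parse CVSS vector '$severity': ${it.collectMessages()}." }`, or handling the known case up front (a vector string starting with the CVSS 4.0 prefix, if that is indeed what the calculator rejects) so that unexpected exceptions still surface; if this code ever runs inside a coroutine, the same catch would also swallow CancellationException. toOrtVulnerability begins at the hunk header and its body continues past the end of the hunk.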

