Fix CVSS and OWASP RR vectors missing from `PROJECT_VULN_ANALYSIS_COM…

…PLETE` notifications (#699)
DependencyTrack · Jun 7, 2024 · fd1fd6f · fd1fd6f
1 parent 5580c72
commit fd1fd6f
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java b/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java
@@ -111,7 +111,7 @@ public interface NotificationSubjectDao extends SqlObject {
               CASE
                 WHEN "A"."SEVERITY" IS NOT NULL THEN "A"."CVSSV3VECTOR"
                 ELSE "V"."CVSSV3VECTOR"
-              END                              AS "vulnCvssV3Vector",              
+              END                              AS "vulnCvssV3Vector",
               -- TODO: Analysis only has a single score, but OWASP RR defines multiple.
               --  How to handle this?
               CASE
@@ -344,7 +344,7 @@ LEFT JOIN LATERAL (
               END                              AS "vulnCvssV2Vector",
               CASE
                 WHEN "A"."SEVERITY" IS NOT NULL THEN "A"."CVSSV3VECTOR"
-                ELSE "V"."CVSSV3VECTOR"        
+                ELSE "V"."CVSSV3VECTOR"
               END                              AS "vulnCvssV3Vector",
               -- TODO: Analysis only has a single score, but OWASP RR defines multiple.
               --  How to handle this?
@@ -493,6 +493,14 @@ default Optional<ProjectVulnAnalysisCompleteSubject> getForProjectVulnAnalysisCo
                                     THEN "A"."CVSSV3SCORE"
                                     ELSE "V"."CVSSV3BASESCORE"
                                END AS "vulnCvssV3BaseScore"
+                             , CASE WHEN "A"."SEVERITY" IS NOT NULL
+                                    THEN "A"."CVSSV2VECTOR"
+                                    ELSE "V"."CVSSV2VECTOR"
+                               END AS "vulnCvssV2Vector"
+                             , CASE WHEN "A"."SEVERITY" IS NOT NULL
+                                    THEN "A"."CVSSV3VECTOR"
+                                    ELSE "V"."CVSSV3VECTOR"
+                               END AS "vulnCvssV3Vector"
                               -- TODO: Analysis only has a single score, but OWASP RR defines multiple.
                               --  How to handle this?
                              , CASE WHEN "A"."SEVERITY" IS NOT NULL
@@ -507,6 +515,10 @@ default Optional<ProjectVulnAnalysisCompleteSubject> getForProjectVulnAnalysisCo
                                     THEN "A"."OWASPSCORE"
                                     ELSE "V"."OWASPRRTECHNICALIMPACTSCORE"
                                END AS "vulnOwaspRrTechnicalImpactScore"
+                             , CASE WHEN "A"."SEVERITY" IS NOT NULL
+                                    THEN "A"."OWASPVECTOR"
+                                    ELSE "V"."OWASPRRVECTOR"
+                               END AS "vulnOwaspRrVector"
                              , "CALC_SEVERITY"("V"."SEVERITY", "A"."SEVERITY", "V"."CVSSV3BASESCORE", "V"."CVSSV2BASESCORE") AS "vulnSeverity"
                              , STRING_TO_ARRAY("V"."CWES", ',') AS "vulnCwes"
                              , "vulnAliasesJson"