From fd1fd6f2d3eac9b73f125401c3dbb254e467de01 Mon Sep 17 00:00:00 2001
From: Niklas
Date: Fri, 7 Jun 2024 12:21:41 +0200
Subject: [PATCH] Fix CVSS and OWASP RR vectors missing from `PROJECT_VULN_ANALYSIS_COMPLETE` notifications (#699)
---
 .../persistence/jdbi/NotificationSubjectDao.java | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java b/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java
index 234dcdf0a..56f08d9a8 100644
--- a/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java
+++ b/src/main/java/org/dependencytrack/persistence/jdbi/NotificationSubjectDao.java
@@ -111,7 +111,7 @@ public interface NotificationSubjectDao extends SqlObject { CASE WHEN "A"."SEVERITY" IS NOT NULL THEN "A"."CVSSV3VECTOR" ELSE "V"."CVSSV3VECTOR" - END AS "vulnCvssV3Vector", + END AS "vulnCvssV3Vector", -- TODO: Analysis only has a single score, but OWASP RR defines multiple. -- How to handle this? CASE
@@ -344,7 +344,7 @@ LEFT JOIN LATERAL ( END AS "vulnCvssV2Vector", CASE WHEN "A"."SEVERITY" IS NOT NULL THEN "A"."CVSSV3VECTOR" - ELSE "V"."CVSSV3VECTOR" + ELSE "V"."CVSSV3VECTOR" END AS "vulnCvssV3Vector", -- TODO: Analysis only has a single score, but OWASP RR defines multiple. -- How to handle this?
@@ -493,6 +493,14 @@ default Optional getForProjectVulnAnalysisCo
 THEN "A"."CVSSV3SCORE"
 ELSE "V"."CVSSV3BASESCORE"
 END AS "vulnCvssV3BaseScore"
+ , CASE WHEN "A"."SEVERITY" IS NOT NULL
+ THEN "A"."CVSSV2VECTOR"
+ ELSE "V"."CVSSV2VECTOR"
+ END AS "vulnCvssV2Vector"
+ , CASE WHEN "A"."SEVERITY" IS NOT NULL
+ THEN "A"."CVSSV3VECTOR"
+ ELSE "V"."CVSSV3VECTOR"
+ END AS "vulnCvssV3Vector"
 -- TODO: Analysis only has a single score, but OWASP RR defines multiple.
 -- How to handle this?
 , CASE WHEN "A"."SEVERITY" IS NOT NULL
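Review bot: The two vector projections added after `"vulnCvssV3BaseScore"` are a third hand-written copy of the `CASE WHEN "A"."SEVERITY" IS NOT NULL ...` expressions that the hunks at -111 and -344 show in the other two queries, and nothing in this patch stops the three column lists from drifting apart again. The diffstat lists only NotificationSubjectDao.java, so a regression test asserting that the `PROJECT_VULN_ANALYSIS_COMPLETE` subject carries `vulnCvssV2Vector` and `vulnCvssV3Vector` would be worth adding with this fix. The fallback is also keyed on `"A"."SEVERITY"` rather than on the analysis vector itself, so an analysis that sets a severity but no vector yields NULL even when the vulnerability record has one. If that is intended, a SQL comment such as `-- Analysis overrides are all-or-nothing: once A.SEVERITY is set, V's vectors are not used` would say so. The enclosing query and method start and end outside the hunk.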
@@ -507,6 +515,10 @@ default Optional getForProjectVulnAnalysisCo
 THEN "A"."OWASPSCORE"
 ELSE "V"."OWASPRRTECHNICALIMPACTSCORE"
 END AS "vulnOwaspRrTechnicalImpactScore"
+ , CASE WHEN "A"."SEVERITY" IS NOT NULL
+ THEN "A"."OWASPVECTOR"
+ ELSE "V"."OWASPRRVECTOR"
+ END AS "vulnOwaspRrVector"
 , "CALC_SEVERITY"("V"."SEVERITY", "A"."SEVERITY", "V"."CVSSV3BASESCORE", "V"."CVSSV2BASESCORE") AS "vulnSeverity"
 , STRING_TO_ARRAY("V"."CWES", ',') AS "vulnCwes"
 , "vulnAliasesJson"
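Review bot: For a finding with an analysis override, the new `vulnOwaspRrVector` column reports `"A"."OWASPVECTOR"` while `vulnOwaspRrTechnicalImpactScore` just above it is filled from the single `"A"."OWASPSCORE"`, so the vector and that score in one notification need not agree. The TODO in the previous hunk already notes that the analysis has only one OWASP RR score; a consumer that cross-checks scores against the vector for triage may see a mismatch. A comment next to the new column, e.g. `-- With an analysis override the vector comes from A, while the technical impact score carries A.OWASPSCORE`, would make that explicit. As with the CVSS vectors, an override that sets a severity but no OWASP vector yields NULL here. The query continues outside the hunk.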