feat(rules): Add CVSS 3.1/4 to high vulnerability

tsteenbe · tsteenbe · commit f5de4535e877 · 2024-06-04T01:37:57.000+02:00
Prior to this change a package with a high severity vulnerability
encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

Signed-off-by: Thomas Steenbergen &lt;opensource@steenbe.nl&gt;
diff --git a/evaluator.rules.kts b/evaluator.rules.kts
@@ -1551,6 +1551,12 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_
             },
             hasVulnerability(maxAcceptedSeverity, "CVSS:3") { value, threshold ->
                 value.toFloat() >= threshold.toFloat()
+            },
+            hasVulnerability(maxAcceptedSeverity, "CVSS:3.1") { value, threshold ->
+                value.toFloat() >= threshold.toFloat()
+            },
+            hasVulnerability(maxAcceptedSeverity, "CVSS:4.0") { value, threshold ->
+                value.toFloat() >= threshold.toFloat()
             }
         )
     }

Original file line number	Diff line number	Diff line change
`@@ -1551,6 +1551,12 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_`
`1551`	`1551`	`},`
`1552`	`1552`	`hasVulnerability(maxAcceptedSeverity, "CVSS:3") { value, threshold ->`
`1553`	`1553`	`value.toFloat() >= threshold.toFloat()`
	`1554`	`+ },`
	`1555`	`+ hasVulnerability(maxAcceptedSeverity, "CVSS:3.1") { value, threshold ->`
	`1556`	`+ value.toFloat() >= threshold.toFloat()`
	`1557`	`+ },`
	`1558`	`+ hasVulnerability(maxAcceptedSeverity, "CVSS:4.0") { value, threshold ->`
	`1559`	`+ value.toFloat() >= threshold.toFloat()`
`1554`	`1560`	`}`
`1555`	`1561`	`)`
`1556`	`1562`	`}`