Describe the bug
Currently, the plugin does not correctly map vulnerability severity when SonarQube is configured in standard mode.
To Reproduce
Current behavior
The plugin relies on LOW/MEDIUM/HIGH severity levels, while SonarQube uses BLOCKER/CRITICAL/MAJOR/MINOR.
Additionally, CVSS v4 scores are not properly considered, leading to incorrect severity classification (e.g., CVSS v4 Critical vulnerabilities being reported as MEDIUM).
Expected behavior
The plugin should:
- Support CVSS v4 scoring
- Map severity according to SonarQube standard model:
  - CVSS v4 ≥ 9.0 → BLOCKER
  - CVSS v4 ≥ 7.0 → CRITICAL
  - CVSS v4 ≥ 4.0 → MAJOR
  - CVSS v4 < 4.0 → MINOR
- Optionally adapt behavior depending on SonarQube mode (Standard vs MQR)
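The proposed threshold mapping as an added, self-contained example (not code from dependency-check-sonar-plugin); it assumes the plugin can hand over the CVSS v4 and v3 base scores as nullable doubles, and treats a finding with no numeric score as MAJOR so that an unscored vulnerability is not silently demoted to MINOR.

```java
/** Constructed example: CVSS base score -> SonarQube standard-mode severity. */
public final class SeverityMapper {

    /** SonarQube standard-mode severities, most to least severe. */
    public enum SonarSeverity { BLOCKER, CRITICAL, MAJOR, MINOR }

    private SeverityMapper() {}

    /**
     * Maps a CVSS base score (v4, or v3 used as a fallback) to a standard-mode
     * severity using the thresholds proposed in this issue. CVSS scores are
     * defined on 0.0..10.0, so anything else is rejected rather than mapped.
     */
    public static SonarSeverity fromCvssScore(double score) {
        if (Double.isNaN(score) || score < 0.0 || score > 10.0) {
            throw new IllegalArgumentException("CVSS score out of range: " + score);
        }
        if (score >= 9.0) return SonarSeverity.BLOCKER;
        if (score >= 7.0) return SonarSeverity.CRITICAL;
        if (score >= 4.0) return SonarSeverity.MAJOR;
        return SonarSeverity.MINOR;
    }

    /**
     * Chooses which score to map: prefer CVSS v4, fall back to CVSS v3.
     * Assumption: a vulnerability with no numeric score at all is reported
     * as MAJOR so it still surfaces for triage instead of vanishing as MINOR.
     */
    public static SonarSeverity forVulnerability(Double cvssV4, Double cvssV3) {
        if (cvssV4 != null) return fromCvssScore(cvssV4);
        if (cvssV3 != null) return fromCvssScore(cvssV3);
        return SonarSeverity.MAJOR;
    }

    public static void main(String[] args) {
        // Constructed sample findings: v4-only, v3-only, unscored, and the
        // two threshold boundaries that a three-level LOW/MEDIUM/HIGH bucket
        // cannot tell apart (9.0 vs 7.0 both land in "HIGH" there).
        System.out.println("v4 9.3 only   -> " + forVulnerability(9.3, null));
        System.out.println("v3 5.5 only   -> " + forVulnerability(null, 5.5));
        System.out.println("unscored      -> " + forVulnerability(null, null));
        System.out.println("boundary 9.0  -> " + fromCvssScore(9.0));
        System.out.println("boundary 7.0  -> " + fromCvssScore(7.0));
        System.out.println("boundary 3.9  -> " + fromCvssScore(3.9));
    }
}
```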
Screenshots
Versions (please complete the following information):
- dependency-check 12.2.0
- sonarqube community 26.0
- dependency-check-sonar-plugin 6.0