From 1f2ad1efed2f5be16d43d321fe16ed8527ee2a6f Mon Sep 17 00:00:00 2001
From: George Andrinopoulos
Date: Thu, 2 Nov 2023 22:05:06 +0200
Subject: [PATCH] fix(reporter): Add score and method properties in CycloneDX report
Signed-off-by: George Andrinopoulos
---
 .../funTest/assets/cyclonedx-reporter-expected-result.json | 4 +++-
 .../src/funTest/assets/cyclonedx-reporter-expected-result.xml | 2 ++
 .../reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt | 3 +++
 reporter/src/testFixtures/kotlin/TestData.kt | 2 +-
 4 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
index 295b136bbcb15..e8acac9069cea 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -249,7 +249,9 @@
 "source": {
 "url": "https://cves.example.org/cve1"
 },
- "severity": "medium"
+ "score": 6.0,
+ "severity": "medium",
+ "method": "CVSSv2"
 }
 ],
 "description": "A vulnerability description",
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
index f709609760b2d..c3f5c6ef4e6bd 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -139,7 +139,9 @@ https://cves.example.org/cve1 + 6.0 medium + CVSSv2 A vulnerability description
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
index 120df23ddd8e1..f9b7cc5eef849 100644
--- a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
+++ b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -273,6 +273,9 @@ class CycloneDxReporter : Reporter {
 .apply { url = reference.url.toString() } severity = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Severity .fromString(reference.severityRating.lowercase()) + score = reference.severity?.toDoubleOrNull() + method = org.cyclonedx.model.vulnerability.Vulnerability.Rating.Method .fromString(reference.scoringSystem) } } affects = mutableListOf(
diff --git a/reporter/src/testFixtures/kotlin/TestData.kt b/reporter/src/testFixtures/kotlin/TestData.kt
index 284d17c8fc423..52fea88318446 100644
--- a/reporter/src/testFixtures/kotlin/TestData.kt
+++ b/reporter/src/testFixtures/kotlin/TestData.kt
@@ -408,7 +408,7 @@ val VULNERABILITY = Vulnerability(
 summary = "A vulnerability summary",
 description = "A vulnerability description",
 references = listOf(
- VulnerabilityReference(URI("https://cves.example.org/cve1"), "Cvss2", "6.0")
+ VulnerabilityReference(URI("https://cves.example.org/cve1"), "CVSSv2", "6.0")
 )
 )
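Review bot: `Rating.Method.fromString(reference.scoringSystem)` on the added `method` line appears to be an exact, case-sensitive match against the CycloneDX enum labels ("CVSSv2", "CVSSv3", …) — the severity assignment just above has to `lowercase()` its input for the same reason, and the fixture in reporter/src/testFixtures/kotlin/TestData.kt had to be changed from "Cvss2" to "CVSSv2" in this very commit before `method` showed up in the expected output. Scoring-system identifiers coming from advisory sources rarely use that exact spelling, so for most findings `method` will presumably stay unset (or, if `fromString` rejects unknown values instead of returning null, the whole report would fail) while `score` is still written; a bare score is ambiguous to a BOM consumer, because 6.0 means different things under CVSSv2 and CVSSv3, and that matters when the SBOM is used to prioritise remediation. Suggest normalising before the lookup, e.g. `method = reference.scoringSystem?.let { it.toCycloneDxMethod() }` backed by a small private helper that maps the known identifiers case-insensitively and returns null (or the library's `other` method, if it exposes one) for anything unrecognised, plus a test case whose scoring system is not spelled like the enum label. The enclosing builder block starts and ends outside the hunk.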