Use the CVSS parser to parse the CVSS vector

dojo/tools/acunetix/parser.py

@@ -4,6 +4,7 @@
 import dateutil
 import html2text
 import hyperlink
+from cvss import parser as cvss_parser
 from defusedxml.ElementTree import parse
 from dojo.models import Endpoint, Finding
 
@@ -68,7 +69,9 @@ def get_findings(self, xml_output, test):
                     finding.references = "\n".join(references)
 
                 if item.findtext("CVSS3/Descriptor"):
-                    finding.cvssv3 = item.findtext("CVSS3/Descriptor")
+                    cvss_objects = cvss_parser.parse_cvss_from_text(item.findtext("CVSS3/Descriptor"))
+                    if len(cvss_objects) > 0:
+                        finding.cvssv3 = cvss_objects[0].clean_vector()
 
                 # more description are in "Details"
                 if item.findtext("Details") and len(item.findtext("Details").strip()) > 0:

dojo/tools/acunetix360/parser.py

@@ -1,6 +1,7 @@
 import json
 import html2text
 
+from cvss import parser as cvss_parser
 from dateutil import parser
 from dojo.models import Finding, Endpoint
 
@@ -60,7 +61,9 @@ def get_findings(self, filename, test):
                               static_finding=True)
 
             if (item["Classification"] is not None) and (item["Classification"]["Cvss"] is not None) and (item["Classification"]["Cvss"]["Vector"] is not None):
-                finding.cvssv3 = item["Classification"]["Cvss"]["Vector"]
+                cvss_objects = cvss_parser.parse_cvss_from_text(item["Classification"]["Cvss"]["Vector"])
+                if len(cvss_objects) > 0:
+                    finding.cvssv3 = cvss_objects[0].clean_vector()
 
             if item["State"] is not None:
                 state = [x.strip() for x in item["State"].split(',')]

dojo/tools/generic/parser.py

@@ -3,6 +3,7 @@
 import io
 import json
 
+from cvss import parser as cvss_parser
 from dateutil.parser import parse
 from dojo.models import Endpoint, Finding
 
@@ -132,7 +133,9 @@ def get_findings_csv(self, filename, test, active=None, verified=None):
                 finding.severity = 'Info'
 
             if "CVSSV3" in row:
-                finding.cvssv3 = row["CVSSV3"]
+                cvss_objects = cvss_parser.parse_cvss_from_text(row["CVSSV3"])
+                if len(cvss_objects) > 0:
+                    finding.cvssv3 = cvss_objects[0].clean_vector()
 
             # manage active/verified overrride
             if active:

dojo/tools/github_vulnerability/parser.py

@@ -1,5 +1,6 @@
 import json
 
+from cvss import parser as cvss_parser
 from dojo.models import Finding
 
 
@@ -58,7 +59,9 @@ def get_findings(self, filename, test):
                 if "score" in alert["securityVulnerability"]["advisory"]["cvss"]:
                     finding.cvssv3_score = alert["securityVulnerability"]["advisory"]["cvss"]["score"]
                 if "vectorString" in alert["securityVulnerability"]["advisory"]["cvss"]:
-                    finding.cvssv3 = alert["securityVulnerability"]["advisory"]["cvss"]["vectorString"]
+                    cvss_objects = cvss_parser.parse_cvss_from_text(alert["securityVulnerability"]["advisory"]["cvss"]["vectorString"])
+                    if len(cvss_objects) > 0:
+                        finding.cvssv3 = cvss_objects[0].clean_vector()
 
             dupe_key = finding.unique_id_from_tool
             if dupe_key in dupes:

dojo/tools/netsparker/parser.py

@@ -2,6 +2,7 @@
 import html2text
 import datetime
 
+from cvss import parser as cvss_parser
 from dojo.models import Finding, Endpoint
 
 
@@ -69,7 +70,9 @@ def get_findings(self, filename, test):
                 finding.risk_accepted = True
 
             if (item["Classification"] is not None) and (item["Classification"]["Cvss"] is not None) and (item["Classification"]["Cvss"]["Vector"] is not None):
-                finding.cvssv3 = item["Classification"]["Cvss"]["Vector"]
+                cvss_objects = cvss_parser.parse_cvss_from_text(item["Classification"]["Cvss"]["Vector"])
+                if len(cvss_objects) > 0:
+                    finding.cvssv3 = cvss_objects[0].clean_vector()
 
             finding.unsaved_req_resp = [{"req": request, "resp": response}]
             finding.unsaved_endpoints = [Endpoint.from_uri(url)]

dojo/tools/nuclei/parser.py

@@ -1,5 +1,6 @@
 import json
 import hashlib
+from cvss import parser as cvss_parser
 from dojo.models import Finding, Endpoint
 
 
@@ -63,7 +64,9 @@ def get_findings(self, filename, test):
                         cwe = classification['cwe-id'][0]
                         finding.cwe = int(cwe[4:])
                     if 'cvss-metrics' in classification and classification['cvss-metrics']:
-                        finding.cvssv3 = classification['cvss-metrics']
+                        cvss_objects = cvss_parser.parse_cvss_from_text(classification['cvss-metrics'])
+                        if len(cvss_objects) > 0:
+                            finding.cvssv3 = cvss_objects[0].clean_vector()
                     if 'cvss-score' in classification and classification['cvss-score']:
                         finding.cvssv3_score = classification['cvss-score']