fix: add CVSSv4 support to auditjs parser and improve error handling #12391

Open: wants to merge 10 commits into base branch bugfix

Conversation

Haralishev77

Summary

This PR adds CVSS v4 support to the AuditJS parser in DefectDojo.

Changes

  • Updated the parser logic to handle CVSS:4.0 vectors using the CVSS4 class.
  • Added clear error handling when no CVSS vectors are found.
  • Ensured backward compatibility with CVSS2 and CVSS3.

Note

Support for CVSS4 relies on RedHatProductSecurity/cvss#75 being merged and released (likely in version 3.5).
Once it's available, the requirements.txt should be updated accordingly.
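As an added, standalone illustration of the detection and error-handling behaviour this PR describes (example code, not the PR's own parser): it locates CVSS 2, 3.x and 4.0 vectors in a scanner's cvssVector text, checks that each one carries the base metrics its version requires, prefers the newest version found, and raises ValueError when nothing usable remains. The real parser hands the matched vector to the cvss library's CVSS2/CVSS3/CVSS4 classes for scoring; this example stops at detection and structural validation and uses only the standard library.

```python
import re

# Required base metrics and their allowed single-letter values, per CVSS version
# (taken from the public CVSS v2, v3.x and v4.0 specifications).
CVSS4_BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
              "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}
CVSS3_BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
              "C": "HLN", "I": "HLN", "A": "HLN"}
CVSS2_BASE = {"AV": "LAN", "AC": "HML", "Au": "MSN", "C": "NPC", "I": "NPC", "A": "NPC"}

# v3/v4 vectors carry a "CVSS:x.y/" prefix; v2 vectors do not, so v2 is recognised
# by its mandatory metric sequence (often wrapped in parentheses by scanners).
_V4_RE = re.compile(r"CVSS:4\.0(?:/[A-Za-z]+:[A-Za-z]+)+")
_V3_RE = re.compile(r"CVSS:3\.[01](?:/[A-Za-z]+:[A-Za-z]+)+")
_V2_RE = re.compile(r"(?<![/:\w])AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]"
                    r"(?:/[A-Za-z]+:[A-Za-z]+)*")


def parse_cvss_vectors(text: str) -> list:
    """Return all valid CVSS vectors in `text`, newest version first.

    Each entry is {"version": str, "vector": str, "metrics": {name: value}}.
    Raises ValueError, like the parser in this PR, when no usable vector is found.
    """
    found = []
    for version_re, required in ((_V4_RE, CVSS4_BASE), (_V3_RE, CVSS3_BASE), (_V2_RE, CVSS2_BASE)):
        for match in version_re.finditer(text):
            vector = match.group(0)
            parts = vector.split("/")
            if parts[0].startswith("CVSS:"):
                version, parts = parts[0].split(":", 1)[1], parts[1:]
            else:
                version = "2.0"
            metrics = dict(part.split(":", 1) for part in parts)
            # Reject vectors that miss a required base metric or use a value the spec does not allow.
            invalid = [name for name, allowed in required.items() if metrics.get(name) not in set(allowed)]
            if invalid:
                continue
            found.append({"version": version, "vector": vector, "metrics": metrics})
    if not found:
        msg = "No CVSS vectors found. Please check that the provided cvssVector is a valid CVSS 2/3/4 vector."
        raise ValueError(msg)
    return found


if __name__ == "__main__":
    # Constructed sample input mixing a v3.1 vector with a legacy v2 vector.
    sample = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (AV:N/AC:L/Au:N/C:P/I:P/A:P)"
    for entry in parse_cvss_vectors(sample):
        print(entry["version"], entry["vector"])
```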

@github-actions github-actions bot added the parser label May 6, 2025
@Haralishev77 Haralishev77 marked this pull request as draft May 6, 2025 14:02

dryrunsecurity bot commented May 6, 2025

DryRun Security

This pull request addresses potential security vulnerabilities including DOMPurify XSS issues, a high-severity MySQL certificate verification vulnerability, and modifications to CVSS parsing and testing in the AuditJS parser, with associated updates to test cases and dependency handling.

Unconfirmed Findings (6)

  • CVSS Parsing Errors: potential unexpected behavior when encountering invalid or malformed CVSS vectors in dojo/tools/auditjs/parser.py, with explicit errors raised for unsupported CVSS versions.
  • Dependency Import Change: potential version compatibility issues due to changes in dependency resolution in dojo/tools/auditjs/parser.py.
  • DOMPurify XSS Vulnerabilities: two CVEs (CVE-2024-47875 and CVE-2025-26791) with CVSS scores of 6.4 and 2.1, indicating improper neutralization of input during web page generation.
  • MySQL Unverified Certificate Vulnerability: high-severity CVSS 9.6 vulnerability with potential risk of man-in-the-middle attacks or connection spoofing due to improper SSL certificate verification.
  • Test Case Modification: changes in vulnerability parsing and testing approach in unittests/tools/test_auditjs_parser.py.
  • Test Coverage Expansion: modifications to test coverage for vulnerability detection in unittests/tools/test_auditjs_parser.py.

All finding details can be found in the DryRun Security Dashboard.

valentijnscholten (Member) commented May 6, 2025

Thank you for the PR. Can you look at my comment, the linting errors and rebase against the bugfix branch?

@Haralishev77 Haralishev77 force-pushed the fix/auditjs-cvss4-support branch from 5a8ace2 to 594038c Compare May 7, 2025 09:17
@valentijnscholten valentijnscholten changed the base branch from master to bugfix May 7, 2025 18:47
valentijnscholten (Member)

Thanks, I've updated the base branch here on the GitHub PR as well.

Could you look at providing/updating a test case that covers the new CVSS code?

Haralishev77 (Author)

Sure, I’ll take a look at the test file next week and may extend it with additional scan examples to cover CVSS v2 and v4 cases.

Haralishev77 (Author) commented May 13, 2025

I've added new tests for CVSS V2 and V4 vectors and updated the scan examples. However, to run the tests properly, it's necessary to manually add the updated parse_cvss_from_text function to the auditjs parser (for now).

valentijnscholten (Member)

Thanks! I've approved the workflows to run, can you look at the test failure: https://github.com/DefectDojo/django-DefectDojo/actions/runs/15003307072/job/42158252920?pr=12391#step:8:3482

Haralishev77 (Author)

Yes, this error occurs due to missing functionality in the CVSS library. So, we're waiting for updates.

uwsgi-1  |   File "/app/dojo/tools/auditjs/parser.py", line 119, in get_findings
uwsgi-1  |     raise ValueError(msg)
uwsgi-1  | ValueError: No CVSS vectors found. Please check that parse_cvss_from_text() correctly parses the provided cvssVector.

valentijnscholten (Member) left a comment

@Haralishev77 I think it would be fine if you add some extra code to handle the CVSS4 case, i.e. mimic what your upstream PR does. I am saying this because it looks like it might take a while before RedHat will release a version with your fix/enhancement. And soon we will add CVSS4 support to Defect Dojo and that will be a point where we will double check all CVSS related code in parsers and could cleanup the extra code.

Haralishev77 (Author)

Okay, I’ll push the changes soon.

@valentijnscholten valentijnscholten self-requested a review May 16, 2025 21:16
@valentijnscholten valentijnscholten dismissed their stale review May 16, 2025 21:17

changes implemented

valentijnscholten (Member) left a comment

Looks good to me, feel free to take it out of draft.

@Haralishev77 Haralishev77 marked this pull request as ready for review May 17, 2025 09:01
@Maffooch Maffooch requested a review from hblankenship May 22, 2025 03:48
mtesauro (Contributor) left a comment

Approved

5 participants