From 5f98c28c3a80cab3ad9e9866a98feebc1a10271d Mon Sep 17 00:00:00 2001
From: Thomas Steenbergen
Date: Tue, 4 Jun 2024 01:29:45 +0200
Subject: [PATCH 1/2] style(rules): Use colons in CVSS score strings

This is a preparation for a sequential commit where CVSS:3.1 and CVS:4.0 comparator functions will be added.

Signed-off-by: Thomas Steenbergen
---
 evaluator.rules.kts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/evaluator.rules.kts b/evaluator.rules.kts
index 6d5eb0d0..a0f0d887 100644
--- a/evaluator.rules.kts
+++ b/evaluator.rules.kts
@@ -1546,10 +1546,10 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_
 -isProject()
 -isExcluded()
 +AnyOf(
- hasVulnerability(maxAcceptedSeverity, "CVSS2") { value, threshold ->
+ hasVulnerability(maxAcceptedSeverity, "CVSS:2") { value, threshold ->
 value.toFloat() >= threshold.toFloat()
 },
- hasVulnerability(maxAcceptedSeverity, "CVSS3") { value, threshold ->
+ hasVulnerability(maxAcceptedSeverity, "CVSS:3") { value, threshold ->
 value.toFloat() >= threshold.toFloat()
 }
 )

From 869b51229532fd0a9f0984b8405e3bce283dfb06 Mon Sep 17 00:00:00 2001
From: Thomas Steenbergen
Date: Tue, 4 Jun 2024 01:35:38 +0200
Subject: [PATCH 2/2] feat(rules): Add CVSS 3.1/4 to high severity vuln rule

Prior to this change a package with a high severity vulnerability encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

Signed-off-by: Thomas Steenbergen
---
 evaluator.rules.kts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/evaluator.rules.kts b/evaluator.rules.kts
index a0f0d887..f0fcd5ad 100644
--- a/evaluator.rules.kts
+++ b/evaluator.rules.kts
@@ -1551,6 +1551,12 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_
 },
 hasVulnerability(maxAcceptedSeverity, "CVSS:3") { value, threshold ->
 value.toFloat() >= threshold.toFloat()
+ },
+ hasVulnerability(maxAcceptedSeverity, "CVSS:3.1") { value, threshold ->
+ value.toFloat() >= threshold.toFloat()
+ },
+ hasVulnerability(maxAcceptedSeverity, "CVSS:4.0") { value, threshold ->
+ value.toFloat() >= threshold.toFloat()
 }
 )
 }
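Review bot: The four `hasVulnerability` branches in this hunk differ only in the scoring-system string, so the comparison `value.toFloat() >= threshold.toFloat()` is now copied four times and any later fix to it must be applied in four places; lift the comparator into a local and build the branches from a list of identifiers, as below (this assumes `AnyOf` accepts a vararg of matchers, which the `+AnyOf(` context suggests but does not prove). The identifiers are evidently matched exactly against whatever the advisor records, since `"CVSS:3"` and `"CVSS:3.1"` are listed as separate branches; an identifier no advisor ever emits makes that branch silently never fire, which for a policy rule is fail-open, so the list deserves a comment such as `// Must match the advisor's scoring-system identifiers exactly; an unmatched name silently disables that branch.` and a test with one reference per identifier. `toFloat()` also throws on a non-numeric severity string, turning a malformed advisor result into an evaluator crash rather than a finding; if severities can be qualitative here, `toFloatOrNull()` with an explicit, documented fail-closed choice would be safer. The enclosing `vulnerabilityWithHighSeverityInDependencyRule` starts before the hunk, so `maxAcceptedSeverity` and the block these matchers sit in are not visible here, and the same repetition applies to the `"CVSS:2"`/`"CVSS:3"` branches touched by the first patch.
```kotlin
// … unchanged: rule header, -isProject(), -isExcluded() …
// Must match the advisor's scoring-system identifiers exactly; an unmatched name silently disables that branch.
val scoringSystems = listOf("CVSS:2", "CVSS:3", "CVSS:3.1", "CVSS:4.0")
val scoreAtLeast: (String, String) -> Boolean = { value, threshold ->
    value.toFloat() >= threshold.toFloat()
}
+AnyOf(
    *scoringSystems
        .map { hasVulnerability(maxAcceptedSeverity, it, scoreAtLeast) }
        .toTypedArray()
)
// … unchanged: remainder of the rule …
```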