fix: use correct types for modifiedSubAvailabilityImpact, modifiedSubIntegrityImpact, and modifiedSubConfidentialityImpact #274
Conversation
|
@aikebah or @marcelstoer does this look good to you? |
|
LGTM |
|
I expect this leading to an ODC 12.0.3 release but are you also going to release a new v11 including this fix? (haven't figured out yet what was breaking in between) |
|
@marcelstoer the only breaking change to my knowledge was the extension of the reports with CVSSv4 data given that we've seen in past that reports are post-processed by various users to compose the information into their own dashboarding and adding CVSSv4 data is likely to break those pipelines. IIRC that was the only reason for the new major |
|
@marcelstoer is there a need to release a new v11? We've generally just required the upgrade to the latest. |
|
@jeremylong Might be good to retroactively indicate in the changelog that the addition of CVSS v4 in the reports is the 'breaking' change that warranted the new major for v12.0.0. My impresson is that then just releasing a new v12 would be sufficient and people will mostly be fine to onboard on v12.x. |
|
@jeremylong thanks for amending the changelog for 12.0. @aikebah thanks for insights.
Yep, that is exactly why I haven't upgraded yet. If I update our pipeline at work, 100+ projects are going to be affected all at once. Due to this issue, I'll now expedite the upgrade 😄 |
|
@marcelstoer sorry for not highlighting the breaking change earlier. I'll try to do better in the future ;) |
Incorrectly used the wrong type for three fields that are rarely filled out in the NVD data. This resolves #270
@marcelstoer thanks for suggesting adding the test case via #272 - I've included that here.