From 8ac712449a5055d653323b24d7745480bce32171 Mon Sep 17 00:00:00 2001
From: Ahmed Abdelsalam <ahmed.abdelsalam@greenbone.net>
Date: Fri, 31 May 2024 10:29:27 +0200
Subject: [PATCH] Add: Added support for CVSS 4.0 fields in CVEs.

---
 src/manage_sql_secinfo.c | 39 ++++++++++++++++++++++++++-------------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/src/manage_sql_secinfo.c b/src/manage_sql_secinfo.c
index 455fc3dbc..8647c66f8 100644
--- a/src/manage_sql_secinfo.c
+++ b/src/manage_sql_secinfo.c
@@ -2491,7 +2491,6 @@ static int
 insert_cve_from_entry (element_t entry, element_t last_modified,
                        GHashTable *hashed_cpes, int *transaction_size)
 {
-  gboolean cvss_is_v3;
   element_t published, summary, cvss, score, base_metrics, cvss_vector, list;
   double severity_dbl;
   gchar *quoted_id, *quoted_summary, *quoted_cvss_vector;
@@ -2518,21 +2517,36 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
       return -1;
     }
 
-  cvss = element_child (entry, "vuln:cvss3");
+  gchar *base_metrics_element = "cvss:base_metrics";
+  gchar *score_element = "cvss:score";
+  gchar *cvss_vector_element = "cvss:vector-string";
+
+  cvss = element_child (entry, "vuln:cvss4");
   if (cvss == NULL)
     {
-      cvss = element_child (entry, "vuln:cvss");
-      cvss_is_v3 = FALSE;
+      cvss = element_child (entry, "vuln:cvss3");
+      if (cvss == NULL)
+        {
+          cvss = element_child (entry, "vuln:cvss");
+        }
+      else
+        {
+          base_metrics_element = "cvss3:base_metrics";
+          score_element = "cvss3:base-score";
+          cvss_vector_element = "cvss3:vector-string";
+        }
     }
   else
-     cvss_is_v3 = TRUE;
+    {
+      base_metrics_element = "cvss4:base_metrics";
+      score_element = "cvss4:base-score";
+      cvss_vector_element = "cvss4:vector-string";
+    }
 
   if (cvss == NULL)
     base_metrics = NULL;
   else
-    base_metrics = element_child (cvss,
-                                  cvss_is_v3 ? "cvss3:base_metrics"
-                                             : "cvss:base_metrics");
+    base_metrics = element_child (cvss, base_metrics_element);
 
   if (base_metrics == NULL)
     {
@@ -2541,8 +2555,8 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
     }
   else
     {
-      score = element_child (base_metrics,
-                             cvss_is_v3 ? "cvss3:base-score" : "cvss:score");
+      score = element_child (base_metrics, score_element);
+
       if (score == NULL)
         {
           g_warning ("%s: cvss:score missing for %s", __func__, id);
@@ -2550,9 +2564,8 @@ insert_cve_from_entry (element_t entry, element_t last_modified,
           return -1;
         }
 
-      cvss_vector = element_child (base_metrics,
-                                   cvss_is_v3 ? "cvss3:vector-string"
-                                              : "cvss:vector-string");
+      cvss_vector = element_child (base_metrics, cvss_vector_element);
+
       if (cvss_vector == NULL)
         {
           g_warning ("%s: cvss:access-vector missing for %s", __func__, id);