🐛 fix nancy severity calculation #13656 (#13657)

manuel-sommer · web-flow · commit 186befb9221b · 2025-11-12T17:31:10.000+01:00
diff --git a/dojo/tools/nancy/parser.py b/dojo/tools/nancy/parser.py
@@ -34,14 +34,24 @@ def get_findings(self, scan_file, test):
 
         return findings
 
+    def convert_cvss_score(self, raw_value):
+        if raw_value is None:
+            return "Info"
+        val = float(raw_value)
+        if val == 0.0:
+            return "Info"
+        if val < 4.0:
+            return "Low"
+        if val < 7.0:
+            return "Medium"
+        if val < 9.0:
+            return "High"
+        return "Critical"
+
     def get_items(self, vulnerable, test):
         findings = []
         for vuln in vulnerable:
             finding = None
-            severity = "Info"
-            # the tool does not define severity, however it
-            # provides CVSSv3 vector which will calculate
-            # severity dynamically on save()
             references = []
             if vuln["Vulnerabilities"]:
                 comp_name = vuln["Coordinates"].split(":")[1].split("@")[0]
@@ -57,7 +67,7 @@ def get_items(self, vulnerable, test):
                         title=associated_vuln["Title"],
                         description=associated_vuln["Description"],
                         test=test,
-                        severity=severity,
+                        severity=self.convert_cvss_score(associated_vuln["CvssScore"]),
                         component_name=comp_name,
                         component_version=comp_version,
                         false_p=False,
diff --git a/unittests/tools/test_nancy_parser.py b/unittests/tools/test_nancy_parser.py
@@ -18,7 +18,7 @@ def test_nancy_parser_with_one_vuln_has_one_findings(self):
             self.assertEqual(1, len(findings))
             with self.subTest(i=0):
                 finding = findings[0]
-                self.assertEqual("Info", finding.severity)
+                self.assertEqual("Medium", finding.severity)
                 self.assertIsNotNone(finding.description)
                 self.assertGreater(len(finding.description), 0)
                 self.assertEqual(None, finding.cve)
