Add SecurityAdvisory cvssSeverities and deprecate cvss

open-vulnerability-clients/src/main/java/io/github/jeremylong/openvulnerability/client/ghsa/CVSSSeverities.java

@@ -0,0 +1,70 @@
+/*
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) 2023-2025 Jeremy Long. All Rights Reserved.
+ */
+package io.github.jeremylong.openvulnerability.client.ghsa;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonPropertyOrder;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * The Common Vulnerability Scoring System
+ */
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonPropertyOrder({"cvssV3", "cvssV4"})
+public class CVSSSeverities implements Serializable {
+
+    private static final long serialVersionUID = -6425427956203326377L;
+
+    @JsonProperty("cvssV3")
+    private CVSS cvssV3;
+
+    @JsonProperty("cvssV4")
+    private CVSS cvssV4;
+
+    public CVSS getCvssV3() {
+        return cvssV3;
+    }
+
+    public CVSS getCvssV4() {
+        return cvssV4;
+    }
+
+    @Override
+    public String toString() {
+        return "CVSSSeverities{" + "cvssV3=" + cvssV3 + ", cvssV4=" + cvssV4 + '}';
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o)
+            return true;
+        if (o == null || getClass() != o.getClass())
+            return false;
+        CVSSSeverities cvss = (CVSSSeverities) o;
+        return cvssV3.equals(cvss.cvssV3) && cvssV4.equals(cvss.cvssV4);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(cvssV3, cvssV4);
+    }
+}

open-vulnerability-clients/src/main/java/io/github/jeremylong/openvulnerability/client/ghsa/SecurityAdvisory.java

@@ -30,7 +30,7 @@
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonPropertyOrder({"databaseId", "description", "ghsaId", "id", "identifiers", "notificationsPermalink", "origin",
         "permalink", "publishedAt", "references", "severity", "summary", "updatedAt", "vulnerabilities",
-        "classification", "cvss", "cwes", "withdrawnAt"})
+        "classification", "cvss", "cvssSeverities", "cwes", "withdrawnAt"})
 public class SecurityAdvisory implements Serializable {
 
     /**
@@ -86,9 +86,16 @@ public class SecurityAdvisory implements Serializable {
     @JsonProperty("classification")
     private String classification;
 
+    // https://docs.github.com/en/graphql/overview/breaking-changes#changes-scheduled-for-2025-10-01
+    // cvss will be removed at 2025-10-01.
+    // New cvssSeverities field will now contain both cvssV3 and cvssV4 properties.
+    @Deprecated(forRemoval = true)
     @JsonProperty("cvss")
     private CVSS cvss;
 
+    @JsonProperty("cvssSeverities")
+    private CVSSSeverities cvssSeverities;
+
     @JsonProperty(value = "cwes")
     private CWEs cwes;
 
@@ -239,10 +246,20 @@ public String getClassification() {
      *
      * @return the CVSS associated with this advisory.
      */
+    @Deprecated(forRemoval = true)
     public CVSS getCvss() {
         return cvss;
     }
 
+    /**
+     * The CVSS associated with this advisory.
+     *
+     * @return the CVSS associated with this advisory.
+     */
+    public CVSSSeverities getCvssSeverities() {
+        return cvssSeverities;
+    }
+
     /**
      * Returns CWE Page associated with this Advisory.
      *
@@ -272,8 +289,8 @@ public String toString() {
                 + notificationsPermalink + '\'' + ", origin='" + origin + '\'' + ", permalink='" + permalink + '\''
                 + ", publishedAt=" + publishedAt + ", references=" + references + ", severity=" + severity
                 + ", summary='" + summary + '\'' + ", updatedAt=" + updatedAt + ", withdrawnAt=" + withdrawnAt
-                + ", classification=" + classification + ", cvss=" + cvss + ", cwes=" + cwes + ", vulnerabilities="
-                + vulnerabilities + '}';
+                + ", classification=" + classification + ", cvss=" + cvss + ", cvssSeverities=" + cvssSeverities
+                + ", cwes=" + cwes + ", vulnerabilities=" + vulnerabilities + '}';
     }
 
     @Override
@@ -292,13 +309,14 @@ public boolean equals(Object o) {
                 && severity == that.severity && Objects.equals(summary, that.summary)
                 && Objects.equals(updatedAt, that.updatedAt) && Objects.equals(withdrawnAt, that.withdrawnAt)
                 && Objects.equals(classification, that.classification) && Objects.equals(cvss, that.cvss)
-                && Objects.equals(cwes, that.cwes) && Objects.equals(vulnerabilities, that.vulnerabilities);
+                && Objects.equals(cvssSeverities, that.cvssSeverities) && Objects.equals(cwes, that.cwes)
+                && Objects.equals(vulnerabilities, that.vulnerabilities);
     }
 
     @Override
     public int hashCode() {
         return Objects.hash(databaseId, description, ghsaId, id, identifiers, notificationsPermalink, origin, permalink,
-                publishedAt, references, severity, summary, updatedAt, withdrawnAt, classification, cvss, cwes,
-                vulnerabilities);
+                publishedAt, references, severity, summary, updatedAt, withdrawnAt, classification, cvss,
+                cvssSeverities, cwes, vulnerabilities);
     }
 }

open-vulnerability-clients/src/main/resources/securityAdvisories.mustache

@@ -57,6 +57,16 @@ query {
         score
         vectorString
       }
+      cvssSeverities {
+        cvssV3 {
+          score
+          vectorString
+        }
+        cvssV4 {
+          score
+          vectorString
+        }
+      }
       cwes(first: 50) {
         edges {
           node {