CVE with CVSS Score of 9.8 is reported as Major on SonarQube

[mnisius]

Describe the bug
In my Project the CVE-2025-31651 with a CVSS Score of 9.8 was discovered. In SonarQube this Issue is now shown as a Major instead of a Critical or Blocker.

To Reproduce
Scan a Spring Boot Project with Spring Boot 3.4.2. Create a Owasp Report with dependency-check-maven, and perform a sonarqube analysis with the maven:sonar-maven-plugin.

Current behavior
The issue is marked as Major

Expected behavior
The issue should be in the Category Blocker or Critcal

• dependency-check: 12.1.0
• sonarqube: Enterprise Edition v2025.1 (102418)
• dependency-check-sonar-plugin5.0.0

[sdt-aslepikas]

We are having a very similar issue where ALL of our vulnerabilities are major. Dependency check report does show correctly as medium but the sonarqube issues page shows as major

• sonarqube Community Build v25.4.0.105899
• plugin 5.0.0
• dependency check 12.1.1

[alexistoulotte]

Hi @mnisius,

I had the same issue and I fixed it by updating my quality gate to new sonar standards (use « Review and Update Quality Gate » button in the screenshot below).

Actually, « minor, major, etc. » severities are replaced by « info / low / medium / high / blocker ».

The legacy « minor / major » rules should be removed in order to be compliant with new sonar releases. It makes more sense.

[sinux-l5d]

We're having the same issue, and I don't think it has anything to do with quality gate in our case.

I'm not familiar with the Sonar ecosystem and not sure where to start digging: is it depcheck itself? This plugin? Something in Sonar?

In Administration > Dependency-Check > Severities, there are only three levels: Low, Medium and High, which is a different scale from Info/Minor/Major/Critical/Blocker available in a project's Issues view. Whatever the CVSS score, it always ends up in Major in the Issues panel.

#870 claims the new severities scale is the latter, however in our Sonarqube 2025.2 instance we have the former:

Can someone point us in the correct direction? I'm obviously missing something.

[tremblaysimon]

I think it's similar to that closed (unresolved) issue #982.