
Unnecessary empty references node created when merging BOMs

Open schlenk opened this issue 3 years ago • 0 comments

The cyclonedx-cli tool creates an empty <references/> node inside the <issue> node even though no such reference exists in the input data.

How to reproduce:

Example BOM 1 with a patch (example.bom.xml):

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:d305c984-69ea-41c2-8bb2-09e1c3ae7e28">
    <!-- Input 1: one component with a pedigree patch resolving a security issue.
         Note that the <issue> below has <source> but NO <references> element. -->
    <metadata>
    </metadata>
    <components>
        <component type="application" bom-ref="928880ee-2404-4ac7-a2dd-701a6fcffc33">
            <name>Apache Solr</name>
            <version>7.7.2</version>
            <licenses>
                <license>
                    <id>Apache-2.0</id>
                </license>
            </licenses>
            <cpe>cpe:2.3:a:apache:solr:7.7.2:*:*:*:*:*:*:*</cpe>
            <pedigree>
                <patches>
                    <patch type="backport">
                        <resolves>
                            <issue type="security">
                                <id>CVE-2021-44228</id>
                                <name>Log4J Patch</name>
                                <description>Log4J update to 2.16.0</description>
                                <source>
                                    <name>NVD</name>
                                    <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</url>
                                </source>
                                <!-- no <references> here: the merge output adds one anyway -->
                            </issue>
                        </resolves>
                    </patch>
                </patches>
            </pedigree>
        </component>
    </components>
</bom>

Example 2 (example2.bom.xml):

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:d305c9a4-69ea-41c2-8bb2-09e1c3ae7e28">
    <!-- Input 2: a single plain component with no pedigree, so nothing here
         can contribute an <issue> or <references> element to the merge. -->
    <metadata>
    </metadata>
    <components>
        <component type="application" bom-ref="9282180ee-2404-4ac7-a2dd-701a6fcffc33">
            <name>Foobar</name>
            <version>1.2.3</version>
        </component>
    </components>
</bom>

Merge with cyclonedx-cli:

cyclonedx-cli --version
0.24.2
cyclonedx-cli merge --input-files example.bom.xml example2.bom.xml --output-format xml

The result contains an empty <references /> node inside <issue>, which neither input file contained:

<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:cb46547f-2cb3-4cbc-83ac-2bb238a1c62e" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
  <!-- Merge output: both input components are present; the serializer also
       emitted xsi/xsd namespace declarations and a fresh serialNumber that
       were not in either input (presumably the tool's default serializer). -->
  <metadata />
  <components>
    <component type="application" bom-ref="928880ee-2404-4ac7-a2dd-701a6fcffc33">
      <name>Apache Solr</name>
      <version>7.7.2</version>
      <licenses>
        <license>
          <id>Apache-2.0</id>
        </license>
      </licenses>
      <cpe>cpe:2.3:a:apache:solr:7.7.2:*:*:*:*:*:*:*</cpe>
      <pedigree>
        <patches>
          <patch type="backport">
            <resolves>
              <issue type="security">
                <id>CVE-2021-44228</id>
                <name>Log4J Patch</name>
                <description>Log4J update to 2.16.0</description>
                <source>
                  <name>NVD</name>
                  <url>https://nvd.nist.gov/vuln/detail/CVE-2021-44228</url>
                </source>
                <!-- BUG: this empty element is not present in example.bom.xml -->
                <references />
              </issue>
            </resolves>
          </patch>
        </patches>
      </pedigree>
    </component>
    <component type="application" bom-ref="9282180ee-2404-4ac7-a2dd-701a6fcffc33">
      <name>Foobar</name>
      <version>1.2.3</version>
    </component>
  </components>
</bom>

schlenk avatar Oct 20 '22 12:10 schlenk