
Produces invalid SBOM file when CVSSv31 method is used in input

Open lazka opened this issue 1 year ago • 0 comments

Input file: buginput.json

Passing the attached SBOM through cyclonedx-cli results in an invalid JSON:

$ cyclonedx --version
0.25.0
$ # it's valid
$ cyclonedx validate --input-file buginput.json
BOM validated successfully.
$ # converting breaks it
$ cyclonedx convert --input-file buginput.json --output-file converted.json
$ cyclonedx validate --input-file converted.json
Unable to validate against any JSON schemas.
BOM is not valid.
$ # merging breaks it too
$ cyclonedx merge --input-files buginput.json buginput.json --output-file merged.json
$ cyclonedx validate --input-file merged.json
Unable to validate against any JSON schemas.
BOM is not valid.

From what I see, the rating "method" gets encoded wrongly.

Before:

{
  "score": 3.3,
  "severity": "low",
  "method": "CVSSv31",
  "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
}

After:

{
  "score": 3.3,
  "severity": "low",
  "method": "CVSSv3.1",
  "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
}

lazka Mar 26 '24 13:03
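The failure the report describes is an enum mismatch: the rating `method` field is restricted by the CycloneDX JSON schema to a fixed set of strings, and `CVSSv3.1` is not one of them, so the whole document fails schema validation even though the score and vector are intact. The following script, added here as an editor's example and not part of cyclonedx-cli or the reporter's attachment, scans a CycloneDX JSON BOM for ratings whose `method` is outside that set and repairs them, using the known bad spelling from this issue and, as a fallback, the CVSS version prefix of the `vector` string. The allowed-value set and vector-prefix mapping are the editor's assumptions from the CycloneDX 1.5 schema and the CVSS vector formats; the sample BOM is constructed to mirror the "After" block above.

```python
import copy
import json
import sys

# Allowed values of vulnerabilities[].ratings[].method (assumption: CycloneDX 1.5
# JSON schema enum; verify against the schema version your tooling targets).
VALID_METHODS = {"CVSSv2", "CVSSv3", "CVSSv31", "CVSSv4", "OWASP", "SSVC", "other"}

# Bad spellings observed in the wild -> schema value. "CVSSv3.1" is the one in this issue.
KNOWN_BAD = {"CVSSv3.1": "CVSSv31"}

# CVSS vector prefixes that identify the version (assumption: CVSS v3.0/v3.1/v4.0
# vector string formats). Used as a second source of truth when method is unknown.
VECTOR_PREFIX = {"CVSS:3.1/": "CVSSv31", "CVSS:3.0/": "CVSSv3", "CVSS:4.0/": "CVSSv4"}


def find_bad_methods(bom):
    """Return (vuln_index, rating_index, method) for every rating whose method
    is present but not a schema enum value."""
    bad = []
    for vi, vuln in enumerate(bom.get("vulnerabilities", [])):
        for ri, rating in enumerate(vuln.get("ratings", [])):
            method = rating.get("method")
            if method is not None and method not in VALID_METHODS:
                bad.append((vi, ri, method))
    return bad


def infer_method(rating):
    """Pick a schema-valid method for one rating, or None if it cannot be decided."""
    method = rating.get("method")
    if method in VALID_METHODS:
        return method
    if method in KNOWN_BAD:
        return KNOWN_BAD[method]
    vector = rating.get("vector", "")
    for prefix, inferred in VECTOR_PREFIX.items():
        if vector.startswith(prefix):
            return inferred
    return None


def fix_methods(bom):
    """Return (repaired_copy, number_of_ratings_changed). Raises if a rating
    carries an unknown method that cannot be inferred from its vector, so a
    silent guess never reaches the SBOM."""
    fixed = copy.deepcopy(bom)
    changed = 0
    for vuln in fixed.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            method = rating.get("method")
            if method is None or method in VALID_METHODS:
                continue
            inferred = infer_method(rating)
            if inferred is None:
                raise ValueError(f"cannot repair rating method {method!r} in {vuln.get('id')}")
            rating["method"] = inferred
            changed += 1
    return fixed, changed


# Constructed sample mirroring the broken "After" output in the issue; the
# vulnerability id is a placeholder, not a real advisory.
CONVERTED_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {
            "id": "EXAMPLE-0001",
            "ratings": [
                {
                    "score": 3.3,
                    "severity": "low",
                    "method": "CVSSv3.1",
                    "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                }
            ],
        }
    ],
}


if __name__ == "__main__":
    # usage: python fix_rating_method.py converted.json repaired.json
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, encoding="utf-8") as fh:
        bom = json.load(fh)
    print("bad methods:", find_bad_methods(bom))
    repaired, count = fix_methods(bom)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(repaired, fh, indent=2)
    print(f"repaired {count} rating(s) -> {dst}")
```

Run it on the converted or merged file, then re-run `cyclonedx validate --input-file repaired.json`; the repair only touches `method`, so the score, severity and vector survive unchanged. The vector-prefix fallback is deliberately limited to prefixes that identify a CVSS version; a CVSS v2 vector has no such prefix, so a v2 rating with a garbled method is reported rather than guessed.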