
Vulnerability 1.0 Extension parsing bug

Open bors2908 opened this issue 2 years ago • 1 comment

Version: 7.3.2
OS: Win 11 Pro Build 22621

I've encountered a problem parsing an SBOM with a Vulnerability 1.0 Extension.

The problem is that if a component node has multiple rating nodes, ExtensionDeserializer cannot parse it properly and just fills it with nulls.

```xml
<v:ratings>
  <v:rating>
    <v:severity>Low</v:severity>
  </v:rating>
  <v:rating>
    <v:score>
      <v:base>6.1</v:base>
      <v:impact>4</v:impact>
      <v:exploitability>1.6</v:exploitability>
    </v:score>
    <v:method>CVSSv3</v:method>
    <v:vector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N</v:vector>
  </v:rating>
</v:ratings>
```

The com.astoc.scanner.logs.hub.scanners.service.parsers.cyclonedx.patch.CycloneDxPatchedExtensionDeserializer#processRating method should take additional cases into account, like when the "ratings/rating" node also contains multiple nodes inside. I'll try to fix the issue and make a pull request in the near future.

Test payload attached: cyclonedx-webgoat_test.txt

bors2908 avatar Jun 27 '23 16:06 bors2908
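To show what a deserializer has to handle here, the following is an added stand-alone Python parser for the `v:ratings` fragment from the report; it is not the project's ExtensionDeserializer or the reporter's patch. It collects every `v:rating` child (not just the first) and leaves fields a rating lacks as `None` instead of failing; the extension namespace URI is an assumption, and the sample XML is constructed from the snippet above.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI of the CycloneDX Vulnerability 1.0 extension; the
# constructed sample below declares the same value, so parsing is self-consistent.
VULN_NS = "http://cyclonedx.org/schema/ext/vulnerability/1.0"
NS = {"v": VULN_NS}

# Constructed sample: one <v:ratings> with two <v:rating> children, as in the issue.
SAMPLE_XML = f"""<v:ratings xmlns:v="{VULN_NS}">
  <v:rating>
    <v:severity>Low</v:severity>
  </v:rating>
  <v:rating>
    <v:score>
      <v:base>6.1</v:base>
      <v:impact>4</v:impact>
      <v:exploitability>1.6</v:exploitability>
    </v:score>
    <v:method>CVSSv3</v:method>
    <v:vector>CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N</v:vector>
  </v:rating>
</v:ratings>"""


def _text(parent, tag):
    """Stripped text of the child element v:<tag>, or None when it is absent."""
    node = parent.find(f"v:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None


def _float_or_none(parent, tag):
    """Numeric child value as float, or None when the child is missing."""
    value = _text(parent, tag)
    return float(value) if value is not None else None


def parse_rating(rating_el):
    """Map one <v:rating> to a dict; a rating with only a severity keeps score None."""
    score_el = rating_el.find("v:score", NS)
    score = None
    if score_el is not None:
        score = {k: _float_or_none(score_el, k) for k in ("base", "impact", "exploitability")}
    return {
        "severity": _text(rating_el, "severity"),
        "score": score,
        "method": _text(rating_el, "method"),
        "vector": _text(rating_el, "vector"),
    }


def parse_ratings(xml_text):
    """Parse a <v:ratings> element; findall keeps every <v:rating>, however many there are."""
    root = ET.fromstring(xml_text)
    return [parse_rating(r) for r in root.findall("v:rating", NS)]
```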

Added Pull Request #309

bors2908 avatar Jun 27 '23 17:06 bors2908