
Low EPSS scores are serialized in E-notation, causing validation to fail

Open sschuberth opened this issue 11 months ago • 3 comments

Coming from here, it seems that an EPSS vulnerability score of 0.000760000 is serialized as "7.600000244565308E-4" (at least in XML), which causes https://cyclonedx.github.io/cyclonedx-web-tool/validate to fail with

The 'http://cyclonedx.org/schema/bom/1.5:score' element is invalid - The value '7.600000244565308E-4' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '7.600000244565308E-4' is not a valid Decimal value.

Maybe a solution would be to force serialization always at some fixed precision. Or validation could be changed to accept E-notations for floating point numbers, but I guess that would be a harder task.

sschuberth, Dec 06 '24 16:12

hey @sschuberth, do you have an example where the serialization fails? I am trying to reproduce this to try to fix it, but without luck. We have done some changes/improvements lately, so I'm not sure if this has been fixed indirectly.

mr-zepol, Apr 10 '25 15:04

Hi @mr-zepol, the issue originally occurred with data from CVE-2020-15250 as found in pkg:maven/junit/[email protected]. I'll try to reproduce it again and report back.

sschuberth, May 06 '25 12:05

The problem is still present, see this CycloneDX 1.5 BOM, which was generated with cyclonedx-core-java version 10.2.1. When uploading this to https://cyclonedx.github.io/cyclonedx-web-tool/validate I get the error

Validation failed at line number 1067 and position 41: The 'http://cyclonedx.org/schema/bom/1.5:score' element is invalid - The value '1.8000000272877514E-4' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '1.8000000272877514E-4' is not a valid Decimal value.

sschuberth, May 06 '25 20:05
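The failure reported in the issue body and confirmed in the last comment is what Java's Double.toString produces for magnitudes below 1e-3: E-notation, which the xs:decimal lexical space does not allow. The following is an added example, not cyclonedx-core-java code; the class and method names are mine, and the two score values are the ones quoted in this thread. It renders each score three ways and applies the lexical check a BOM consumer could run on every score element before XSD validation.

```java
import java.math.BigDecimal;
import java.math.RoundingMode;
import java.util.regex.Pattern;

// Added example; not code from cyclonedx-core-java.
public class EpssScoreSerialization {

    // Lexical space of xs:decimal: optional sign, digits, optional fraction, no exponent part.
    private static final Pattern XSD_DECIMAL = Pattern.compile("[+-]?(\\d+(\\.\\d*)?|\\.\\d+)");

    // Scale for the fixed-precision variant; 9 matches the issue's "0.000760000".
    private static final int SCORE_SCALE = 9;

    // What a plain double-to-string conversion yields: Double.toString switches to
    // E-notation for magnitudes below 1e-3, which is where most EPSS scores sit.
    static String naiveToString(double score) {
        return Double.toString(score);
    }

    // Plain positional notation: BigDecimal.valueOf keeps Double.toString's digits,
    // and toPlainString expands the exponent, so the result is a valid xs:decimal.
    static String toPlainDecimal(double score) {
        return BigDecimal.valueOf(score).toPlainString();
    }

    // Fixed precision, as the issue suggests: rounding to SCORE_SCALE places also
    // drops the binary noise ("...244565308") that the double carried.
    static String toFixedDecimal(double score) {
        return BigDecimal.valueOf(score).setScale(SCORE_SCALE, RoundingMode.HALF_UP).toPlainString();
    }

    // Pre-validation check a consumer can run on each score's text before XSD validation.
    static boolean isValidXsdDecimal(String lexical) {
        return XSD_DECIMAL.matcher(lexical).matches();
    }

    public static void main(String[] args) {
        // The two scores quoted in the issue thread.
        double[] scores = {7.600000244565308E-4, 1.8000000272877514E-4};
        for (double score : scores) {
            String naive = naiveToString(score);
            String plain = toPlainDecimal(score);
            String fixed = toFixedDecimal(score);
            System.out.printf("naive=%s valid=%b%n", naive, isValidXsdDecimal(naive));
            System.out.printf("plain=%s valid=%b%n", plain, isValidXsdDecimal(plain));
            System.out.printf("fixed=%s valid=%b%n", fixed, isValidXsdDecimal(fixed));
        }
    }
}
```

If the BigDecimal is handed to Jackson rather than pre-rendered as a string, note that JsonGenerator.writeNumber(BigDecimal) still uses BigDecimal.toString() unless JsonGenerator.Feature.WRITE_BIGDECIMAL_AS_PLAIN is enabled, so the same E-notation can reappear.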