cyclonedx-dotnet-library
VEX support
Current Behavior:
Merging two VEX files results in the error below in cyclonedx-cli:
```
cyclonedx-cli merge --input-files 1b34e9fa-3a3f-4199-9ada-4b691f61869b-vex.cdx.json ec048047-1a44-4738-86d2-fe63faad61b5-vex.cdx.json --input-format json --output-file merged-vex.json --output-format json --name test --version test
Processing input file 1b34e9fa-3a3f-4199-9ada-4b691f61869b-vex.cdx.json
Processing input file ec048047-1a44-4738-86d2-fe63faad61b5-vex.cdx.json
Writing output file...
Unhandled exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at CycloneDX.Cli.Commands.MergeCommand.Merge(MergeCommandOptions options)
   at System.CommandLine.Invocation.CommandHandler.GetExitCodeAsync(Object value, InvocationContext context)
   at System.CommandLine.Invocation.ModelBindingCommandHandler.InvokeAsync(InvocationContext context)
   at System.CommandLine.Invocation.InvocationPipeline.<>c__DisplayClass4_0.<<BuildInvocationChain>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass23_0.<<UseParseErrorReporting>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass16_0.<<UseHelp>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass27_0.<<UseVersionOption>b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass25_0.<<UseTypoCorrections>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<UseSuggestDirective>b__24_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass22_0.<<UseParseDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass11_0.<<UseDebugDirective>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c.<<RegisterWithDotnetSuggest>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
   at System.CommandLine.Builder.CommandLineBuilderExtensions.<>c__DisplayClass14_0.<<UseExceptionHandler>b__0>d.MoveNext()
```
Two issues:
- CycloneDX.Utils/Merge.cs does not handle vulnerabilities in BOM files, causing a null reference in CycloneDX-CLI/MergeCommand (fixed by PR 209)
- Vulnerabilities are ignored during merge processing
Expected Behavior:
Manage the vulnerabilities that are part of the BOM, at least for the merge command.
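The behaviour the issue asks for, shown as an added example that is not part of the issue and not the CycloneDX.Utils or cyclonedx-cli code: a null-safe merge of the vulnerabilities section of several CycloneDX VEX documents, written in Python over the JSON form the CLI consumes rather than against the library's C# model classes. The three sample documents, the component refs, and the merge rules (deduplicate on source name plus id, union the `affects` refs, keep the more conservative `analysis` state when two documents disagree) are assumptions of this example; the two CVE identifiers are real lodash advisories used only as sample data.

```python
import copy
from typing import Dict, List, Tuple

# Constructed sample input (not taken from the issue): three minimal CycloneDX 1.4
# VEX documents in JSON form. VEX_A carries no "vulnerabilities" key at all, which
# is the shape the issue reports as triggering the null reference during merge.
LODASH = {"type": "library", "bom-ref": "pkg:npm/lodash@4.17.20",
          "name": "lodash", "version": "4.17.20"}
FRONTEND = {"type": "application", "bom-ref": "app-frontend",
            "name": "frontend", "version": "1.0.0"}

VEX_A = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
         "components": [LODASH]}
VEX_B = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
         "components": [LODASH],
         "vulnerabilities": [
             {"id": "CVE-2021-23337", "source": {"name": "NVD"},
              "analysis": {"state": "not_affected",
                           "justification": "code_not_reachable"},
              "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
         ]}
VEX_C = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
         "components": [LODASH, FRONTEND],
         "vulnerabilities": [
             # Same vulnerability as in VEX_B but with another affected ref and a
             # different analysis state, so the merge has to reconcile both.
             {"id": "CVE-2021-23337", "source": {"name": "NVD"},
              "analysis": {"state": "in_triage"},
              "affects": [{"ref": "app-frontend"}]},
             {"id": "CVE-2020-28500", "source": {"name": "NVD"},
              "analysis": {"state": "exploitable"},
              "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
         ]}

# Assumed precedence when two documents disagree about one vulnerability: a state
# that keeps the finding open beats one that closes it, and an unknown state
# ranks first (0) so an unexpected value is never silently discarded.
STATE_RANK = {"exploitable": 1, "in_triage": 2, "resolved": 3,
              "resolved_with_pedigree": 4, "false_positive": 5, "not_affected": 6}


def vuln_key(vuln: dict) -> Tuple[str, str]:
    """Identity of an entry: (source name, id), falling back to its bom-ref."""
    source = vuln.get("source") or {}
    return (source.get("name") or "", vuln.get("id") or vuln.get("bom-ref") or "")


def state_rank(vuln: dict) -> int:
    analysis = vuln.get("analysis") or {}
    return STATE_RANK.get(analysis.get("state"), 0)


def merge_vulnerabilities(boms: List[dict]) -> List[dict]:
    """Union of the vulnerabilities of all BOMs. A BOM whose key is absent or null
    contributes nothing instead of raising; duplicates are merged by key, their
    affected refs are unioned and the more conservative analysis is kept."""
    merged: Dict[Tuple[str, str], dict] = {}
    for bom in boms:
        for vuln in bom.get("vulnerabilities") or []:
            key = vuln_key(vuln)
            if key not in merged:
                merged[key] = copy.deepcopy(vuln)  # never alias the input documents
                continue
            existing = merged[key]
            seen = {a.get("ref") for a in existing.get("affects") or []}
            for affect in vuln.get("affects") or []:
                if affect.get("ref") not in seen:
                    existing.setdefault("affects", []).append(copy.deepcopy(affect))
                    seen.add(affect.get("ref"))
            if vuln.get("analysis"):
                if not existing.get("analysis") or state_rank(vuln) < state_rank(existing):
                    existing["analysis"] = copy.deepcopy(vuln["analysis"])
    return list(merged.values())


def merge_components(boms: List[dict]) -> List[dict]:
    """Union of components, deduplicated on bom-ref so the VEX affects refs stay valid."""
    merged: Dict[str, dict] = {}
    for bom in boms:
        for comp in bom.get("components") or []:
            ref = comp.get("bom-ref") or "%s:%s@%s" % (
                comp.get("group", ""), comp.get("name", ""), comp.get("version", ""))
            merged.setdefault(ref, copy.deepcopy(comp))
    return list(merged.values())


def merge_vex(boms: List[dict]) -> dict:
    """Flat merge of several CycloneDX JSON documents that keeps the vulnerabilities."""
    out = {"bomFormat": "CycloneDX",
           "specVersion": boms[0].get("specVersion", "1.4"),
           "version": 1,
           "components": merge_components(boms)}
    vulns = merge_vulnerabilities(boms)
    if vulns:  # omit the key rather than emit an empty array
        out["vulnerabilities"] = vulns
    return out
```

Merging `[VEX_A, VEX_B, VEX_C]` yields two vulnerability entries: CVE-2021-23337 ends up affecting both refs and carries the `in_triage` analysis from VEX_C instead of VEX_B's `not_affected`, and the document without a `vulnerabilities` key is simply skipped, which is the case that crashed the CLI. The precedence table is the one choice here that is policy rather than mechanics; if your process trusts a later document over an earlier one, replace `state_rank` with a timestamp or source-order comparison.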