osv-scanner
osv-scanner 2.0 does not consider nested components in CycloneDX SBOM
After updating to osv-scanner 2.0, it seems like nested components in a CycloneDX SBOM are no longer considered.
Example:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:77486714-0a72-4d06-ada6-9bf6c4e3a955",
  "version": 1,
  "metadata": {
    "component": {
      "type": "application",
      "bom-ref": "[email protected]",
      "name": "MyApp",
      "version": "1.0.0",
      "author": "MyCompany"
    },
    "timestamp": "2025-03-11T20:14:32.767Z"
  },
  "components": [
    {
      "type": "application",
      "bom-ref": "[email protected]",
      "name": "MyBinary",
      "version": "1.0.0",
      "purl": "pkg:generic/MyBinary@1.0.0",
      "components": [
        {
          "type": "library",
          "bom-ref": "[email protected]",
          "name": "rustls",
          "version": "0.23.13",
          "purl": "pkg:cargo/rustls@0.23.13"
        }
      ]
    }
  ]
}
```
```
# 1.9.2
> osv-scanner scan --sbom test.cdx.json
Scanned /home/davidsm/test.cdx.json as CycloneDX SBOM and found 2 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────┬─────────┬───────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE        │
├─────────────────────────────────────┼──────┼───────────┼─────────┼─────────┼───────────────┤
│ https://osv.dev/GHSA-qg5g-gv98-5ffh │ 6.9  │ crates.io │ rustls  │ 0.23.13 │ test.cdx.json │
│ https://osv.dev/RUSTSEC-2024-0399   │      │ crates.io │ rustls  │ 0.23.13 │ test.cdx.json │
╰─────────────────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────╯
```

```
# 2.0.0
> osv-scanner scan --sbom test.cdx.json
Scanned /home/davidsm/test.cdx.json file and found 1 package
No issues found
```
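The difference between the two runs above comes down to whether the SBOM reader recurses into a component's own `components` array. The following is an added example, not code from the osv-scanner project: it walks a CycloneDX component tree depth-first, reports which purls sit below the top level (the ones a flat-only reader drops, here the rustls crate), and can hoist every component to the top level so a flat-only consumer still scans the full inventory. The embedded SBOM is a constructed sample reconstructed from the one in the issue, with the purls and bom-refs written out as `name@version`; the `Component`/`BOM` structs cover only the fields this example needs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Constructed sample, reconstructed from the issue's SBOM (purls/bom-refs as name@version).
const SampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {
      "type": "application",
      "bom-ref": "MyBinary@1.0.0",
      "name": "MyBinary",
      "version": "1.0.0",
      "purl": "pkg:generic/MyBinary@1.0.0",
      "components": [
        {
          "type": "library",
          "bom-ref": "rustls@0.23.13",
          "name": "rustls",
          "version": "0.23.13",
          "purl": "pkg:cargo/rustls@0.23.13"
        }
      ]
    }
  ]
}`

// Component is the subset of a CycloneDX component this example reads.
// CycloneDX 1.x lets a component carry its own "components" array (nesting).
type Component struct {
	Type       string      `json:"type"`
	BOMRef     string      `json:"bom-ref,omitempty"`
	Name       string      `json:"name"`
	Version    string      `json:"version,omitempty"`
	PURL       string      `json:"purl,omitempty"`
	Components []Component `json:"components,omitempty"`
}

// BOM keeps only what is needed to walk and rewrite the component tree.
type BOM struct {
	BOMFormat   string          `json:"bomFormat"`
	SpecVersion string          `json:"specVersion"`
	Version     int             `json:"version"`
	Metadata    json.RawMessage `json:"metadata,omitempty"`
	Components  []Component     `json:"components"`
}

func parse(raw []byte) (*BOM, error) {
	var bom BOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("not a CycloneDX SBOM: bomFormat=%q", bom.BOMFormat)
	}
	return &bom, nil
}

// walk visits every component depth-first, parents before their children.
func walk(cs []Component, depth int, visit func(c Component, depth int)) {
	for _, c := range cs {
		visit(c, depth)
		walk(c.Components, depth+1, visit)
	}
}

// CollectPurls returns top-level purls and nested purls separately, so the
// caller can see exactly what a reader that ignores nesting would miss.
func CollectPurls(raw []byte) (top, nested []string, err error) {
	bom, err := parse(raw)
	if err != nil {
		return nil, nil, err
	}
	walk(bom.Components, 0, func(c Component, depth int) {
		switch {
		case c.PURL == "":
		case depth == 0:
			top = append(top, c.PURL)
		default:
			nested = append(nested, c.PURL)
		}
	})
	return top, nested, nil
}

// Flatten hoists every component into the top-level array. Nesting (and the
// containment it expresses) is lost, so use the output for scanning only.
func Flatten(raw []byte) ([]byte, error) {
	bom, err := parse(raw)
	if err != nil {
		return nil, err
	}
	var flat []Component
	walk(bom.Components, 0, func(c Component, _ int) {
		c.Components = nil // c is a copy; the walk still descends into the original children
		flat = append(flat, c)
	})
	bom.Components = flat
	return json.MarshalIndent(bom, "", "  ")
}

func main() {
	top, nested, err := CollectPurls([]byte(SampleSBOM))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%d top-level, %d nested (skipped by a flat-only reader): %v\n", len(top), len(nested), nested)
	flat, _ := Flatten([]byte(SampleSBOM))
	os.Stdout.Write(flat)
}
```

Running it on the sample reports one top-level purl and one nested purl (the rustls crate), which matches the 2-package versus 1-package discrepancy in the two scans above; the flattened output lists both as top-level entries.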