Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[bug] BOMEncoder for vulnerabilities adds a default score of 0 if not specified #25

Closed
sambhav opened this issue Mar 17, 2022 · 1 comment · Fixed by #26
Closed

[bug] BOMEncoder for vulnerabilities adds a default score of 0 if not specified #25

sambhav opened this issue Mar 17, 2022 · 1 comment · Fixed by #26
Labels
bug Something isn't working
Milestone
v0.5.1

Comments

@sambhav
Copy link
Member

sambhav commented Mar 17, 2022
edited
Loading

Currently vulnerabilities.ratings.score is a non required field in the spec. The library however serializes absent scores as 0 in VEX documents. This is probably because score is a float field

cyclonedx-go/cyclonedx.go

Line 637 in 6c388c4

Score float64 `json:"score" xml:"score"`
instead of a float pointer in which case we could omit it in case it is set to nil.

For example see BOMs at anchore/grype#678
@sambhav sambhav changed the title [bug] BOMEncoder for vulnerabilities add a default score of 0 if not specified [bug] BOMEncoder for vulnerabilities adds a default score of 0 if not specified Mar 17, 2022
nscuro added a commit that referenced this issue Mar 19, 2022
@nscuro
fix: make vuln rating score optional
1fd9caf 
fixes #25

BREAKING CHANGE: the type of `VulnerabilityRating.Score` changed from `float64` to `*float64`.

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro mentioned this issue Mar 19, 2022
Merged
@nscuro nscuro added the bug Something isn't working label Mar 19, 2022
@nscuro nscuro added this to the v0.5.1 milestone Mar 19, 2022
@nscuro
Copy link
Member

nscuro commented Mar 19, 2022

Good catch and thx for reporting, @samj1912! Fixed in v0.5.1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
v0.5.1
Development

Successfully merging a pull request may close this issue.

fix: make vuln rating score optional CycloneDX/cyclonedx-go
2 participants
@nscuro @sambhav