presenter: cyclonedx vulnerability schema fixes

Signed-off-by: Alfredo Deza <adeza@anchore.com>

grype/presenter/cyclonedx/vuln-extension.go

@@ -14,14 +14,14 @@ import (
 // Source is the origin of the vulnerability, like Github Advisories or NVD, along
 // with a URL constructed with the vulnerability ID
 type Source struct {
-	Name string `xml:"v:name,attr"`
+	Name string `xml:"name,attr"`
 	URL  string `xml:"v:url"`
 }
 
 // Rating has information about the intensity of a vulnerability
 type Rating struct {
 	Score    Score  `xml:"v:score"`
-	Severity string `xml:"v:severity"`
+	Severity string `xml:"v:severity,omitempty"`
 	Method   string `xml:"v:method,omitempty"`
 	Vector   string `xml:"v:vector,omitempty"`
 }
@@ -35,27 +35,27 @@ type Score struct {
 
 // Advisories holds all the links for a vulnerability
 type Advisories struct {
-	Advisory []string `xml:"advisory"`
+	Advisory []string `xml:"v:advisory"`
 }
 
 // Vulnerability is the actual description of a vulnerable artifact
 type Vulnerability struct {
 	Ref     string   `xml:"ref,attr"`
 	ID      string   `xml:"v:id"`
 	Source  Source   `xml:"v:source"`
-	Ratings []Rating `xml:"v:ratings"`
+	Ratings []Rating `xml:"v:ratings>v:rating"`
 	// We do not capture Common Weakness Enumeration
 	//Cwes            Cwes             `xml:"v:cwes"`
 	Description string `xml:"v:description,omitempty"`
 	// We don't have recommendations (e.g. "upgrade")
 	//Recommendations *Recommendations `xml:"v:recommendations"`
-	Advisories *Advisories `xml:"v:advisories"`
+	Advisories *Advisories `xml:"v:advisories,omitempty"`
 }
 
 // Component represents the a single software/package that has vulnerabilities.
 type Component struct {
 	syftCDX.Component
-	Vulnerabilities []Vulnerability `xml:"v:vulnerabilities"`
+	Vulnerabilities *[]Vulnerability `xml:"v:vulnerabilities>v:vulnerability,omitempty"`
 }
 
 // NewBomDescriptor returns a new BomDescriptor tailored for the current time and "syft" tool details.