diff --git a/grype/presenter/cyclonedx/vuln-extension.go b/grype/presenter/cyclonedx/vuln-extension.go
index 36a27fa5888..edf125a532c 100644
--- a/grype/presenter/cyclonedx/vuln-extension.go
+++ b/grype/presenter/cyclonedx/vuln-extension.go
@@ -14,14 +14,14 @@ import (
 // Source is the origin of the vulnerability, like Github Advisories or NVD, along
 // with a URL constructed with the vulnerability ID
 type Source struct {
- Name string `xml:"v:name,attr"`
+ Name string `xml:"name,attr"`
 URL string `xml:"v:url"`
 }
 
 // Rating has information about the intensity of a vulnerability
 type Rating struct {
 Score Score `xml:"v:score"`
- Severity string `xml:"v:severity"`
+ Severity string `xml:"v:severity,omitempty"`
 Method string `xml:"v:method,omitempty"`
 Vector string `xml:"v:vector,omitempty"`
 }
@@ -35,7 +35,7 @@ type Score struct {
 
 // Advisories holds all the links for a vulnerability
 type Advisories struct {
- Advisory []string `xml:"advisory"`
+ Advisory []string `xml:"v:advisory"`
 }
 
 // Vulnerability is the actual description of a vulnerable artifact
@@ -43,19 +43,19 @@ type Vulnerability struct {
 Ref string `xml:"ref,attr"`
 ID string `xml:"v:id"`
 Source Source `xml:"v:source"`
- Ratings []Rating `xml:"v:ratings"`
+ Ratings []Rating `xml:"v:ratings>v:rating"`
 // We do not capture Common Weakness Enumeration
 //Cwes Cwes `xml:"v:cwes"`
 Description string `xml:"v:description,omitempty"`
 // We don't have recommendations (e.g. "upgrade")
 //Recommendations *Recommendations `xml:"v:recommendations"`
- Advisories *Advisories `xml:"v:advisories"`
+ Advisories *Advisories `xml:"v:advisories,omitempty"`
 }
 
 // Component represents the a single software/package that has vulnerabilities.
 type Component struct {
 syftCDX.Component
- Vulnerabilities []Vulnerability `xml:"v:vulnerabilities"`
+ Vulnerabilities *[]Vulnerability `xml:"v:vulnerabilities>v:vulnerability,omitempty"`
 }
 
 // NewBomDescriptor returns a new BomDescriptor tailored for the current time and "syft" tool details.
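Review bot: The new `v:`-prefixed element names in the third hunk (`v:ratings>v:rating`, `v:advisory`, `v:vulnerabilities>v:vulnerability`) are written literally by encoding/xml, which does not resolve prefixes, so the emitted report is only namespace-well-formed if the enclosing bom root declares `xmlns:v` for the CycloneDX vulnerability extension; that declaration is outside this hunk (presumably in the presenter), and a strict downstream SBOM/VEX consumer will reject or silently drop the vulnerability data if it is missing. For the same reason `xml.Unmarshal` cannot match these tags back onto the structs, so these types are marshal-only, and I would record that above `type Component struct`: `// NOTE: the v: prefix is emitted literally by encoding/xml and relies on the xmlns:v declaration on the bom root; these types are for marshaling only.` Separately, `*[]Vulnerability` with `omitempty` yields the same output as `[]Vulnerability` with `omitempty`, since omitempty already drops a nil or empty slice, so the pointer only adds indirection unless a caller relies on the nil/non-nil distinction — a one-line comment would make that intent explicit if it is deliberate. The `Vulnerability` struct's opening line sits in the `@@` header context, outside the hunk body.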