Open
Description
opened on Oct 22, 2024
Version: cyclonedx-cli 0.27.1, CycloneDX format 1.6
When trying to validate an SBOM that was produced with `cyclonedx-cli merge`, I get the following errors:
```
"$.vulnerabilities[244].ratings[8].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[244].ratings[9].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[244].ratings[11].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[244].ratings[12].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[245].ratings[0].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[245].ratings[1].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[245].ratings[2].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[245].ratings[4].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
"$.vulnerabilities[245].ratings[5].method: does not have a value in the enumeration [\"CVSSv2\", \"CVSSv3\", \"CVSSv31\", \"CVSSv4\", \"OWASP\", \"SSVC\", \"other\"]",
```
Example part of the erroneous data (fragment of one vulnerability entry from the merged output):
```json
{
  "id": "CVE-2021-3807",
  "source": {
    "name": "ghsa",
    "url": "https://github.com/advisories?query=type%3Areviewed\u002Becosystem%3Anpm"
  },
  "ratings": [
    {
      "source": {
        "name": "alma"
      },
      "score": 0,
      "severity": "medium",
      "method": "Null"
    },
    {
      "source": {
        "name": "ghsa"
      },
      "score": 7.5,
      "severity": "high",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 7.8,
      "severity": "high",
      "method": "CVSSv2",
      "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 7.5,
      "severity": "high",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "oracle-oval"
      },
      "score": 0,
      "severity": "medium",
      "method": "Null"
    },
    {
      "source": {
        "name": "redhat"
      },
      "score": 7.5,
      "severity": "medium",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
```
The original input data did not contain this information (same entry, as it was before the merge):
```json
{
  "id": "CVE-2021-3807",
  "source": {
    "name": "ghsa",
    "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
  },
  "ratings": [
    {
      "source": {
        "name": "alma"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "ghsa"
      },
      "score": 7.5,
      "severity": "high",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 7.8,
      "severity": "high",
      "method": "CVSSv2",
      "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    },
    {
      "source": {
        "name": "nvd"
      },
      "score": 7.5,
      "severity": "high",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    },
    {
      "source": {
        "name": "oracle-oval"
      },
      "severity": "medium"
    },
    {
      "source": {
        "name": "redhat"
      },
      "score": 7.5,
      "severity": "medium",
      "method": "CVSSv31",
      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
    }
  ],
```
Temporary workaround:
```sh
sed -i 's/"method": "Null"/"method": "other"/' "output_sbom.json"
```
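The `sed` workaround makes the merged file pass schema validation, but it leaves the synthesised `"score": 0` next to every rating it relabels, so a downstream consumer now sees a zero score with method `other` where the input had no score at all. The script below is an added example, not part of cyclonedx-cli or of this issue: it reports every rating whose `method` falls outside the enumeration quoted in the validator output, and can repair the file either the way the `sed` line does or by dropping the synthesised keys so the rating matches the pre-merge input. The sample BOM is a constructed, trimmed copy of the `CVE-2021-3807` entry shown above; the assumption that a `"Null"` method paired with a score of `0` was synthesised by merge is taken from the before/after data in the issue and is labelled in the code.

```python
"""Check and repair rating 'method' values in a CycloneDX 1.6 JSON SBOM.

Hypothetical post-processing helper; not part of cyclonedx-cli.
"""
import copy
import json
from typing import Dict, List, Tuple

# Enumeration exactly as the cyclonedx-cli validator error on this page lists it.
VALID_METHODS = {"CVSSv2", "CVSSv3", "CVSSv31", "CVSSv4", "OWASP", "SSVC", "other"}

# Constructed sample: a trimmed copy of the merged CVE-2021-3807 entry from the
# issue (three of its six ratings), wrapped in a minimal BOM envelope.
MERGED_SAMPLE: Dict = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [
        {
            "id": "CVE-2021-3807",
            "ratings": [
                {"source": {"name": "alma"}, "score": 0, "severity": "medium", "method": "Null"},
                {"source": {"name": "ghsa"}, "score": 7.5, "severity": "high",
                 "method": "CVSSv31",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
                {"source": {"name": "oracle-oval"}, "score": 0, "severity": "medium", "method": "Null"},
            ],
        }
    ],
}


def find_invalid_methods(bom: Dict) -> List[str]:
    """Return the JSON path of every rating whose 'method' is outside the 1.6 enumeration.

    Paths use the same $.vulnerabilities[i].ratings[j].method form as the validator output.
    """
    bad = []
    for i, vuln in enumerate(bom.get("vulnerabilities", [])):
        for j, rating in enumerate(vuln.get("ratings", [])):
            if "method" in rating and rating["method"] not in VALID_METHODS:
                bad.append(f"$.vulnerabilities[{i}].ratings[{j}].method")
    return bad


def repair_ratings(bom: Dict, strategy: str = "drop") -> Tuple[Dict, int]:
    """Return (repaired deep copy of bom, number of ratings changed).

    strategy="other": the sed workaround from the issue, i.e. rewrite an invalid
                      method to "other" and leave everything else as it is.
    strategy="drop":  remove the invalid 'method' key and, when the method was
                      "Null" and the score is 0, remove 'score' as well.
                      Assumption (from the before/after data in the issue): a
                      "Null"/0 pair was synthesised by merge, so dropping both
                      restores the rating the input actually contained.
    """
    if strategy not in ("drop", "other"):
        raise ValueError(f"unknown strategy {strategy!r}")
    fixed = copy.deepcopy(bom)
    changed = 0
    for vuln in fixed.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            method = rating.get("method")
            if method is None or method in VALID_METHODS:
                continue
            if strategy == "other":
                rating["method"] = "other"
            else:
                if method == "Null" and rating.get("score") == 0:
                    rating.pop("score", None)
                del rating["method"]
            changed += 1
    return fixed, changed


def repair_file(src: str, dst: str, strategy: str = "drop") -> int:
    """Read a merged SBOM from src, repair it, write it to dst; return the change count."""
    with open(src, encoding="utf-8") as fh:
        bom = json.load(fh)
    fixed, changed = repair_ratings(bom, strategy)
    with open(dst, "w", encoding="utf-8") as fh:
        json.dump(fixed, fh, indent=2)
    return changed


if __name__ == "__main__":
    print("invalid before:", find_invalid_methods(MERGED_SAMPLE))
    repaired, n = repair_ratings(MERGED_SAMPLE)
    print(f"changed {n} rating(s); invalid after: {find_invalid_methods(repaired)}")
    print(json.dumps(repaired["vulnerabilities"][0]["ratings"][0]))
```

Run `find_invalid_methods` on the merged file first to confirm the only offending value is `"Null"` before choosing a strategy; `repair_file(src, dst, "other")` reproduces the `sed` result, while the default `"drop"` strategy removes the fabricated score instead of carrying it into whatever consumes the SBOM next.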