
Source URLs missing/broken in output with latest release #2520

@lazka


Using the following CycloneDX 1.4 SBOM as input, scanned with `grype example.sbom.json -o cyclonedx-json`:

{
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
      {
        "type": "library",
        "name": "Jinja2",
        "version": "3.1.2",
        "purl": "pkg:pypi/jinja2@3.1.2"
      }
    ]
  }

Comparing the output of 0.86 against the latest release (the diff below was produced with 0.86.1 and 0.89.0, see the tool metadata), every `source.url` in `vulnerabilities[]` and in each entry's `references[]` has lost its link: instead of the advisory URL (e.g. `https://github.com/advisories/GHSA-gmj6-6f8f-6699`) the field now contains only the bare provider name, `"github"` or `"nvd"`:

--- old.json	2025-03-10 20:59:19.529302755 +0100
+++ new.json	2025-03-10 21:00:19.434721083 +0100
@@ -2,17 +2,17 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.6",
-  "serialNumber": "urn:uuid:ae3c3d56-4a14-4dfc-bc6b-fbd83bf0df3b",
+  "serialNumber": "urn:uuid:0d1397d0-c8e0-4439-87e6-6d038b0b623c",
   "version": 1,
   "metadata": {
-    "timestamp": "2025-03-10T20:59:19+01:00",
+    "timestamp": "2025-03-10T21:00:19+01:00",
     "tools": {
       "components": [
         {
           "type": "application",
           "author": "anchore",
           "name": "grype",
-          "version": "0.86.1"
+          "version": "0.89.0"
         }
       ]
     }
@@ -38,24 +38,25 @@
   ],
   "vulnerabilities": [
     {
-      "bom-ref": "urn:uuid:1b8bc76d-f6aa-44c7-b047-f688e2423e6c",
+      "bom-ref": "urn:uuid:7f4bc015-9791-4359-a8c6-33c7b86ab439",
       "id": "GHSA-cpwx-vrp4-4pq7",
       "source": {
         "name": "github-language-python",
-        "url": "https://github.com/advisories/GHSA-cpwx-vrp4-4pq7"
+        "url": "github"
       },
       "references": [
         {
           "id": "GHSA-cpwx-vrp4-4pq7",
           "source": {
             "name": "github-language-python",
-            "url": "https://github.com/advisories/GHSA-cpwx-vrp4-4pq7"
+            "url": "github"
           }
         }
       ],
       "ratings": [
         {
-          "severity": "medium"
+          "severity": "medium",
+          "method": "other"
         }
       ],
       "description": "Jinja2 vulnerable to sandbox breakout through attr filter selecting format method",
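Review bot: The new side writes the literal provider name `"github"` into `source.url` (both the top-level `source` and the nested `references[].source`), which is not a URL at all; CycloneDX documents `vulnerability.source.url` as the URL of the vulnerability documentation, so VEX/SBOM consumers that dereference or validate that field as a URI will break or silently drop the link. The old side shows the value is fully derivable from the advisory id, `"url": "https://github.com/advisories/GHSA-cpwx-vrp4-4pq7"`, so this looks like the provider name being emitted where the constructed URL used to be (presumably a regression from whichever data-source change landed between 0.86.1 and 0.89.0; worth confirming against the CycloneDX presenter). If no URL can be built for a source, omitting `url` is preferable to emitting a non-URL placeholder that downstream tooling cannot distinguish from a real link. The added `"method": "other"` on the rating is unrelated to this regression and is fine for a severity-only rating with no score.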
@@ -71,18 +72,18 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:e8149214-e3ff-4268-a0a8-de3bc68b32cc",
+      "bom-ref": "urn:uuid:c4c36605-f0e9-4cc3-8bd9-0cc9accd165a",
       "id": "GHSA-gmj6-6f8f-6699",
       "source": {
         "name": "github-language-python",
-        "url": "https://github.com/advisories/GHSA-gmj6-6f8f-6699"
+        "url": "github"
       },
       "references": [
         {
           "id": "GHSA-gmj6-6f8f-6699",
           "source": {
             "name": "github-language-python",
-            "url": "https://github.com/advisories/GHSA-gmj6-6f8f-6699"
+            "url": "github"
           }
         }
       ],
@@ -107,18 +108,18 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:c67636ae-1efc-4add-84d7-c633c7c7bcfc",
+      "bom-ref": "urn:uuid:a58c35be-ce67-4a94-9bb3-a5d02b0fbf88",
       "id": "GHSA-h5c8-rqwp-cp95",
       "source": {
         "name": "github-language-python",
-        "url": "https://github.com/advisories/GHSA-h5c8-rqwp-cp95"
+        "url": "github"
       },
       "references": [
         {
           "id": "GHSA-h5c8-rqwp-cp95",
           "source": {
             "name": "github-language-python",
-            "url": "https://github.com/advisories/GHSA-h5c8-rqwp-cp95"
+            "url": "github"
           }
         }
       ],
@@ -143,18 +144,18 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:80cc3ca6-773d-45a0-afe3-38d3576c7046",
+      "bom-ref": "urn:uuid:7ea1546c-fb37-45a5-a012-9f58f5f827ee",
       "id": "GHSA-h75v-3vvj-5mfj",
       "source": {
         "name": "github-language-python",
-        "url": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj"
+        "url": "github"
       },
       "references": [
         {
           "id": "GHSA-h75v-3vvj-5mfj",
           "source": {
             "name": "github-language-python",
-            "url": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj"
+            "url": "github"
           }
         }
       ],
@@ -179,18 +180,18 @@
       ]
     },
     {
-      "bom-ref": "urn:uuid:7fe3a93b-f8c9-47a5-a011-c1df27e18008",
+      "bom-ref": "urn:uuid:bc19600f-671f-4ed1-a166-a93ef6b69714",
       "id": "GHSA-q2x7-8rv6-6q7h",
       "source": {
         "name": "github-language-python",
-        "url": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h"
+        "url": "github"
       },
       "references": [
         {
           "id": "GHSA-q2x7-8rv6-6q7h",
           "source": {
             "name": "github-language-python",
-            "url": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h"
+            "url": "github"
           }
         }
       ],
