CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Merge produces incorrect ratings.method Null values #409

Open wkoot opened 1 month ago

wkoot commented 1 month ago

Version cyclonedx-cli:0.27.1, CycloneDX format 1.6

When trying to validate an SBOM that was produced with cyclonedx-cli merge, I get the following errors:

    \"$.vulnerabilities[244].ratings[8].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[244].ratings[9].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[244].ratings[11].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[244].ratings[12].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[245].ratings[0].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[245].ratings[1].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[245].ratings[2].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[245].ratings[4].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",
    \"$.vulnerabilities[245].ratings[5].method: does not have a value in the enumeration [\\\"CVSSv2\\\", \\\"CVSSv3\\\", \\\"CVSSv31\\\", \\\"CVSSv4\\\", \\\"OWASP\\\", \\\"SSVC\\\", \\\"other\\\"]\",

Example part of erroneous data:

    {
      "id": "CVE-2021-3807",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed\u002Becosystem%3Anpm"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "score": 0,
          "severity": "medium",
          "method": "Null"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.8,
          "severity": "high",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "score": 0,
          "severity": "medium",
          "method": "Null"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],

The original input data did not contain this information:

    {
      "id": "CVE-2021-3807",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anpm"
      },
      "ratings": [
        {
          "source": {
            "name": "alma"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.8,
          "severity": "high",
          "method": "CVSSv2",
          "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"
        },
        {
          "source": {
            "name": "nvd"
          },
          "score": 7.5,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        {
          "source": {
            "name": "oracle-oval"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7.5,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        }
      ],

Temporary workaround:

    sed -i 's/"method": "Null"/"method": "other"/' "output_sbom.json"
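
As an added example (not part of the report and not cyclonedx-cli code), the following Python locates ratings whose `method` falls outside the 1.6 enumeration and, as an alternative to relabelling them `other`, drops the spurious field so the entry matches the pre-merge input shown above. The sample SBOM is constructed from the shape of the reported entry; treating a `score` of 0 beside an invalid `method` and no `vector` as the same merge artefact is an assumption based on this report.

```python
import copy

# Allowed ratings[].method values in the CycloneDX 1.6 schema, as listed in the
# validator error above.
VALID_METHODS = {"CVSSv2", "CVSSv3", "CVSSv31", "CVSSv4", "OWASP", "SSVC", "other"}

# Constructed sample mirroring the shape of the merged entry in the report
# (not the reporter's full SBOM): one spurious rating, one genuine CVSS rating.
MERGED_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [{
        "id": "CVE-2021-3807",
        "ratings": [
            {"source": {"name": "alma"}, "score": 0, "severity": "medium", "method": "Null"},
            {"source": {"name": "ghsa"}, "score": 7.5, "severity": "high", "method": "CVSSv31",
             "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
        ],
    }],
}


def find_invalid_methods(sbom):
    """Return JSON-path style locations of ratings whose method is outside the enum."""
    hits = []
    for vi, vuln in enumerate(sbom.get("vulnerabilities", [])):
        for ri, rating in enumerate(vuln.get("ratings", [])):
            method = rating.get("method")
            if method is not None and method not in VALID_METHODS:
                hits.append(f"$.vulnerabilities[{vi}].ratings[{ri}].method")
    return hits


def strip_spurious_rating_fields(sbom):
    """Return a copy with invalid method values removed. A score of 0 sitting next
    to an invalid method with no vector is treated as the same merge artefact
    (assumption based on the report) and removed as well."""
    fixed = copy.deepcopy(sbom)
    for vuln in fixed.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            method = rating.get("method")
            if method is None or method in VALID_METHODS:
                continue
            del rating["method"]
            if rating.get("score") == 0 and "vector" not in rating:
                del rating["score"]
    return fixed
```

Run `find_invalid_methods` on the cleaned copy afterwards, or re-run `cyclonedx-cli validate`, to confirm nothing invalid remains.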
andreas-hilti commented 1 month ago

I think there are a couple of things wrong in Rating: src/CycloneDX.Core/Models/Vulnerabilities/Rating.cs, and maybe more.

andreas-hilti commented 5 days ago

@wkoot This should be fixed in release 0.27.2.