CycloneDX XML's Vulnerability Field cannot be unmarshalled into Component struct

[rxl7906]

What happened:

• Ran Grype Scan to produce CycloneDX XML output and tried to unmarshal it into the Component struct. However Vulnerabilities produce "nil" values.

What you expected to happen:

• We expected the Vulnerabilities to be populated with actual values.

How to reproduce it (as minimally and precisely as possible):

• Run Grype Scan to produce CycloneDX XML and unmarshal that output into a Component struct. This is what we see got decoded.

  {XMLName:{Space:http://cyclonedx.org/schema/bom/1.2 Local:component} Type:library Supplier: Author: Publisher: Group: Name:bash Version:5.0-4 Description: Licenses:<nil> PackageURL: Vulnerabilities:<nil>}

Anything else we need to know?:

Environment:

• Output of grype version:
• OS (e.g: cat /etc/os-release or similar):

[luhring]

Copying context from a community Slack thread to here:

Today we don’t actually use those structs for unmarshaling (input), only marshaling (output). So that’s why you’ll see there are no tests to assert behavior for the input path — it’s not a behavior we actually support.

That said, if there’s a solution to your problem has no adverse impact to our codebase and makes your life better, we’re very open to considering it, just like with [this] PR for the component field -> https://github.com/anchore/grype/pull/344

[spiffcs]

Hey @rxl7906! We've seen a couple of updates in grype over this past year. We wanted to see if the json solution you came up with was working correctly and if this might still be an issue for you?