chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.5.0 to 0.5.1 (#1926)

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-12 07:40:48 -08:00 · 2022-04-26 19:39:38 +03:00
parent b6baa65ff2
commit 55f29b8fb2
4 changed files with 19 additions and 15 deletions
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
 go 1.18

 require (
-	github.com/CycloneDX/cyclonedx-go v0.5.0
+	github.com/CycloneDX/cyclonedx-go v0.5.1
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
@@ -34,6 +34,7 @@ require (
 	github.com/open-policy-agent/opa v0.39.0
 	github.com/owenrumney/go-sarif/v2 v2.1.1
 	github.com/package-url/packageurl-go v0.1.1-0.20220203205134-d70459300c8a
+	github.com/samber/lo v1.16.0
 	github.com/spf13/afero v1.8.1 // indirect
 	github.com/stretchr/testify v1.7.1
 	github.com/testcontainers/testcontainers-go v0.12.0
@@ -151,7 +152,6 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/samber/lo v1.15.0 // indirect
 	github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -139,8 +139,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
 github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
-github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
+github.com/CycloneDX/cyclonedx-go v0.5.1 h1:5sUznp+OO6JpjRoOaCEEUOaRCuTjsMkMAxJIdZiSRaw=
+github.com/CycloneDX/cyclonedx-go v0.5.1/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
 github.com/Djarvur/go-err113 v0.0.0-20200410182137-af658d038157/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/Djarvur/go-err113 v0.1.0/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/Flaque/filet v0.0.0-20201012163910-45f684403088 h1:PnnQln5IGbhLeJOi6hVs+lCeF+B1dRfFKPGXUAez0Ww=
@@ -1348,8 +1348,8 @@ github.com/ryancurrah/gomodguard v1.0.4/go.mod h1:9T/Cfuxs5StfsocWr4WzDL36HqnX0f
 github.com/ryancurrah/gomodguard v1.1.0/go.mod h1:4O8tr7hBODaGE6VIhfJDHcwzh5GUccKSJBU0UMXJFVM=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4=
-github.com/samber/lo v1.15.0 h1:oCv6DoDkpUyfHxJdWJSzClCO/V/1Si9TjWFH1OZWf6I=
-github.com/samber/lo v1.15.0/go.mod h1:2I7tgIv8Q1SG2xEIkRq0F2i2zgxVpnyPOP0d3Gj2r+A=
+github.com/samber/lo v1.16.0 h1:+6T6SrR32p8Ve8gckYnpsN63pHB3/53ZPw6R/CwufCc=
+github.com/samber/lo v1.16.0/go.mod h1:2I7tgIv8Q1SG2xEIkRq0F2i2zgxVpnyPOP0d3Gj2r+A=
 github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e h1:NO86zOn5ScSKW8wRbMaSIcjDZUFpWdCQQnexRqZ9h9A=
 github.com/saracen/walker v0.0.0-20191201085201-324a081bae7e/go.mod h1:G0Z6yVPru183i2MuRJx1DcR4dgIZtLcTdaaE/pC1BJU=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
--- a/pkg/report/cyclonedx/cyclonedx.go
+++ b/pkg/report/cyclonedx/cyclonedx.go
@@ -468,7 +468,10 @@ func ratings(vulnerability types.DetectedVulnerability) *[]cdx.VulnerabilityRati
 		if rates[i].Method != rates[j].Method {
 			return rates[i].Method < rates[j].Method
 		}
-		return rates[i].Score < rates[j].Score
+		if rates[i].Score != nil && rates[j].Score != nil {
+			return *rates[i].Score < *rates[j].Score
+		}
+		return rates[i].Vector < rates[j].Vector
 	})
 	return &rates
 }
@@ -485,7 +488,7 @@ func ratingV2(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CV
 		Source: &cdx.Source{
 			Name: string(sourceID),
 		},
-		Score:    cvss.V2Score,
+		Score:    &cvss.V2Score,
 		Method:   cdx.ScoringMethodCVSSv2,
 		Severity: cdxSeverity,
 		Vector:   cvss.V2Vector,
@@ -510,7 +513,7 @@ func ratingV3(sourceID dtypes.SourceID, severity dtypes.Severity, cvss dtypes.CV
 		Source: &cdx.Source{
 			Name: string(sourceID),
 		},
-		Score:    cvss.V3Score,
+		Score:    &cvss.V3Score,
 		Method:   cdx.ScoringMethodCVSSv3,
 		Severity: toCDXSeverity(severity),
 		Vector:   cvss.V3Vector,
--- a/pkg/report/cyclonedx/cyclonedx_test.go
+++ b/pkg/report/cyclonedx/cyclonedx_test.go
@@ -10,6 +10,7 @@ import (
 	cdx "github.com/CycloneDX/cyclonedx-go"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/uuid"
+	"github.com/samber/lo"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	fake "k8s.io/utils/clock/testing"
@@ -335,7 +336,7 @@ func TestWriter_Write(t *testing.T) {
 									Name: string(vulnerability.NVD),
 									URL:  "",
 								},
-								Score:    4.3,
+								Score:    lo.ToPtr(4.3),
 								Severity: cdx.SeverityMedium,
 								Method:   cdx.ScoringMethodCVSSv2,
 								Vector:   "AV:N/AC:M/Au:N/C:N/I:N/A:P",
@@ -345,7 +346,7 @@ func TestWriter_Write(t *testing.T) {
 									Name: string(vulnerability.NVD),
 									URL:  "",
 								},
-								Score:    5.5,
+								Score:    lo.ToPtr(5.5),
 								Severity: cdx.SeverityMedium,
 								Method:   cdx.ScoringMethodCVSSv3,
 								Vector:   "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
@@ -355,7 +356,7 @@ func TestWriter_Write(t *testing.T) {
 									Name: string(vulnerability.RedHatOVAL),
 									URL:  "",
 								},
-								Score:    5.3,
+								Score:    lo.ToPtr(5.3),
 								Severity: cdx.SeverityMedium,
 								Method:   cdx.ScoringMethodCVSSv3,
 								Vector:   "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
@@ -697,7 +698,7 @@ func TestWriter_Write(t *testing.T) {
 								Source: &cdx.Source{
 									Name: string(vulnerability.NVD),
 								},
-								Score:    9.7,
+								Score:    lo.ToPtr(9.7),
 								Severity: cdx.SeverityHigh,
 								Method:   cdx.ScoringMethodCVSSv2,
 								Vector:   "AV:N/AC:L/Au:N/C:C/I:P/A:C",
@@ -706,7 +707,7 @@ func TestWriter_Write(t *testing.T) {
 								Source: &cdx.Source{
 									Name: string(vulnerability.NVD),
 								},
-								Score:    5.9,
+								Score:    lo.ToPtr(5.9),
 								Severity: cdx.SeverityMedium,
 								Method:   cdx.ScoringMethodCVSSv31,
 								Vector:   "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
@@ -715,7 +716,7 @@ func TestWriter_Write(t *testing.T) {
 								Source: &cdx.Source{
 									Name: string(vulnerability.RedHat),
 								},
-								Score:    5.9,
+								Score:    lo.ToPtr(5.9),
 								Severity: cdx.SeverityLow,
 								Method:   cdx.ScoringMethodCVSSv31,
 								Vector:   "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",