Bug: cyclonedx-json vulnerabilities are not linked to components (different bomrefs) #980
Closed
Labels: bug (Something isn't working), component:output-formats (Supported output formats), good first issue (Good for newcomers), help wanted (Extra attention is needed)
Description
Pre-submission checks
- I am not filing an auditing error (false positive or negative). These must be reported to pypa/advisory-database instead.
- I agree to follow the PSF Code of Conduct.
- I have looked through the open issues for a duplicate report.
Expected behavior
I expected pip-audit -f cyclonedx-json to output a consistent cyclonedx formatted output.
Actual behavior
pip-audit -f cyclonedx-json > sbom.cdx.json results in an inconsistent cyclonedx output:
- vulnerabilities cannot be linked back to their respective components
- the items in 'vulnerabilities' have no matching element in 'components' or 'dependencies' (different bom refs)
Reproduction steps
- create a venv
- install a few dependencies with known vulnerabilities (e.g. ecdsa==0.19.1)
- run pip-audit -f cyclonedx-json > sbom.cdx.json
The vulnerabilities section in sbom.cdx.json lists all vulnerabilities, while the components and dependencies sections list the components. The bom-refs of vulnerabilities and components don't match. Hence it is not possible to link back any single vulnerability to its component.
Example:
Note that the bom-ref is different. In particular, BomRef.01660645784855508.09242731520484149 does not exist in the components nor in dependencies.
    {
      "components": [
        {
          "bom-ref": "BomRef.6483912449886295.15300150100341825",
          "name": "ecdsa",
          "type": "library",
          "version": "0.19.1"
        },
        ...
      ],
      "vulnerabilities": [
        {
          "bom-ref": "BomRef.01660645784855508.09242731520484149",
          "description": "python-ecdsa has been found to be subject to a Miner ...",
          "id": "GHSA-wj6h-64fc-37mp",
          "recommendation": "Upgrade"
        },
      ]
      ...
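A small consistency check, added here as an example (not code from pip-audit or from the reporter), that reads a CycloneDX JSON document and lists vulnerabilities that cannot be traced to any component. It treats a vulnerability as linked if its own bom-ref matches a component (the linkage this report expects) or if any of its affects[].ref entries resolves to one (the field the CycloneDX vulnerability schema uses for that purpose); the embedded SBOM is a constructed sample built from the excerpt above, and FIXED_SBOM is the same document with an affects entry added.

```python
import json

ECDSA_REF = "BomRef.6483912449886295.15300150100341825"  # from the report above
VULN_REF = "BomRef.01660645784855508.09242731520484149"  # from the report above

# Constructed sample mirroring the excerpt: the vulnerability's bom-ref matches
# no component, and there is no "affects" list pointing at one either.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"bom-ref": ECDSA_REF, "name": "ecdsa", "type": "library", "version": "0.19.1"},
    ],
    "vulnerabilities": [
        {"bom-ref": VULN_REF, "id": "GHSA-wj6h-64fc-37mp", "recommendation": "Upgrade"},
    ],
})

# Same document with the vulnerability attached to the component via affects[].ref.
_fixed = json.loads(SAMPLE_SBOM)
_fixed["vulnerabilities"][0]["affects"] = [{"ref": ECDSA_REF}]
FIXED_SBOM = json.dumps(_fixed)


def component_refs(bom: dict) -> set:
    """Every bom-ref a vulnerability may legitimately point at: metadata.component
    plus all top-level components and their nested sub-components."""
    refs, stack = set(), list(bom.get("components", []))
    if bom.get("metadata", {}).get("component"):
        stack.append(bom["metadata"]["component"])
    while stack:
        comp = stack.pop()
        if comp.get("bom-ref"):
            refs.add(comp["bom-ref"])
        stack.extend(comp.get("components", []))
    return refs


def unlinked_vulnerabilities(sbom_json: str) -> list:
    """Return ids of vulnerabilities that cannot be traced to any component.
    Linked means: some affects[].ref resolves, or (as this issue expects) the
    vulnerability's own bom-ref equals a component's bom-ref."""
    bom = json.loads(sbom_json)
    targets = component_refs(bom)
    unlinked = []
    for vuln in bom.get("vulnerabilities", []):
        candidates = {a.get("ref") for a in vuln.get("affects", [])}
        candidates.add(vuln.get("bom-ref"))
        if not (candidates & targets):
            unlinked.append(vuln.get("id", "<no id>"))
    return unlinked
```

Run it against a real sbom.cdx.json by passing the file's contents to unlinked_vulnerabilities; a non-empty result means the document has the mismatch described in this report.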
Logs
$ pipdeptree -p pip-audit
pip_audit==2.9.0
├── CacheControl [required: >=0.13.0, installed: 0.14.4]
│ ├── requests [required: >=2.16.0, installed: 2.32.3]
│ │ ├── charset-normalizer [required: >=2,<4, installed: 3.4.0]
│ │ ├── idna [required: >=2.5,<4, installed: 3.10]
│ │ ├── urllib3 [required: >=1.21.1,<3, installed: 2.2.3]
│ │ └── certifi [required: >=2017.4.17, installed: 2024.8.30]
│ └── msgpack [required: >=0.5.2,<2.0.0, installed: 1.1.0]
├── cyclonedx-python-lib [required: >=5,<10, installed: 11.5.0]
│ ├── license-expression [required: >=30,<31, installed: 30.4.4]
│ │ └── boolean.py [required: >=4.0, installed: 5.0]
│ ├── packageurl-python [required: >=0.11,<2, installed: 0.17.6]
│ ├── py-serializable [required: >=2.1.0,<3.0.0, installed: 2.1.0]
│ │ └── defusedxml [required: >=0.7.1,<0.8.0, installed: 0.7.1]
│ ├── sortedcontainers [required: >=2.4.0,<3.0.0, installed: 2.4.0]
│ └── typing_extensions [required: >=4.6,<5.0, installed: 4.15.0]
├── packaging [required: >=23.0.0, installed: 25.0]
├── pip-api [required: >=0.0.28, installed: 0.0.34]
│ └── pip [required: Any, installed: 25.3]
├── pip-requirements-parser [required: >=32.0.0, installed: 32.0.1]
│ ├── packaging [required: Any, installed: 25.0]
│ └── pyparsing [required: Any, installed: 3.2.0]
├── requests [required: >=2.31.0, installed: 2.32.3]
│ ├── charset-normalizer [required: >=2,<4, installed: 3.4.0]
│ ├── idna [required: >=2.5,<4, installed: 3.10]
│ ├── urllib3 [required: >=1.21.1,<3, installed: 2.2.3]
│ └── certifi [required: >=2017.4.17, installed: 2024.8.30]
├── rich [required: >=12.4, installed: 14.2.0]
│ ├── markdown-it-py [required: >=2.2.0, installed: 3.0.0]
│ │ └── mdurl [required: ~=0.1, installed: 0.1.2]
│ └── Pygments [required: >=2.13.0,<3.0.0, installed: 2.19.2]
├── toml [required: >=0.10, installed: 0.10.2]
└── platformdirs [required: >=4.2.0, installed: 4.3.6]
Additional context
This is likely due to how the cyclonedx format is constructed. I have not tried it, but it would seem that it should link the component on Vulnerability(bom_ref=c.bom_ref, ...).
OS name, version, and architecture
Linux Mint 21.2
pip-audit version
pip-audit 2.9.0
pip version
pip 25.3
Python version
Python 3.11.6