CycloneDX Reporter uses EPSS score without that method being set

[wkl3nk]

Describe the bug

During a scan, a CycloneDX report is requested.
In the CycloneDX SBOM document (version 1.5), is contains a section as follows:

...
  <vulnerabilities>
    <vulnerability>
      <id>CVE-2020-15250</id>
      <ratings>
        <rating>
          <source>
            <url>https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15250.json</url>
          </source>
          <score>4.0</score>
          <severity>medium</severity>
        </rating>
        <rating>
          <source>
            <url>https://api.first.org/data/v1/epss?cve=CVE-2020-15250</url>
          </source>
          <score>7.600000244565308E-4</score>
        </rating>
...

Cross-checking with the related XML schema file, the data type for score is xs:Decimal.

<xs:element name="score" type="xs:decimal" minOccurs="0" maxOccurs="1">

The number 7.600000244565308E-4 seems to have the wrong representation here.

ORT version: 42.0.0

[sschuberth]

What's the score of that vulnerability in ORT's advisor result? Can you also double-check with the JSON representation of the same CycloneDX report? Because there are several XML-specific bugs in the CycloneDX Java library.

[sschuberth]

<score>7.600000244565308E-4</score>

This simply looks like the EPSS value is being used instead of the CVSS base score.

[sschuberth]

@wkl3nk can you try what you get with #9557?

[sschuberth]

Cross-checking with the related XML schema file, the data type for score is xs:Decimal.

Interesting. The CycloneDX Java library that we use, uses Double in its API (which makes sense). So I believe this to be a bug in the XML schema that you should report upstream.

Edit: Scratch that, `xs:decimal does include floating-point numbers.

[wkl3nk]

I guess it is beneficial if I give more context:
A user of ORT Server had this bom.cyclonedx.xml file generated. His goal was to upload the BOM to "Dependency Track". He has checked out the issue with different boms and some are accepted by DT, while others are not. He found a validator for the schema at https://cyclonedx.github.io/cyclonedx-web-tool/validate and there he got the information

Validation failed at line number 380 and position 40: The 'http://cyclonedx.org/schema/bom/1.5:score' element is invalid - The value '7.600000244565308E-4' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '7.600000244565308E-4' is not a valid Decimal value.

[sschuberth]

Ok, but still, this is nothing we can fix on our side, I believe. IMO the problem is with how the CycloneDX Java library serializes this specific double value.

[sschuberth]

@wkl3nk can you try what you get with #9557?

Please still give my PR a try. If should more reliable add the respective method, and maybe we can simply filter out EPSS values that way, as they tend to be small, resulting in those E-notation serializations.

[sschuberth]

maybe we can simply filter out EPSS values that way, as they tend to be small, resulting in those E-notation serializations.

I've implemented that now.

[sschuberth]

So I believe this to be a bug in the XML schema that you should report upstream.

The bug is not in the schema, but IMO in the serialization library (at least that's probably the easiest place to fix it), so I've filed this.