fix(scoring): detect externalReferences under components[0] on v0.2 (#76)#85
Open
Rul1an wants to merge 1 commit into
…enAI-Security-Project#76)

v0.2 carries the same scoring bug as main: the component_basic external_references field uses the singular jsonpath $.component.externalReferences (field_registry.json), and the fallback presence check in scoring.py compares the snake_case registry name against the camelCase BOM key, so a populated externalReferences array under components[0] is scored as missing.

- field_registry.json: jsonpath -> $.components[0].externalReferences (scoring/detection path only; aibom_generation.location left untouched, consistent with the convention v0.2 already uses).
- scoring.py: a registry-name -> BOM-key alias map for the fallback check (also covers component_version -> version).
- tests/test_scoring.py: a positive regression (detection under components[0] via both jsonpath and fallback) and a negative guard.

Confirmed the regression reproduces on v0.2 (positive test fails before the change) and all of tests/test_scoring.py passes after it.
Re-targets #82 to v0.2 per @eaglei15's request. v0.2 carries the same scoring
bug as main, so this is the same fix re-applied against the v0.2 registry and
scoring layout (the original branch was cut from main and would not give a clean
diff here).
What
external_references scores as missing in the component_basic category even when
the generated BOM has a populated externalReferences array, capping that field.
Fixes #76 on v0.2.
Root cause (confirmed present on v0.2)
- field_registry.json uses the singular jsonpath $.component.externalReferences
for the component_basic external_references field, but CycloneDX 1.6/1.7 place
the array under $.components[0]. Every other component_basic field already uses
$.components[0].*.
- The fallback presence check in scoring.py compares the snake_case registry name
external_references against the camelCase BOM key externalReferences, so neither
path matches a populated field.
Change
- field_registry.json: jsonpath -> $.components[0].externalReferences
(scoring/detection path only).
- scoring.py: a registry-name -> BOM-key alias map for the fallback check as
defense-in-depth (also covers component_version -> version).
- tests/test_scoring.py: a positive regression (detection under components[0] via both
the jsonpath and the fallback) and a negative guard (absent -> still False).
Verification
The positive regression fails on v0.2 before the change and all of
tests/test_scoring.py passes after it.
Scope
aibom_generation.location strings are left untouched; they use the separate
singular $.component. addressing scheme consistently across the registry, and
generated BOMs already place externalReferences under components[0], so this PR
stays limited to the scoring/detection bug. Happy to revisit the generation
convention separately if maintainers prefer.
Credit to the reporter for the precise root-cause analysis.
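As an added illustration (not code from this PR or the project), the two failure paths the description identifies, reproduced on a constructed minimal BOM. A small resolver for the `$.key[0].key` JSONPath subset stands in for the project's real lookup, and the registry and alias dicts are assumed shapes modeled on the description, not field_registry.json or scoring.py themselves.

```python
import re

# Constructed minimal CycloneDX-style BOM (sample data, not a generated BOM).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{
        "type": "machine-learning-model",
        "name": "demo-model",
        "version": "1.0.0",
        "externalReferences": [{"type": "website", "url": "https://example.invalid/model-card"}],
    }],
}

# Assumed registry shape: field name -> detection jsonpath, before and after the fix.
REGISTRY_BEFORE = {"external_references": "$.component.externalReferences"}
REGISTRY_AFTER = {"external_references": "$.components[0].externalReferences"}

# registry-name -> BOM-key aliases for the fallback check, as the PR describes.
ALIASES = {"external_references": "externalReferences", "component_version": "version"}

_TOKEN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")
_EMPTY = (None, "", [], {})


def resolve_jsonpath(doc, path):
    """Resolve the '$.key[0].key' subset of JSONPath; None when any step is absent."""
    if not path.startswith("$"):
        raise ValueError(f"unsupported jsonpath: {path}")
    node = doc
    for key, idx in _TOKEN.findall(path[1:]):
        if key:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            if not isinstance(node, list) or int(idx) >= len(node):
                return None
            node = node[int(idx)]
    return node


def field_present(bom, field_name, registry, use_alias):
    """Primary jsonpath lookup, then the components[0] fallback, with or without aliasing."""
    if resolve_jsonpath(bom, registry[field_name]) not in _EMPTY:
        return True
    component = (bom.get("components") or [{}])[0]
    # Without the alias map the snake_case registry name is looked up as a BOM key and misses.
    key = ALIASES.get(field_name, field_name) if use_alias else field_name
    return component.get(key) not in _EMPTY
```

With the old jsonpath and no alias map the populated array scores as absent; either half of the fix alone detects it, and an absent field still returns False after both.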