fix(scoring): detect externalReferences under components[0] on v0.2 (#76)#85

Open
Rul1an wants to merge 1 commit into
GenAI-Security-Project:v0.2from
Rul1an:fix/external-references-scoring-v0.2

Conversation

@Rul1an Rul1an commented Jun 27, 2026


Re-targets #82 to v0.2 per @eaglei15's request. v0.2 carries the same scoring
bug as main, so this is the same fix re-applied against the v0.2 registry and
scoring layout (the original branch was cut from main and would not give a clean
diff here).

What
external_references scores as missing in the component_basic category even when
the generated BOM has a populated externalReferences array, capping that field.
Fixes #76 on v0.2.

Root cause (confirmed present on v0.2)

  • field_registry.json uses the singular jsonpath $.component.externalReferences
    for the component_basic external_references field, but CycloneDX 1.6/1.7 place
    the array under $.components[0]. Every other component_basic field already uses
    $.components[0].*.
  • The fallback presence check in scoring.py compares the snake_case registry name
    external_references against the camelCase BOM key externalReferences, so neither
    path matches a populated field.

Change

  • field_registry.json: jsonpath -> $.components[0].externalReferences
    (scoring/detection path only).
  • scoring.py: a registry-name -> BOM-key alias map used by the fallback check, as
    defense-in-depth (also covers component_version -> version).
  • tests/test_scoring.py: a positive case (detection under components[0] via both
    the jsonpath and the fallback) and a negative guard (absent -> still False).

Verification
The positive regression fails on v0.2 before the change and all of
tests/test_scoring.py passes after it.

Scope
aibom_generation.location strings are left untouched; they use the separate
singular $.component. addressing scheme consistently across the registry, and
generated BOMs already place externalReferences under components[0], so this PR
stays limited to the scoring/detection bug. Happy to revisit the generation
convention separately if maintainers prefer.

Credit to the reporter for the precise root-cause analysis.

…enAI-Security-Project#76)

v0.2 carries the same scoring bug as main: the component_basic
external_references field uses the singular jsonpath
$.component.externalReferences (field_registry.json), and the fallback
presence check in scoring.py compares the snake_case registry name against
the camelCase BOM key, so a populated externalReferences array under
components[0] is scored as missing.

- field_registry.json: jsonpath -> $.components[0].externalReferences
  (scoring/detection path only; aibom_generation.location left untouched,
  consistent with the convention v0.2 already uses).
- scoring.py: a registry-name -> BOM-key alias map for the fallback check
  (also covers component_version -> version).
- tests/test_scoring.py: a positive regression (detection under
  components[0] via both jsonpath and fallback) and a negative guard.

Confirmed the regression reproduces on v0.2 (positive test fails before the
change) and all of tests/test_scoring.py passes after it.
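As an added illustration of the two defects the PR describes (this is not the project's scoring.py or field_registry.json), a minimal Python presence check run over a constructed CycloneDX-style BOM. `resolve_jsonpath`, `fallback_present`, `is_present`, `FIELD_ALIASES` and the two sample registry entries are assumptions modelled on the description; the singular path scores the field as missing, and either the corrected path or the alias map recovers it.

```python
import re
from typing import Any, Dict, Optional

# Constructed CycloneDX-style BOM fragment (not a project fixture).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{
        "name": "example-model",
        "version": "1.0.0",
        "externalReferences": [{"type": "website", "url": "https://example.invalid/model"}],
    }],
}

# Hypothetical registry entries: the singular path the PR calls buggy, and the fix.
REGISTRY_BEFORE = {"external_references": "$.component.externalReferences"}
REGISTRY_AFTER = {"external_references": "$.components[0].externalReferences"}

# Registry-name -> BOM-key alias map, the shape of fallback fix the PR describes (assumed).
FIELD_ALIASES = {"external_references": "externalReferences", "component_version": "version"}

_TOKEN = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")

def resolve_jsonpath(doc: Any, path: str) -> Any:
    """Resolve only the '$.key.key[0].key' subset the registry uses; None when missing."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    node = doc
    for key, idx in _TOKEN.findall(path[1:]):
        if key:
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            i = int(idx)
            if not isinstance(node, list) or i >= len(node):
                return None
            node = node[i]
    return node

def fallback_present(bom: Dict, registry_name: str, aliases: Optional[Dict] = None) -> bool:
    """Key-name presence check on components[0]; without aliases the snake_case name never matches."""
    comp = (bom.get("components") or [{}])[0]
    key = (aliases or {}).get(registry_name, registry_name)
    return bool(comp.get(key))

def is_present(bom: Dict, registry_name: str, registry: Dict, aliases: Optional[Dict] = None) -> bool:
    """Jsonpath first, then the fallback check, mirroring the two paths the PR describes."""
    if resolve_jsonpath(bom, registry[registry_name]):
        return True
    return fallback_present(bom, registry_name, aliases)
```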