fix(scoring): detect externalReferences under components[0] (#76) #82
Open
Rul1an wants to merge 1 commit into
…curity-Project#76) external_references always scored as missing.

Two independent causes: the field_registry jsonpath used the singular `$.component.externalReferences` while CycloneDX 1.6/1.7 place the array under `$.components[0]` (plural), and the fallback presence check compared the snake_case registry name `external_references` against the camelCase BOM key `externalReferences`, so neither path matched a populated field.

- field_registry.json: correct the jsonpath to `$.components[0].externalReferences`
- scoring.py: map registry field names to their CycloneDX keys in the fallback (defense-in-depth; also covers component_version -> version)
- tests: detection under components[0] plus a negative guard

A fully populated component_basic category now scores 20/20 again (previously capped at ~17.1/20).

Thanks to the reporter for the precise root-cause analysis.

Signed-off-by: Rul1an <roelschuurkes@gmail.com>
What

`external_references` always scored as missing in the `component_basic` category, even when the generated BOM contained a populated `externalReferences` array, capping every model at ~17.1/20 there. Fixes #76.

Root cause

Two independent detection issues:

- `field_registry.json` used the singular jsonpath `$.component.externalReferences`, but CycloneDX 1.6/1.7 place the array under `$.components[0]` (plural with index). Every other `component_basic` field already uses `$.components[0].*`.
- `scoring.py` compared the snake_case registry name `external_references` against the camelCase BOM key `externalReferences`, so neither path matched a populated field.

Change

- `field_registry.json`: jsonpath -> `$.components[0].externalReferences` (scoring/detection path only).
- `scoring.py`: a small registry-name -> BOM-key alias map used by the fallback check, as defense-in-depth (also covers `component_version` -> `version`).
- `tests/test_scoring.py`: a positive case (detection under `components[0]` via both the jsonpath and the fallback) and a negative guard (absent -> still False).

With both, a fully populated `component_basic` scores 20/20 again.

Scope

I left the `aibom_generation.location` strings untouched. They use a separate singular `$.component.` addressing scheme consistently across the registry (the component being generated, not the final BOM array), and generated BOMs already place `externalReferences` correctly under `components[0]`, so this PR stays limited to the scoring/detection bug. Happy to revisit the generation convention separately if maintainers prefer.

Credit to the reporter for the precise root-cause analysis.
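The two detection failures described above, reproduced side by side in an added example that is not the project's own `scoring.py` or `field_registry.json`. The `resolve_path`, `present`, `fallback_present` and `field_present` helpers, the `REGISTRY_TO_BOM_KEY` alias map and the registry path constants are hypothetical stand-ins for the project's code, and the CycloneDX-style BOM is constructed for the example. It shows why the singular path plus an un-aliased fallback never matches, and that either the corrected jsonpath or the alias map alone is enough to detect the field (which is what makes the fallback a defense-in-depth layer rather than dead code).

```python
"""Added example: jsonpath detection of a CycloneDX field plus an alias-mapped
fallback. Not the project's code; names and BOM are constructed/hypothetical."""
import re

# Constructed minimal CycloneDX 1.6-style BOM. The component and its
# externalReferences array live under the plural `components` list, index 0.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "machine-learning-model",
            "name": "example-model",
            "version": "1.0.0",
            "externalReferences": [
                {"type": "website", "url": "https://example.invalid/model"}
            ],
        }
    ],
}

# Negative guard: same shape, but the component has no externalReferences.
EMPTY_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [{"type": "machine-learning-model", "name": "bare-model"}],
}

# Hypothetical registry paths for the `external_references` field:
# the singular form (the bug) and the plural-with-index form (the fix).
BUGGY_PATH = "$.component.externalReferences"
FIXED_PATH = "$.components[0].externalReferences"

# Hypothetical alias map: snake_case registry name -> camelCase BOM key.
REGISTRY_TO_BOM_KEY = {
    "external_references": "externalReferences",
    "component_version": "version",
}

# Tokens of a simple jsonpath: a bare key or a [N] list index.
_TOKEN = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)|\[(\d+)\]")


def resolve_path(doc, path):
    """Resolve a jsonpath of the form '$.a.b[0].c' (dict keys and list
    indexes only). Returns None when any step is missing."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    cur = doc
    for key, idx in _TOKEN.findall(path[1:]):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        else:
            i = int(idx)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


def present(value):
    """A field counts as present only when it is non-empty."""
    return value is not None and value not in ([], {}, "")


def fallback_present(bom, registry_name, aliases):
    """Fallback check on the first component. Without the alias map the
    snake_case registry name is looked up verbatim and never matches."""
    comps = bom.get("components") or []
    if not comps:
        return False
    key = aliases.get(registry_name, registry_name)
    return present(comps[0].get(key))


def field_present(bom, registry_name, jsonpath, aliases):
    """Primary detection via jsonpath; alias-mapped fallback as defense-in-depth."""
    if present(resolve_path(bom, jsonpath)):
        return True
    return fallback_present(bom, registry_name, aliases)


if __name__ == "__main__":
    # Before the fix: singular path + no alias map -> missing.
    print(field_present(SAMPLE_BOM, "external_references", BUGGY_PATH, {}))
    # After the fix: plural path, alias map -> detected.
    print(field_present(SAMPLE_BOM, "external_references", FIXED_PATH, REGISTRY_TO_BOM_KEY))
```

Running the module prints `False` then `True`. The alias map is what turns the fallback into a real second line of detection: with `BUGGY_PATH` but `REGISTRY_TO_BOM_KEY` supplied, `field_present` still returns `True`, so a future registry typo in the jsonpath would not silently cap the category score again.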