Closed
Labels: bug (Something isn't working)
Description
What happened:
When using grype to check a CycloneDX SBOM not produced by syft, Java vulnerabilities were not detected.
What you expected to happen:
Vulnerabilities should be found by language when there is no CPE and no syft metadata
How to reproduce it (as minimally and precisely as possible):
Using a CycloneDX SBOM with minimal component info and known CVEs such as:

```json
{
  "name" : "log4j-core",
  "version" : "2.13.3",
  "purl" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar",
  "type" : "library",
  "bom-ref" : "pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"
},
```

Running grype will not find any CVEs.
Anything else we need to know?:
PR coming shortly...
Environment:
- Output of `syft version`: v0.42.4
- OS (e.g. `cat /etc/os-release` or similar): any
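The classification step the report asks for, as an added example in Go (grype's language) that is not code from the issue author, from grype or from syft: a component that carries only name, version and purl is routed to a language matcher by parsing the purl, since there is no CPE and no syft-specific metadata to go on. The `Component` and `Purl` types, the `purlTypeLanguage` table and the `sampleBOM` document are constructed for this example and are not grype's own model or mapping; `strings.Cut` needs Go 1.18 or later.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Component is the subset of a CycloneDX component used here (a hypothetical type, not grype's).
type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"`
}

// Purl holds the parsed fields of "pkg:type/namespace/name@version?qualifiers#subpath".
type Purl struct {
	Type, Namespace, Name, Version string
}

// ParsePurl splits a purl and percent-decodes namespace, name and version; qualifiers and subpath are dropped.
func ParsePurl(s string) (Purl, error) {
	var p Purl
	if !strings.HasPrefix(s, "pkg:") {
		return p, fmt.Errorf("not a purl: %q", s)
	}
	rest, _, _ := strings.Cut(strings.TrimPrefix(s, "pkg:"), "#")
	rest, _, _ = strings.Cut(rest, "?")
	if i := strings.LastIndex(rest, "@"); i >= 0 { // a literal '@' inside a name is encoded as %40
		rest, p.Version = rest[:i], rest[i+1:]
	}
	parts := strings.Split(strings.Trim(rest, "/"), "/")
	if len(parts) < 2 || parts[0] == "" || parts[len(parts)-1] == "" {
		return p, fmt.Errorf("purl needs a type and a name: %q", s)
	}
	p.Type = strings.ToLower(parts[0])
	p.Namespace = strings.Join(parts[1:len(parts)-1], "/")
	p.Name = parts[len(parts)-1]
	for _, f := range []*string{&p.Namespace, &p.Name, &p.Version} {
		dec, err := url.PathUnescape(*f)
		if err != nil {
			return p, err
		}
		*f = dec
	}
	return p, nil
}

// purlTypeLanguage maps a purl type to the language matcher that should handle it; an assumed
// table for this example, grype keeps its own package-type mapping.
var purlTypeLanguage = map[string]string{
	"maven": "java", "npm": "javascript", "pypi": "python", "gem": "ruby", "golang": "go",
}

// Classify derives, from the purl alone, what a language matcher needs when a component has no CPE and no syft metadata.
func Classify(c Component) (lang, name, version string, err error) {
	if c.Purl == "" {
		return "", "", "", fmt.Errorf("%q: no purl, nothing to match on", c.Name)
	}
	p, err := ParsePurl(c.Purl)
	if err != nil {
		return "", "", "", err
	}
	if lang = purlTypeLanguage[p.Type]; lang == "" {
		return "", "", "", fmt.Errorf("%q: no language matcher for purl type %q", c.Name, p.Type)
	}
	name = p.Name
	if p.Namespace != "" {
		name = p.Namespace + ":" + p.Name // e.g. maven groupId:artifactId
	}
	if version = p.Version; version == "" {
		version = c.Version // purl carried no version: fall back to the component's field
	}
	return lang, name, version, nil
}

// sampleBOM is a constructed minimal CycloneDX document around the component from the issue.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
  {"name":"log4j-core","version":"2.13.3","type":"library",
   "purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar",
   "bom-ref":"pkg:maven/org.apache.logging.log4j/log4j-core@2.13.3?type=jar"}]}`

// ClassifyBOM decodes a CycloneDX JSON document and returns "lang name version" per component.
func ClassifyBOM(data []byte) ([]string, error) {
	var doc struct{ Components []Component } // encoding/json matches "components" case-insensitively
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, err
	}
	out := make([]string, 0, len(doc.Components))
	for _, c := range doc.Components {
		lang, name, version, err := Classify(c)
		if err != nil {
			return nil, err
		}
		out = append(out, lang+" "+name+" "+version)
	}
	return out, nil
}
```

`ClassifyBOM([]byte(sampleBOM))` yields `java org.apache.logging.log4j:log4j-core 2.13.3`, which is exactly the tuple a Java matcher needs; a component whose purl type has no language mapping, or that has no purl at all, is reported as an error rather than silently skipped, which is the failure mode the report describes.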