refactor: moved Vulnerabilities to be nested inside the Component

madpah · madpah · commit 8b4034da82a0 · 2021-09-15T10:51:55.000+01:00
Signed-off-by: Paul Horton &lt;phorton@sonatype.com&gt;
diff --git a/cyclonedx/output/xml.py b/cyclonedx/output/xml.py
@@ -45,13 +45,15 @@ def output_as_string(self) -> str:
             ElementTree.register_namespace('v', Xml.get_vulnerabilities_namespace())
 
         components = ElementTree.SubElement(bom, 'components')
-        if self.get_bom().has_vulnerabilities():
-            vulnerabilities = ElementTree.SubElement(bom, 'v:vulnerabilities')
+        # if self.get_bom().has_vulnerabilities():
+        #     vulnerabilities = ElementTree.SubElement(bom, 'v:vulnerabilities')
 
         for component in self.get_bom().get_components():
-            components.append(self._get_component_as_xml_element(component=component))
+            component_element = self._get_component_as_xml_element(component=component)
+            components.append(component_element)
             if component.has_vulnerabilities() and self.component_supports_bom_ref():
                 # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version
+                vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities')
                 for vulnerability in component.get_vulnerabilities():
                     vulnerabilities.append(self._get_vulnerability_as_xml_element(bom_ref=component.get_purl(),
                                                                                   vulnerability=vulnerability))
diff --git a/tests/fixtures/bom_v1.3_setuptools_with_vulnerabilities.xml b/tests/fixtures/bom_v1.3_setuptools_with_vulnerabilities.xml
@@ -8,43 +8,43 @@
             <name>setuptools</name>
             <version>50.3.2</version>
             <purl>pkg:pypi/setuptools@50.3.2?extension=tar.gz</purl>
+            <v:vulnerabilities>
+                <v:vulnerability ref="pkg:pypi/setuptools@50.3.2?extension=tar.gz">
+                    <v:id>CVE-2018-7489</v:id>
+                    <v:source name="NVD">
+                        <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
+                    </v:source>
+                    <v:ratings>
+                        <v:rating>
+                            <v:score>
+                                <v:base>9.8</v:base>
+                                <v:impact>5.9</v:impact>
+                                <v:exploitability>3.0</v:exploitability>
+                            </v:score>
+                            <v:severity>Critical</v:severity>
+                            <v:method>CVSSv3</v:method>
+                            <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
+                        </v:rating>
+                        <v:rating>
+                            <v:severity>Low</v:severity>
+                            <v:method>OWASP Risk</v:method>
+                            <v:vector>OWASP/K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50</v:vector>
+                        </v:rating>
+                    </v:ratings>
+                    <v:cwes>
+                        <v:cwe>123</v:cwe>
+                        <v:cwe>456</v:cwe>
+                    </v:cwes>
+                    <v:description>A description here</v:description>
+                    <v:recommendations>
+                        <v:recommendation>Upgrade</v:recommendation>
+                    </v:recommendations>
+                    <v:advisories>
+                        <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
+                        <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
+                    </v:advisories>
+                </v:vulnerability>
+            </v:vulnerabilities>
         </component>
     </components>
-    <v:vulnerabilities>
-        <v:vulnerability ref="pkg:pypi/setuptools@50.3.2?extension=tar.gz">
-            <v:id>CVE-2018-7489</v:id>
-            <v:source name="NVD">
-                <v:url>https://nvd.nist.gov/vuln/detail/CVE-2018-7489</v:url>
-            </v:source>
-            <v:ratings>
-                <v:rating>
-                    <v:score>
-                        <v:base>9.8</v:base>
-                        <v:impact>5.9</v:impact>
-                        <v:exploitability>3.0</v:exploitability>
-                    </v:score>
-                    <v:severity>Critical</v:severity>
-                    <v:method>CVSSv3</v:method>
-                    <v:vector>AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</v:vector>
-                </v:rating>
-                <v:rating>
-                    <v:severity>Low</v:severity>
-                    <v:method>OWASP Risk</v:method>
-                    <v:vector>OWASP/K9:M1:O0:Z2/D1:X1:W1:L3/C2:I1:A1:T1/F1:R1:S2:P3/50</v:vector>
-                </v:rating>
-            </v:ratings>
-            <v:cwes>
-                <v:cwe>123</v:cwe>
-                <v:cwe>456</v:cwe>
-            </v:cwes>
-            <v:description>A description here</v:description>
-            <v:recommendations>
-                <v:recommendation>Upgrade</v:recommendation>
-            </v:recommendations>
-            <v:advisories>
-                <v:advisory>http://www.securityfocus.com/bid/103203</v:advisory>
-                <v:advisory>http://www.securitytracker.com/id/1040693</v:advisory>
-            </v:advisories>
-        </v:vulnerability>
-    </v:vulnerabilities>
 </bom>
