From 59e4a4c1c80b7c5dd4de77c55af7d9c0840aebf7 Mon Sep 17 00:00:00 2001
From: Sai Asish Y
Date: Tue, 12 May 2026 13:24:45 -0700
Subject: [PATCH] fix(schema): avoid nil pointer panic when vulnerability analysis omits response (#148)

Signed-off-by: Sai Asish Y
---
 schema/bom_hash.go | 4 +++-
 schema/bom_hash_test.go | 21 +++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/schema/bom_hash.go b/schema/bom_hash.go
index 84d6271d..c0a6ae7f 100644
--- a/schema/bom_hash.go
+++ b/schema/bom_hash.go
@@ -389,7 +389,9 @@ func (bom *BOM) HashmapVulnerability(cdxVulnerability CDXVulnerability, whereFil
 vulnInfo.AnalysisJustification = VULN_ANALYSIS_STATE_EMPTY
 }
 
- vulnInfo.AnalysisResponse = *cdxVulnerability.Analysis.Response
+ if cdxVulnerability.Analysis.Response != nil {
+ vulnInfo.AnalysisResponse = *cdxVulnerability.Analysis.Response
+ }
 if len(vulnInfo.AnalysisResponse) == 0 {
 vulnInfo.AnalysisResponse = []string{VULN_ANALYSIS_STATE_EMPTY}
 }
diff --git a/schema/bom_hash_test.go b/schema/bom_hash_test.go
index 86fd6c59..020f22d4 100644
--- a/schema/bom_hash_test.go
+++ b/schema/bom_hash_test.go
@@ -423,6 +423,27 @@ func TestHashZeroCDXVulnerabilityStruct(t *testing.T) {
 }
 }
 
+// Regression test for https://github.com/CycloneDX/sbom-utility/issues/148 :
+// a vulnerability with an `analysis` object that omits the optional `response`
+// array must not cause a nil pointer dereference panic.
+func TestHashCDXVulnerabilityAnalysisWithoutResponse(t *testing.T) {
+ cdxVulnerability := CDXVulnerability{
+ Id: "CVE-2026-0000",
+ Analysis: &CDXAnalysis{
+ State: "exploitable",
+ },
+ }
+ document := NewBOM("")
+ hashed, err := document.HashmapVulnerability(cdxVulnerability, nil)
+ if err != nil {
+ t.Error(err)
+ return
+ }
+ if !hashed {
+ t.Error(getLogger().Errorf("expected non-empty vulnerability to be hashed."))
+ }
+}
+
 // ----------------------
 // License Hashing
 // ----------------------
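Review bot: The new guard covers only `Analysis.Response`, while `cdxVulnerability.Analysis` is still dereferenced on the same line with no check visible in the hunk; the context lines above suggest `Analysis` is validated earlier in the function, but that code is outside the hunk, so please confirm, since an SBOM whose vulnerability omits the `analysis` object entirely would otherwise fail in the same way on parsed input. Because this field comes straight from a deserialized document, a one-line comment on the guard would help the next maintainer, e.g. `// response is optional in the CycloneDX schema; an omitted array unmarshals to a nil pointer.` Note also that the assignment aliases the caller's slice rather than copying it, which is fine only as long as `vulnInfo.AnalysisResponse` is never mutated afterwards. HashmapVulnerability begins and continues outside this hunk.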
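Review bot: The new test asserts only that the call returns `hashed == true` without an error, so it proves the panic is gone but not that the omitted `response` was normalized to the `VULN_ANALYSIS_STATE_EMPTY` placeholder the fix relies on. If the hashed entry can be read back from `document`, asserting that its `AnalysisResponse` equals `[]string{VULN_ANALYSIS_STATE_EMPTY}` would pin the intended behaviour; the lookup API is not visible in this hunk, so that may need a small helper. The fixture deliberately sets `Analysis` non-nil with `Response` omitted, which is the exact shape that previously panicked, so a separate `Analysis: nil` case is only needed if `TestHashZeroCDXVulnerabilityStruct` does not already cover it.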