CycloneDX output `metadata.properties` set to `null` instead of empty array or omitted.

[Cerebus]

What happened:

> grype -o cyclonedx-json python:3.12.2-slim > test-grype.json
> check-jsonschema --schemafile ./schema/bom-1.5.schema.json test-grype.json
Schema validation errors were encountered.
  test-grype.json::$.metadata.properties: None is not of type 'array'

What you expected to happen:
It should validate. E.g., after replacing metadata.properties: null with []:

> check-jsonschema --schemafile ./schema/bom-1.5.schema.json test-grype.json
ok -- validation done

How to reproduce it (as minimally and precisely as possible):

See above.

Anything else we need to know?:

Environment:
Application: grype
Version: 0.74.7
BuildDate: 2024-02-26T17:30:31Z
GitCommit: brew
GitDescription: [not provided]
Platform: darwin/amd64
GoVersion: go1.22.0
Compiler: gc
Syft Version: v0.105.1
Supported DB Schema: 5

[tgerla]

Hi @Cerebus, thank you for the report! We'll get this taken care of as soon as we can.

[wagoodman]

this is in the category of ensuring that all collections like this are allocated (currently this is omitempy)

[lucasrod16]

Hi @tgerla @wagoodman,

I am interested in working on this. It appears that the metadata.properties field gets initialized as a pointer that points to a nil slice, causing the null value.

It happens when ToFormatModel is called in the cyclonedx presenter, which ultimately calls toBomProperties. In toBomProperties, EncodeProperties returns a nil props slice and is returned as &props resulting in an initialized pointer with a nil slice as a value.

I have two potential solutions that I'd appreciate your feedback on before submitting a PR:

1. Set the metadata.properties field in grype to work around this behavior

cyclonedxBOM.Metadata.Properties = &[]cyclonedx.Property{} // populates the properties field as an empty array []
cyclonedxBOM.Metadata.Properties = nil // properties field does not get encoded

2. Add a nil check in syft to prevent returning an initialized pointer with a nil slice value

func toBomProperties(srcMetadata source.Description) *[]cyclonedx.Property {
	metadata, ok := srcMetadata.Metadata.(source.ImageMetadata)
	if ok {
		props := helpers.EncodeProperties(metadata.Labels, "syft:image:labels")
		if props == nil {
			return nil
		}
		return &props
	}
	return nil
}

I’m happy to implement either solution. Thanks!

[lucasrod16]

It's also worth noting that the cyclonedx-go maintainers have a desire to move away from using slice pointers. Removing usage of slice pointers upstream would be an ideal solution and would make issues like this less likely. Unfortunately I do not understand the XML parsing limitations well enough to contribute much to a solution at this point.

CycloneDX/cyclonedx-go#21

[kzantow]

@lucasrod16 it looks like the properties are optional, I'd opt for option 2, returning an accurate nil value

[lucasrod16]

@kzantow I have opened a PR to syft to return a nil value in toBomProperties anchore/syft#3119