Hi,
I found out that the following JSON cannot be unmarshalled (and later breaks a Trivy scan).
When I run validation, it is OK.
Currently I am doing on-the-fly removal of empty arrays to be able to process this kind of SBOM.
Is it a bug? Or am I missing something...
Thanks
Ivos
Validation command
$ docker run -v /mnt/c/Users/IvoŠmíd/AppData/Local/Temp/trivy-my-data10869558806170805350:/my-temp cyclonedx/cyclonedx-cli validate --input-file /my-temp/1.69.62_ios.json
BOM validated successfully.
SBOM (some parts were deleted so as not to make it huge)
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:85992d24-4f1d-41cd-a357-e498f4daeb46",
  "version": 1,
  "metadata": {
    "timestamp": "2025-07-22T12:49:10Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "authors": [],
          "group": "CycloneDX",
          "name": "cyclonedx-cocoapods",
          "version": "2.0.1",
          "hashes": [],
          "omniborId": [],
          "swhid": [],
          "externalReferences": [],
          "properties": [],
          "components": [],
          "data": [],
          "tags": []
        }
      ]
    },
    "lifecycles": []
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:cocoapods/[email protected]",
      "authors": [],
      "author": "Adjust <[email protected]>",
      "publisher": "Adjust <[email protected]>",
      "name": "Adjust",
      "version": "5.1.1",
      "description": "This is the iOS SDK of Adjust. You can read more about it at https://adjust.com.",
      "hashes": [
        {
          "alg": "SHA-1",
          "content": "5f5e998cf1446d44d93f91ec8b7b7dd40eaa922d"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT",
            "properties": []
          }
        }
      ],
      "purl": "pkg:cocoapods/[email protected]",
      "omniborId": [],
      "swhid": [],
      "externalReferences": [
        {
          "url": "https://github.com/adjust/ios_sdk",
          "type": "website",
          "hashes": []
        }
      ],
      "evidence": {
        "identity": {
          "field": "purl",
          "confidence": 0.6,
          "methods": [
            {
              "technique": "manifest-analysis",
              "confidence": 0.6,
              "value": "ios/Podfile.lock"
            }
          ]
        },
        "occurrences": []
      },
      "data": [],
      "tags": []
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:cocoapods/[email protected]",
      "dependsOn": [
        "pkg:cocoapods/[email protected]#Adjust"
      ],
      "provides": []
    }
  ],
  "vulnerabilities": [],
  "annotations": [],
  "properties": [],
  "formulation": []
}
Output when run by Trivy (see aquasecurity/trivy#9246)
2025-07-25T06:21:05Z FATAL Fatal error
- sbom scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.Run
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:403
- scan error:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:262
- scan failed:
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
/home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:630
- failed analysis:
github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
/home/runner/work/trivy/trivy/pkg/scan/service.go:166
- SBOM decode error:
github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
/home/runner/work/trivy/trivy/pkg/fanal/artifact/sbom/sbom.go:57
- failed to decode:
github.com/aquasecurity/trivy/pkg/sbom.Decode
/home/runner/work/trivy/trivy/pkg/sbom/sbom.go:227
- CycloneDX decode error:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:46
- CycloneDX decode error:
github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.DecodeJSON
/home/runner/work/trivy/trivy/pkg/sbom/cyclonedx/unmarshal.go:33
- json: cannot unmarshal object into Go struct field Metadata.metadata.tools of type []cyclonedx.Tool
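The error above is the classic shape mismatch between CycloneDX versions: up to spec 1.4 `metadata.tools` is an array of tool objects, while spec 1.5 and later encode it as an object with `components` (and `services`), which is what cyclonedx-cocoapods emits here. As an added example (not code from cyclonedx-go or Trivy, and with `Component`/`Tools` as simplified stand-in types rather than the library's real ones), this is how a Go decoder can accept both encodings instead of failing on the object form:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is a simplified stand-in for a CycloneDX tool component (not cyclonedx-go's type).
type Component struct {
	Type string `json:"type"`
	Name string `json:"name"`
}

// Tools normalises metadata.tools. Spec <= 1.4 encodes it as an array of tool objects, spec >= 1.5
// as {"components": [...], "services": [...]}; a field typed as a plain slice rejects the second form.
type Tools struct {
	Components []Component
}

// UnmarshalJSON dispatches on the first byte of the value that encoding/json hands over.
func (t *Tools) UnmarshalJSON(data []byte) error {
	switch {
	case len(data) == 0 || string(data) == "null":
		return nil // absent or null tools: nothing to record
	case data[0] == '{': // spec >= 1.5 object form, as emitted by cyclonedx-cocoapods
		var obj struct{ Components []Component `json:"components"` }
		err := json.Unmarshal(data, &obj)
		t.Components = obj.Components
		return err
	case data[0] == '[': // legacy array form: promote each tool to an application component
		var legacy []struct{ Name string `json:"name"` }
		if err := json.Unmarshal(data, &legacy); err != nil {
			return err
		}
		for _, l := range legacy {
			t.Components = append(t.Components, Component{Type: "application", Name: l.Name})
		}
		return nil
	}
	return fmt.Errorf("metadata.tools: expected array or object, got %q", data[0])
}

// DecodeTools decodes only metadata.tools from a full BOM document.
func DecodeTools(raw []byte) ([]Component, error) {
	var bom struct {
		Metadata struct{ Tools Tools `json:"tools"` } `json:"metadata"`
	}
	err := json.Unmarshal(raw, &bom)
	return bom.Metadata.Tools.Components, err
}
```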