CycloneDX decode error: json: cannot unmarshal array into Go struct field Component.metadata.component.data of type cyclonedx.ComponentData

[kidmose]

Description

First off; Thanks for providing an awesome tool! :)

I've been using docker image cyclonedx/cyclonedx-cli to convert my CycloneDX XML SBOM into CycloneDX JSON and the checking it with aquasec/trivy for known vulnerabilities, as part of my gitlab pipelines.

This started failing recently, where trivy fails (cyclonedx-cli runs with no errors, producing an JSON SBOM):

...
Using docker image sha256:0238b6585f05abf96f54f1b23211ce459e7e524bb5d52142cf0d90490457a167 for aquasec/trivy with digest aquasec/trivy@sha256:ec9b6eb27be1eb0c97355e34183d3217d3f4f7566c53da5fd4f5bfbfcf87de60 ...
$ # Create template for TSV (Tab Separated Values) # collapsed multi-line command
$ # Run trivy to get a vulnerability table for the job log # collapsed multi-line command
Creating table of any vulnerabilities found from SBOM, outputting to log.
2025-07-03T06:37:42Z	INFO	[vulndb] Need to update DB
2025-07-03T06:37:42Z	INFO	[vulndb] Downloading vulnerability DB...
2025-07-03T06:37:42Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
66.18 MiB / 66.18 MiB [-------------------------------------------------] 100.00% 22.60 MiB p/s 3.1s
2025-07-03T06:37:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-07-03T06:37:45Z	INFO	[vuln] Vulnerability scanning is enabled
2025-07-03T06:37:45Z	INFO	Detected SBOM format	format="cyclonedx-json"
2025-07-03T06:37:45Z	FATAL	Fatal error	run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: CycloneDX decode error: CycloneDX decode error: json: cannot unmarshal array into Go struct field Component.metadata.component.data of type cyclonedx.ComponentData
Uploading artifacts for failed job
...

Comparing an old JSON SBOM that trivy analysed successfully, with a recent one that fails, I found that the only change (except timestamps) was that the key metadata.component.data was introduced (with [] as value) together with components.[].data for each referenced component (also with [] as the value for every single entry).

This coincides roughly with the cyclonedx/cyclonedx-cli:0.28.0 (and the first few path versions) being released and replacing latest.

Pinning to cyclonedx/cyclonedx-cli:0:27:0 fixed the problem for me

I found this commit on cyclonedx-cli that seems to be where the problem was introduced; data is introduced into what appears to be test data, and the reordering of keys in output (tags) also aligns with my diff of "good" and "bad" json inputs for trivy.

My conclusion is that it appears that trivy is not able to handle json generated according to v9.0.0 of the CycloneDX.Utils library that cyclonedx-cli has switched to with version 0.28.0.

From the specification I understand that the Component.metadata.component.data key should point to an array. I see nothing indicating that it must not be empty.

Is this a bug in trivy?

Desired Behavior

No error, SBOM analysed.

Actual Behavior

...
Using docker image sha256:0238b6585f05abf96f54f1b23211ce459e7e524bb5d52142cf0d90490457a167 for aquasec/trivy with digest aquasec/trivy@sha256:ec9b6eb27be1eb0c97355e34183d3217d3f4f7566c53da5fd4f5bfbfcf87de60 ...
$ # Create template for TSV (Tab Separated Values) # collapsed multi-line command
$ # Run trivy to get a vulnerability table for the job log # collapsed multi-line command
Creating table of any vulnerabilities found from SBOM, outputting to log.
2025-07-03T06:37:42Z	INFO	[vulndb] Need to update DB
2025-07-03T06:37:42Z	INFO	[vulndb] Downloading vulnerability DB...
2025-07-03T06:37:42Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
66.18 MiB / 66.18 MiB [-------------------------------------------------] 100.00% 22.60 MiB p/s 3.1s
2025-07-03T06:37:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-07-03T06:37:45Z	INFO	[vuln] Vulnerability scanning is enabled
2025-07-03T06:37:45Z	INFO	Detected SBOM format	format="cyclonedx-json"
2025-07-03T06:37:45Z	FATAL	Fatal error	run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: CycloneDX decode error: CycloneDX decode error: json: cannot unmarshal array into Go struct field Component.metadata.component.data of type cyclonedx.ComponentData
Uploading artifacts for failed job
...

Reproduction Steps

1.
2.
3.
...

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

not done

Operating System

docker

Version

.

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @kidmose
Thanks for your report!

We use official CycloneDX library. They already have issue and PR for this problem:
CycloneDX/cyclonedx-go#196
CycloneDX/cyclonedx-go#197

I asked them about this, so we will wait their answer.