
sbomnix: NaNs in bom-ref for findings in vulnerabilities section in CycloneDX SBOMs #132

Closed
andrew-myer opened this issue Oct 17, 2024 · 3 comments

Comments

@andrew-myer
Contributor

andrew-myer commented Oct 17, 2024

Some findings in the vulnerabilities section of generated CycloneDX SBOMs have a bom-ref of NaN. This looks to be caused by a difference in derivation parsing between sbomnix and vulnix.

vulnix parses the pname and version of a package by splitting the name of a derivation
https://github.com/nix-community/vulnix/blob/master/src/vulnix/derivation.py#L71
https://github.com/nix-community/vulnix/blob/master/src/vulnix/derivation.py#L20-L27

sbomnix reads the pname and version values from a derivation which seems more correct
https://github.com/tiiuae/sbomnix/blob/main/src/sbomnix/derivation.py#L67-L73

The difference in parsing for pname and version causes NaNs when the results are merged if the pname and version don't match.
https://github.com/tiiuae/sbomnix/blob/main/src/sbomnix/sbomdb.py#L243-L249

I think a fix would either be to remove vulnix as a scanner and rely on grype's and osv's SBOM scans, or an update to vulnix parsing to match this project's parsing. Let me know what you think 😄
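The mismatch described in the issue, reproduced as an added example (not code from sbomnix or vulnix): one parser approximates vulnix's name-splitting (strip the store hash, then treat the first dash-separated component starting with a digit as the beginning of the version), the other reads the derivation's own pname and version attributes, and a plain left join on (pname, version) stands in for the pandas merge in sbomdb.py, with None playing the role of NaN. The store paths, hashes, package names and vulnerability ids are constructed; using the derivation store path as the bom-ref is an assumption.

```python
"""Show how two different pname/version parsers produce keys that do not join.

Constructed example; not sbomnix or vulnix code.
"""
import re
from dataclasses import dataclass

# Matches the "/nix/store/<32-char base32 hash>-" prefix of a store path.
_HASH_PREFIX = re.compile(r"^/nix/store/[0-9a-z]{32}-")


@dataclass(frozen=True)
class Drv:
    """Minimal stand-in for a parsed derivation (constructed)."""
    store_path: str  # /nix/store/<hash>-<name>.drv
    pname: str       # value of the derivation's "pname" env attribute
    version: str     # value of the derivation's "version" env attribute


def parse_by_name_split(store_path):
    """Approximation of name-splitting (builtins.parseDrvName semantics).

    Strips the store hash and ".drv", splits on "-", and starts the version at
    the first component whose first character is a digit. Everything before
    that is taken as pname, which is wrong for names such as
    "python3.12-requests-2.32.3" where the real pname is "requests".
    """
    name = _HASH_PREFIX.sub("", store_path)
    if name.endswith(".drv"):
        name = name[:-4]
    parts = name.split("-")
    for i, part in enumerate(parts):
        if part and part[0].isdigit():
            return "-".join(parts[:i]), "-".join(parts[i:])
    return name, ""


def parse_by_attributes(drv):
    """Read pname and version from the derivation attributes themselves."""
    return drv.pname, drv.version


def merge_findings(components, findings):
    """Left-join findings onto SBOM components on (pname, version).

    A finding whose key matches no component gets bom_ref None, the same
    outcome a pandas merge would express as NaN.
    """
    by_key = {(c["pname"], c["version"]): c["bom_ref"] for c in components}
    return [dict(f, bom_ref=by_key.get((f["pname"], f["version"])))
            for f in findings]


def find_unresolved(merged):
    """Ids of findings that could not be tied back to a component.

    A check like this before emitting the SBOM surfaces NaN bom-refs as an
    error instead of shipping them silently.
    """
    return [f["id"] for f in merged if f["bom_ref"] is None]


# Constructed derivations: hashes and package data are illustrative only.
DRVS = [
    Drv("/nix/store/0123456789abcdfghijklmnpqrsvwxyz-openssl-3.0.14.drv",
        "openssl", "3.0.14"),
    Drv("/nix/store/zyxwvsrqpnmlkjihgfdcba9876543210-python3.12-requests-2.32.3.drv",
        "requests", "2.32.3"),
]


def demo():
    """Build components the attribute way, findings the name-split way, then join."""
    components = []
    for drv in DRVS:
        pname, version = parse_by_attributes(drv)
        components.append({"bom_ref": drv.store_path,  # assumed bom-ref choice
                           "pname": pname, "version": version})
    findings = []
    for n, drv in enumerate(DRVS, start=1):
        pname, version = parse_by_name_split(drv.store_path)
        findings.append({"id": f"VULN-EXAMPLE-{n}",  # placeholder id
                         "pname": pname, "version": version})
    return merge_findings(components, findings)


if __name__ == "__main__":
    merged = demo()
    for row in merged:
        print(row)
    print("unresolved:", find_unresolved(merged))
```

Running it shows the openssl finding joined to its component while the requests finding, whose name-split pname is "python3.12-requests", ends up with no bom-ref; the `find_unresolved` check is the point at which an SBOM generator can refuse to emit the NaN rather than discover them downstream.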

@andrew-myer andrew-myer changed the title NaNs in bom-ref for findings in vulnerabilities section in CycloneDX SBOMs sbomnix - NaNs in bom-ref for findings in vulnerabilities section in CycloneDX SBOMs Oct 17, 2024
@andrew-myer andrew-myer changed the title sbomnix - NaNs in bom-ref for findings in vulnerabilities section in CycloneDX SBOMs sbomnix: NaNs in bom-ref for findings in vulnerabilities section in CycloneDX SBOMs Oct 17, 2024
@henrirosten
Collaborator

Thanks @andrew-myer, I'll get back to this in the next few days.

@henrirosten
Collaborator

I would like to fix this in vulnix, but I assume it will take some time to get it fixed there.

Maybe we merge your fix in #133 first. I could take care of pushing the fix to vulnix, then re-enable the vulnix scan on the cdx sbom vulnerabilities section once the fix is available in the vulnix upstream.

@henrirosten
Collaborator

Closing this issue, it's now resolved with the following PRs:
