Store cyclonedx vulnerability data as dict in place of json

tdruez · tdruez · commit a66516fd629c · 2025-12-26T17:41:55.000+04:00
Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/scanpipe/pipes/cyclonedx.py b/scanpipe/pipes/cyclonedx.py
@@ -190,7 +190,7 @@ def cyclonedx_component_to_package_data(
                 {
                     "vulnerability_id": str(cdx_vulnerability.id),
                     "summary": cdx_vulnerability.description,
-                    "cdx_vulnerability_json": cdx_vulnerability_json,
+                    "cdx_vulnerability_data": json.loads(cdx_vulnerability_json),
                 }
             )
 
diff --git a/scanpipe/tests/pipes/test_cyclonedx.py b/scanpipe/tests/pipes/test_cyclonedx.py
@@ -255,9 +255,8 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
             "Tar 1.15.1 does not properly warn the user when...",
             affected_by[0]["summary"],
         )
-        self.assertIn("cdx_vulnerability_json", affected_by[0])
-        vulnerability_json = affected_by[0]["cdx_vulnerability_json"]
-        cdx_vulnerability = json.loads(vulnerability_json)
+        self.assertIn("cdx_vulnerability_data", affected_by[0])
+        cdx_vulnerability_data = affected_by[0]["cdx_vulnerability_data"]
         expected = [
             "advisories",
             "affects",
@@ -268,7 +267,7 @@ def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_vulnerabilities(self):
             "source",
             "updated",
         ]
-        self.assertEqual(expected, list(cdx_vulnerability.keys()))
+        self.assertEqual(expected, sorted(cdx_vulnerability_data.keys()))
 
     def test_scanpipe_cyclonedx_resolve_cyclonedx_packages_pre_validation(self):
         # This SBOM includes multiple deserialization issues that are "fixed"
diff --git a/scanpipe/tests/test_pipelines.py b/scanpipe/tests/test_pipelines.py
@@ -1639,13 +1639,12 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
         self.assertEqual(1, project1.discoveredpackages.count())
         package = project1.discoveredpackages.get()
         affected_by = package.affected_by_vulnerabilities[0]
-        cdx_vulnerability_json = affected_by.pop("cdx_vulnerability_json")
+        cdx_vulnerability_data = affected_by.pop("cdx_vulnerability_data")
         expected = {
             "vulnerability_id": "CVE-2005-2541",
             "summary": "Tar 1.15.1 does not properly warn the user when...",
         }
         self.assertEqual(expected, affected_by)
-        cdx_vulnerability = json.loads(cdx_vulnerability_json)
         expected = [
             "advisories",
             "affects",
@@ -1656,7 +1655,7 @@ def test_scanpipe_load_sbom_pipeline_cyclonedx_with_vulnerabilities(self):
             "source",
             "updated",
         ]
-        self.assertEqual(expected, list(cdx_vulnerability.keys()))
+        self.assertEqual(expected, sorted(cdx_vulnerability_data.keys()))
 
     @mock.patch("scanpipe.pipes.purldb.request_post")
     @mock.patch("uuid.uuid4")

Original file line number	Diff line number	Diff line change
`@@ -190,7 +190,7 @@ def cyclonedx_component_to_package_data(`
`190`	`190`	`{`
`191`	`191`	`"vulnerability_id": str(cdx_vulnerability.id),`
`192`	`192`	`"summary": cdx_vulnerability.description,`
`193`		`- "cdx_vulnerability_json": cdx_vulnerability_json,`
	`193`	`+ "cdx_vulnerability_data": json.loads(cdx_vulnerability_json),`
`194`	`194`	`}`
`195`	`195`	`)`
`196`	`196`