CycloneDX / cyclonedx-go

Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)

Home Page: https://cyclonedx.org/


[bug] BOMEncoder for vulnerabilities adds a default score of 0 if not specified

samj1912 opened this issue · comments

Currently vulnerabilities.ratings.score is a non-required field in the spec. The library, however, serializes absent scores as 0 in VEX documents. This is probably because score is a float field

Score float64 `json:"score" xml:"score"`

instead of a float pointer, in which case we could omit it when it is set to nil.

For example see BOMs at anchore/grype#678

Good catch and thx for reporting, @samj1912! Fixed in v0.5.1.
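The encoding behaviour the report describes, side by side with the pointer-and-`omitempty` shape the reporter proposes, as an added example that is not code from cyclonedx-go itself: the struct names and the `"constructed-example"` source value are assumptions made for this demonstration, and the check matters because a consumer cannot tell a spurious `score: 0` from a real CVSS score of zero.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ratingBefore mirrors the reported shape: a plain float64 cannot
// distinguish "no score supplied" from "score is 0", so encoding/json
// always emits "score":0 even when the rating carried no score at all.
type ratingBefore struct {
	Source string  `json:"source"`
	Score  float64 `json:"score"`
}

// ratingAfter uses a *float64 with omitempty: a nil pointer is dropped from
// the output, while a pointer to 0 is still emitted as an explicit score.
type ratingAfter struct {
	Source string   `json:"source"`
	Score  *float64 `json:"score,omitempty"`
}

// encodeBefore serializes a rating with the float64 field; nil means "absent".
func encodeBefore(score *float64) (string, error) {
	r := ratingBefore{Source: "constructed-example"} // constructed value
	if score != nil {
		r.Score = *score
	}
	b, err := json.Marshal(r)
	return string(b), err
}

// encodeAfter serializes the same rating with the pointer field.
func encodeAfter(score *float64) (string, error) {
	r := ratingAfter{Source: "constructed-example", Score: score} // constructed value
	b, err := json.Marshal(r)
	return string(b), err
}

func main() {
	before, _ := encodeBefore(nil)
	after, _ := encodeAfter(nil)
	zero := 0.0
	withZero, _ := encodeAfter(&zero)
	fmt.Println("float64, no score given:    ", before)   // "score":0 appears
	fmt.Println("*float64 omitempty, no score:", after)   // no score member
	fmt.Println("*float64 omitempty, score 0: ", withZero) // explicit 0 kept
}
```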