From 6ccd460e59ce3900aa85bdc535d7972f223b454d Mon Sep 17 00:00:00 2001
From: cpendery <35637443+cpendery@users.noreply.github.com>
Date: Thu, 26 May 2022 13:44:12 -0400
Subject: [PATCH] fix: add component list to prevent cyclone-dx panic (#1015)
---
 internal/formats/common/cyclonedxhelpers/decoder.go | 4 +++-
 .../formats/common/cyclonedxhelpers/decoder_test.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go
index 27215aa22..f255d1b22 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder.go
@@ -31,7 +31,9 @@ func GetValidator(format cyclonedx.BOMFileFormat) sbom.Validator {
 func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 return func(reader io.Reader) (*sbom.SBOM, error) {
- bom := &cyclonedx.BOM{}
+ bom := &cyclonedx.BOM{
+ Components: &[]cyclonedx.Component{},
+ }
 err := cyclonedx.NewBOMDecoder(reader, format).Decode(bom)
 if err != nil {
 return nil, err
diff --git a/internal/formats/common/cyclonedxhelpers/decoder_test.go b/internal/formats/common/cyclonedxhelpers/decoder_test.go
index f55ef5b80..5f029bd3e 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder_test.go
@@ -1,6 +1,8 @@
 package cyclonedxhelpers
 import (
+ "bytes"
+ "encoding/json"
 "fmt"
 "testing"
@@ -283,3 +285,13 @@ func Test_missingDataDecode(t *testing.T) {
 assert.Len(t, pkg.Licenses, 0)
 }
+
+func Test_missingComponentsDecode(t *testing.T) {
+ bom := &cyclonedx.BOM{}
+ bomBytes, _ := json.Marshal(&bom)
+ decode := GetDecoder(cyclonedx.BOMFileFormatJSON)
+
+ _, err := decode(bytes.NewReader(bomBytes))
+
+ assert.NoError(t, err)
+}
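Review bot: Pre-seeding `Components` before `Decode` does not survive a document that carries an explicit `"components": null`, because encoding/json sets a pointer field back to nil on a JSON null (assuming the cyclonedx JSON decoder is backed by encoding/json), so the nil dereference this commit guards against can still be reached from input the decoder accepts. The sturdier form is to normalize after decoding rather than before: following the `if err != nil` check, `if bom.Components == nil { bom.Components = &[]cyclonedx.Component{} }`, which holds for the XML format too without relying on the initial value being preserved. Any other pointer-typed BOM field that later code dereferences would want the same post-decode treatment, though which fields those are is not visible in this hunk. The closure returned by GetDecoder continues past the end of the hunk.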
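Review bot: In Test_missingComponentsDecode the `json.Marshal` error is discarded with `_`, so a marshalling failure would turn into a confusing decode failure instead of pointing at the setup step; the file already uses assert, so `bomBytes, err := json.Marshal(bom)` followed by `assert.NoError(t, err)` and then `_, err = decode(bytes.NewReader(bomBytes))` keeps the failure where it happens. Passing `&bom` marshals a pointer to a pointer, which works but reads as a slip since `bom` is already a `*cyclonedx.BOM`. The test only covers an absent components key; a second input with `"components": null` would pin the nil-pointer case the fix is meant to prevent rather than just the missing-key case.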