From f4734d28b391800f824a89712897daf19237812c Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Thu, 17 Mar 2022 10:22:35 -0400
Subject: [PATCH] Fix panic when CycloneDX BOM missing metadata.component (#895)
---
 .../formats/common/cyclonedxhelpers/decoder.go | 2 +-
 .../common/cyclonedxhelpers/decoder_test.go | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go
index 566ffd141..43ff2607b 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder.go
@@ -46,7 +46,7 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 meta := source.Metadata{}
- if bom.Metadata != nil {
+ if bom.Metadata != nil && bom.Metadata.Component != nil {
 meta = decodeMetadata(bom.Metadata.Component)
 }
 s := &sbom.SBOM{
diff --git a/internal/formats/common/cyclonedxhelpers/decoder_test.go b/internal/formats/common/cyclonedxhelpers/decoder_test.go
index e18e89f0a..40b95b9dd 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder_test.go
@@ -258,3 +258,18 @@ func Test_decode(t *testing.T) {
 })
 }
 }
+
+func Test_missingDataDecode(t *testing.T) {
+ bom := &cyclonedx.BOM{
+ Metadata: nil,
+ Components: &[]cyclonedx.Component{},
+ }
+
+ _, err := toSyftModel(bom)
+ assert.NoError(t, err)
+
+ bom.Metadata = &cyclonedx.Metadata{}
+
+ _, err = toSyftModel(bom)
+ assert.NoError(t, err)
+}
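Review bot: Nothing at the new guard in `toSyftModel` (decoder.go hunk) records that a BOM without `metadata.component` is deliberately decoded with a zero-value `source.Metadata{}` rather than rejected. The BOM is parsed from a file the decoder does not control, so a comment above the `if` should state the contract, for example `// metadata and metadata.component are optional in the input; keep the zero-value source.Metadata when either is missing`. `bom` itself is still dereferenced unconditionally in the same condition, so if any caller can reach this function with a nil BOM (not visible here), an early `if bom == nil` return with an error would close the same class of panic. The function body continues past the end of the hunk.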
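Review bot: Both calls in `Test_missingDataDecode` (decoder_test.go hunk) discard the returned SBOM, so the test only proves the panic is gone and would still pass if the decoder returned a nil or half-built model for a BOM without `metadata.component`. Capturing the result and asserting on it, e.g. `s, err := toSyftModel(bom)` followed by `assert.NotNil(t, s)`, would pin the fallback behaviour. The second case mutates the same `bom` in place, so splitting the two inputs into `t.Run` subtests would make a failure point at the exact input shape that broke. `Components` is non-nil in both cases, so a BOM with no components list is not covered by this test.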