Produces invalid SBOM file when CVSSv31 method is used in input

[lazka]

Input file: buginput.json

Passing the attached SBOM through cyclonedx-cli results in an invalid JSON:

$ cyclonedx --version                                                                
0.25.0
$ # it's valid
$ cyclonedx validate --input-file buginput.json
BOM validated successfully.

$ # converting breaks it
$ cyclonedx convert --input-file buginput.json --output-file converted.json
$ cyclonedx validate --input-file converted.json
Unable to validate against any JSON schemas.
BOM is not valid.

$ # merging breaks it too
$ cyclonedx merge --input-files buginput.json buginput.json --output-file merged.json
$ cyclonedx validate --input-file merged.json   
Unable to validate against any JSON schemas.
BOM is not valid.

from what I see the rating "method" gets encoded wrongly:

{
  "score": 3.3,
  "severity": "low",
  "method": "CVSSv31",
  "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
}

After:

{
  "score": 3.3,
  "severity": "low",
  "method": "CVSSv3.1",
  "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
}

[andreas-hilti]

Is this related to CycloneDX/cyclonedx-dotnet-library#261?

[mtsfoni]

Should be fixed in 0.25.1

[lazka]

Confirmed. Thanks!