Low EPSS scores are serialized in E-notation, causing validation to fail

[sschuberth]

Coming from here, it seems that an EPSS vulnerability score of 0.000760000 is serialized as "7.600000244565308E-4" (at least in XML), which causes https://cyclonedx.github.io/cyclonedx-web-tool/validate to fail with

The 'http://cyclonedx.org/schema/bom/1.5:score' element is invalid - The value '7.600000244565308E-4' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '7.600000244565308E-4' is not a valid Decimal value.

Maybe a solution would be to force serialization always at some fixed precision. Or validation could be changed to accept E-notations for floating point numbers, but I guess that would be a harder task.

[mr-zepol]

Coming from here, it seems that an EPSS vulnerability score of 0.000760000 is serialized as "7.600000244565308E-4" (at least in XML), which causes https://cyclonedx.github.io/cyclonedx-web-tool/validate to fail with

The 'http://cyclonedx.org/schema/bom/1.5:score' element is invalid - The value '7.600000244565308E-4' is invalid according to its datatype 'http://www.w3.org/2001/XMLSchema:decimal' - The string '7.600000244565308E-4' is not a valid Decimal value.

Maybe a solution would be to force serialization always at some fixed precision. Or validation could be changed to accept E-notations for floating point numbers, but I guess that would be a harder task.

hey @sschuberth you have an example when the serialization fails? I am trying to reproduce this to try to fix it but without luck, we have done some changes/improvements lately so not sure if this has been fixed indirectly

[sschuberth]

Hi @mr-zepol, the issue originally occurred with data from CVE-2020-15250 as found in pkg:maven/junit/[email protected]. I'll try to reproduce it again and report back.