Open
Description
When scanning my json SBOM file, bomber 0.5.1 does not appear to be finding and using the version numbers of my java maven dependencies, even though that information is in the SBOM in the referenceLocator.
My SBOM json file is in format SPDX-2.3. Bomber version 0.5.1 on windows x64.
For example, this is in my SBOM for commons-io library:
    {
      "name": "commons-io:commons-io",
      "SPDXID": "SPDXRef-maven-commons-io-commons-io-2.18.0-895d2c",
      "versionInfo": "2.18.0",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "Apache-2.0",
      "copyrightText": "Copyright 2002-2024 The Apache Software Foundation",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/commons-io/commons-io@2.18.0"
        }
      ]
    },
The bomber output is reporting vulnerabilities for old commons-io, such as versions before 2.7.
(This is happening for all packages, not just commons-io.)
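As an added check (not part of the issue report and not bomber's own code), the Python below reads an SPDX-2.3 JSON document, takes each package's version from the purl `referenceLocator` with `versionInfo` as the fallback, and flags entries where the two disagree or where neither is present. The first package is the commons-io entry quoted above; the second is a constructed entry with a version-less purl to show the fallback path.

```python
import json
from urllib.parse import unquote

# Constructed SPDX-2.3 document: the commons-io entry from the issue plus one
# made-up package whose purl carries no version (fallback to versionInfo).
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "commons-io:commons-io",
         "SPDXID": "SPDXRef-maven-commons-io-commons-io-2.18.0-895d2c",
         "versionInfo": "2.18.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/commons-io/commons-io@2.18.0"}]},
        {"name": "example:no-version-purl", "SPDXID": "SPDXRef-constructed-1",
         "versionInfo": "1.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:maven/example/no-version-purl"}]},
    ],
})

def parse_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    Qualifiers and subpath are dropped; version is None when absent."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].lstrip("/").split("#", 1)[0].split("?", 1)[0]
    path, _, version = rest.partition("@")
    parts = path.split("/")
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    return {"type": parts[0], "namespace": namespace,
            "name": unquote(parts[-1]), "version": unquote(version) or None}

def package_versions(spdx_json):
    """Per package: the version a scanner should use (purl first, then
    versionInfo), plus flags for purl/versionInfo disagreement or no version."""
    doc = json.loads(spdx_json)
    rows = []
    for pkg in doc.get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        purl_ver = parse_purl(purls[0])["version"] if purls else None
        info_ver = pkg.get("versionInfo")
        rows.append({"name": pkg.get("name"), "purl": purls[0] if purls else None,
                     "version": purl_ver or info_ver,
                     "mismatch": bool(purl_ver and info_ver and purl_ver != info_ver),
                     "missing": purl_ver is None and info_ver is None})
    return rows
```

Running `package_versions` over the real SBOM lists every package whose version is recoverable, which is a quick way to confirm the data a scanner should be matching on is actually present in the file.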