From 515190df931bdfbd943b1ca1c68139929647d014 Mon Sep 17 00:00:00 2001
From: boris
Date: Tue, 27 Jun 2023 21:41:23 +0400
Subject: [PATCH] Fix Vulnerabiliry Extension Deserialization Problem
Signed-off-by: bors2908
---
 .../cyclonedx/util/ExtensionDeserializer.java | 34 ++++++++++++++-----
 1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/src/main/java/org/cyclonedx/util/ExtensionDeserializer.java b/src/main/java/org/cyclonedx/util/ExtensionDeserializer.java
index 280b7a471..31fba4d26 100644
--- a/src/main/java/org/cyclonedx/util/ExtensionDeserializer.java
+++ b/src/main/java/org/cyclonedx/util/ExtensionDeserializer.java
@@ -210,30 +210,46 @@ private List processRatings(final JsonNode ratings) {
 if (ratings != null) {
 if (ratings.isArray() && !ratings.isEmpty()) {
 for (JsonNode rating : ratings) {
- ratingsList.add(processRating(rating));
+ ratingsList.addAll(processRatingIntermediate(rating));
 }
 } else {
- ratingsList.add(processRating(ratings));
+ ratingsList.addAll(processRatingIntermediate(ratings));
 }
 }
 return ratingsList.isEmpty() ? null : ratingsList;
 }
- private Rating processRating(final JsonNode ratingNode) {
- Rating rating = new Rating();
+ private List processRatingIntermediate(final JsonNode ratingNode) {
+ List ratingsList = new ArrayList<>();
+
 JsonNode r = ratingNode.get(Vulnerability10.RATING);
+
 if (r != null) {
- if (r.get(Vulnerability10.SCORE) != null) {
+ if (r.isArray() && !r.isEmpty()) {
+ for (JsonNode rating : r) {
+ ratingsList.add(processRating(rating));
+ }
+ } else {
+ ratingsList.add(processRating(r));
+ }
+ }
+ return ratingsList;
+ }
+
+ private Rating processRating(final JsonNode ratingNode) {
+ Rating rating = new Rating();
+ if (ratingNode != null) {
+ if (ratingNode.get(Vulnerability10.SCORE) != null) {
 Score score = new Score();
- JsonNode s = r.get(Vulnerability10.SCORE);
+ JsonNode s = ratingNode.get(Vulnerability10.SCORE);
 score.setBase(getAsDouble(Vulnerability10.BASE, s));
 score.setImpact(getAsDouble(Vulnerability10.IMPACT, s));
 score.setExploitability(getAsDouble(Vulnerability10.EXPLOITABILITY, s));
 rating.setScore(score);
 }
- rating.setSeverity(Severity.fromString(getAsString(Vulnerability10.SEVERITY, r)));
- rating.setMethod(ScoreSource.fromString(getAsString(Vulnerability10.METHOD, r)));
- rating.setVector(getAsString(Vulnerability10.VECTOR, r));
+ rating.setSeverity(Severity.fromString(getAsString(Vulnerability10.SEVERITY, ratingNode)));
+ rating.setMethod(ScoreSource.fromString(getAsString(Vulnerability10.METHOD, ratingNode)));
+ rating.setVector(getAsString(Vulnerability10.VECTOR, ratingNode));
 }
 return rating;