CycloneDX parser: KeyError on missing optional 'vector' field in ratings #14874

@plzthx

Description

The CycloneDX JSON parser unconditionally accesses rating["vector"] without checking for its presence, causing HTTP 500 errors on valid CycloneDX 1.6 documents. Per the spec (https://cyclonedx.org/docs/1.6/json/#vulnerabilities_items_ratings_items_vector), the vector field is optional in vulnerabilities[].ratings[]. NVD-sourced ratings frequently omit the vector field, making this a common real-world issue.

In our test of 52 services with auto-generated SBOMs, 50 failed import with KeyError because ratings lacked the vector field.

Steps to Reproduce

  1. Generate or upload a valid CycloneDX 1.6 JSON with a vulnerability rating that omits vector:
{
  "vulnerabilities": [
    {
      "ref": "pkg:npm/lodash@4.17.21",
      "ratings": [
        {
          "source": { "name": "nvd:cpe" },
          "score": { "base": 7.5 }
          // note: no "vector" field
        }
      ]
    }
  ]
}
  2. POST to /api/v2/scan_types/{scan_type_id}/upload/ or import via Django admin
  3. Observe HTTP 500 with KeyError

Expected vs Actual

  • Expected: Parser gracefully handles optional fields, defaults vector="" if missing, import succeeds
  • Actual: KeyError on line 115 of dojo/tools/cyclonedx/json_parser.py, entire scan fails

Suggested Fix

Replace unconditional dict access with .get():

# Line 115
raw_vector = rating.get("vector", "")  # Matches CDX 1.6 optionality
cvssv3 = Cyclonedxhelper()._get_cvssv3(raw_vector)
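As an added illustration (not code from DefectDojo or from this issue), the failing unconditional access next to the `.get()` form proposed above, run over a constructed CycloneDX 1.6 document that mixes a rating carrying a CVSS vector with an NVD-style rating that omits it; the function names are hypothetical and `cvssv3_or_none` only stands in for the real helper.

```python
import json

# Constructed sample, modelled on the document in this issue: the first rating has no
# "vector" (optional in CycloneDX 1.6), the second carries a CVSS v3.1 vector.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "vulnerabilities": [
        {
            "ref": "pkg:npm/lodash@4.17.21",
            "ratings": [
                {"source": {"name": "nvd:cpe"}, "score": 7.5, "severity": "high"},
                {"source": {"name": "other"}, "score": 9.8, "method": "CVSSv31",
                 "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
            ],
        }
    ],
})


def load_sample():
    return json.loads(SAMPLE_SBOM)


def cvssv3_or_none(raw_vector):
    """Hypothetical stand-in for the project's CVSS helper: an empty vector yields None."""
    return raw_vector if raw_vector.startswith("CVSS:3") else None


def extract_ratings_unsafe(doc):
    """The failing pattern: rating["vector"] is read unconditionally."""
    return [(vuln["ref"], rating["vector"])          # KeyError when "vector" is absent
            for vuln in doc.get("vulnerabilities", [])
            for rating in vuln.get("ratings", [])]


def extract_ratings_safe(doc):
    """Hardened form from the suggested fix: .get() with "" as the default."""
    out = []
    for vuln in doc.get("vulnerabilities", []):
        for rating in vuln.get("ratings", []):
            raw_vector = rating.get("vector", "")   # matches CDX 1.6 optionality
            out.append((vuln.get("ref", ""), cvssv3_or_none(raw_vector)))
    return out


def unsafe_raises_keyerror(doc):
    """True when the unconditional access fails on the document, i.e. the import would 500."""
    try:
        extract_ratings_unsafe(doc)
    except KeyError:
        return True
    return False
```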

Environment

  • DefectDojo: 2.57.2
  • Issue file: dojo/tools/cyclonedx/json_parser.py:115
