From ef467df511b25b8fdd4d633c43f678bd5d638d57 Mon Sep 17 00:00:00 2001
From: knqyf263
Date: Fri, 22 Nov 2024 15:06:42 +0400
Subject: [PATCH] fix(vex): add fail-safe

Signed-off-by: knqyf263
---
 pkg/vex/vex.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/vex/vex.go b/pkg/vex/vex.go
index e9ad15233b04..827285295c6b 100644
--- a/pkg/vex/vex.go
+++ b/pkg/vex/vex.go
@@ -181,6 +181,11 @@ func reachRoot(leaf *core.Component, components map[uuid.UUID]*core.Component, p
 return false
 } else if c.Root {
 return true
+ } else if len(parents[c.ID()]) == 0 {
+ // Should never reach here as all components other than the root should have at least one parent.
+ // If it does, it means the component tree is not connected due to a bug in the SBOM generation.
+ // In this case, so as not to filter out all the vulnerabilities accidentally, return true for fail-safe.
+ return true
 }

 visited[c.ID()] = true
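Review bot: The new `len(parents[c.ID()]) == 0` branch returns true without recording anything, so when a disconnected component tree causes VEX suppression to be skipped, nobody running the scan can tell that it happened or which component triggered it. Since the comment itself attributes this case to a bug in SBOM generation, a warning naming the component would make it diagnosable, for example `log.Warn("Component has no parents; skipping VEX filtering", log.String("component", c.ID().String()))`, assuming the project's `pkg/log` logger is in scope in this file. The diffstat shows only pkg/vex/vex.go changed, so a test with an orphaned non-root component that asserts the vulnerability is still reported would pin the fail-safe direction against later refactors. The function around this branch starts and ends outside the hunk, so its position relative to the earlier `return false` check could not be confirmed from here.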