Importing CycloneDX BOM

[software-testing-professional]

I created a CycloneDX file using 'OSS review toolkit'.
When I import the CycloneDX file into DefectDojo, it results in ''CycloneDX Scan processed a total of 0 findings."

If I run the OSS review toolkit again and choose another report format (HTML for example), then all rule violations are shown.

As far as I understand the CycloneDX spec, findings / rule violations are not part of the BOM file.
So what should happen in DefectDojo, if a CycloneDX BOM is imported?

Appreciate your help! :-)

Best regards, Michael

[damiencarol]

Which version of CyclonDX do you use? Since 1.4, the spec support findings directly in the report.

[software-testing-professional]

Thank you for your quick response.
OSS review toolkit uses 1.3 per default.

I tried to change that via Parameter -O CycloneXD=schema.version=1.4.
Which seems to have an effect on the XML output.

<bom serialNumber="urn:uuid:5039a736-5015-4b1f-904a-65735782c4c7" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">

And I just had a look at the CycloneXD 1.4 JSON schema (https://cyclonedx.org/docs/1.4/json/#vulnerabilities).
There I can only find vulnerabilities. But no rule violations / findings.

Is the purpose of a CycloneDX import then to create DefectDojo findings for each vulnerability?

If it is so, this was a misunderstanding on my side, as I assumed that rule violations found by OSS review toolkit would be imported.