fix: add nil check to CycloneDX toBomProperties (#3119)

Signed-off-by: Lucas Rodriguez <[email protected]>

syft/format/common/cyclonedxhelpers/to_format_model.go

@@ -211,6 +211,12 @@ func toBomProperties(srcMetadata source.Description) *[]cyclonedx.Property {
 	metadata, ok := srcMetadata.Metadata.(source.ImageMetadata)
 	if ok {
 		props := helpers.EncodeProperties(metadata.Labels, "syft:image:labels")
+		// return nil if props is nil to avoid creating a pointer to a nil slice,
+		// which results in a null JSON value that does not comply with the CycloneDX schema.
+		// https://github.com/anchore/grype/issues/1759
+		if props == nil {
+			return nil
+		}
 		return &props
 	}
 	return nil

syft/format/common/cyclonedxhelpers/to_format_model_test.go

@@ -236,6 +236,53 @@ func Test_toBomDescriptor(t *testing.T) {
 	}
 }
 
+func Test_toBomProperties(t *testing.T) {
+	tests := []struct {
+		name        string
+		srcMetadata source.Description
+		props       *[]cyclonedx.Property
+	}{
+		{
+			name: "ImageMetadata without labels",
+			srcMetadata: source.Description{
+				Metadata: source.ImageMetadata{
+					Labels: map[string]string{},
+				},
+			},
+			props: nil,
+		},
+		{
+			name: "ImageMetadata with labels",
+			srcMetadata: source.Description{
+				Metadata: source.ImageMetadata{
+					Labels: map[string]string{
+						"label1": "value1",
+						"label2": "value2",
+					},
+				},
+			},
+			props: &[]cyclonedx.Property{
+				{Name: "syft:image:labels:label1", Value: "value1"},
+				{Name: "syft:image:labels:label2", Value: "value2"},
+			},
+		},
+		{
+			name: "not ImageMetadata",
+			srcMetadata: source.Description{
+				Metadata: source.FileMetadata{},
+			},
+			props: nil,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+			props := toBomProperties(test.srcMetadata)
+			require.Equal(t, test.props, props)
+		})
+	}
+}
+
 func Test_toOsComponent(t *testing.T) {
 	tests := []struct {
 		name     string