From 50685e81180bd158905aa4ee0b321fa942985be8 Mon Sep 17 00:00:00 2001
From: Matt Rutkowski
Date: Thu, 7 Nov 2024 09:09:56 -0600
Subject: [PATCH] Fix vuln. source name dereference if source nil
Signed-off-by: Matt Rutkowski
---
 README.md | 2 +-
 schema/bom_hash.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 17e5d588..56412530 100644
--- a/README.md
+++ b/README.md
@@ -1669,7 +1669,7 @@ In this example, the `--from` filter will return the entire JSON components arra
 ]
 ```
-**Note**: The command for this example only used the `--from` flag and did not need to supply `--select '*'` as this us the default.
+**Note**: The command for this example only used the `--from` flag and did not need to supply `--select '*'` as this is the default.
 ##### Example: Filter result entries with a specified value
diff --git a/schema/bom_hash.go b/schema/bom_hash.go
index 3edfa09f..d95c882d 100644
--- a/schema/bom_hash.go
+++ b/schema/bom_hash.go
@@ -421,7 +421,7 @@ func (bom *BOM) HashmapVulnerability(cdxVulnerability CDXVulnerability, whereFil
 // defer to same source as the top-level vuln. declares
 fSeverity := fmt.Sprintf("%s: %v (%s)", rating.Method, rating.Score, rating.Severity)
 // give listing priority to ratings that matches top-level vuln. reporting source
- if rating.Source.Name == cdxVulnerability.Source.Name {
+ if rating.Source != nil && rating.Source.Name == cdxVulnerability.Source.Name {
 // prepend to slice
 vulnInfo.CvssSeverity = append([]string{fSeverity}, vulnInfo.CvssSeverity...)
 continue
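Review bot: The new guard in the `schema/bom_hash.go` hunk covers only `rating.Source`; the right-hand side of the comparison still reads `cdxVulnerability.Source.Name` with no nil check. If the top-level `Source` field is also a pointer (its declaration is not visible here), a vulnerability entry with no `source` object would still panic on this line, unless that is already checked earlier in `HashmapVulnerability`, whose body starts and ends outside the hunk. Since BOM documents are external input, a nil dereference here lets an incomplete or malformed file abort the whole run, so I would guard both sides: `if rating.Source != nil && cdxVulnerability.Source != nil && rating.Source.Name == cdxVulnerability.Source.Name {`. A regression test with one rating that omits `source` and one vulnerability that omits it would pin both cases.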