Syft is dropping the "group" field from imported CycloneDX #1202
Labels
Comments
Merged
|
Thanks @kairabiensda , this sounds like something we should be able to get done at some point in the not too distant future. A good idea! |
|
a workaround for this is now here: #1345 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is based on research with @wurstbrot. It might be an issue with syft, or the CycloneDX library.
By taking a look at the output of the javascript cataloger, it doesn't use group (specified in . It places the group in front of the name.
I am using the following components/flow:
cyclonedx/cyclonedx-npm (uses group) -> image -> syft (doesn't support group) with https://github.com/CycloneDX/cyclonedx-go (does support groups) -> new-bom.json (without group attribute/prefix in name)
Is there a reason that syft doesn't use the specified group in a package? The cycloneDX specification uses
a group https://cyclonedx.org/docs/1.4/json/#components_items_group?
A workaround might be to do make the bom.json it like the javascript cataloger uses it and add the group in front of the name and remove the group attribute.
Originally posted by @wurstbrot in #1029 (comment)
The text was updated successfully, but these errors were encountered: