This is based on research with @wurstbrot. It might be an issue with syft, or the CycloneDX library.
By taking a look at the output of the javascript cataloger, it doesn't use group (specified in . It places the group in front of the name.
I am using the following components/flow:
cyclonedx/cyclonedx-npm (uses group) -> image -> syft (doesn't support group) with https://github.com/CycloneDX/cyclonedx-go (does support groups) -> new-bom.json (without group attribute/prefix in name)
Is there a reason that syft doesn't use the specified group in a package? The CycloneDX specification uses a group (https://cyclonedx.org/docs/1.4/json/#components_items_group).
A workaround might be to make the bom.json look the way the javascript cataloger uses it: add the group in front of the name and remove the group attribute.
Originally posted by @wurstbrot in #1029 (comment)
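The workaround described in the issue above, sketched as an added example (not code from the original post, syft or the CycloneDX projects): it folds each component's `group` into `name` and drops the `group` attribute, including on nested components. The `/` separator, the function names and the sample BOM are assumptions constructed for illustration.

```python
import copy
import json


def merge_group_into_name(component, sep="/"):
    """Fold `group` into `name` in place; return how many components changed."""
    changed = 0
    group = component.pop("group", None)  # the group attribute is always dropped
    if group:
        name = component.get("name", "")
        # Skip the prefix if the name already carries it (e.g. "@scope/pkg").
        if not name.startswith(group + sep):
            component["name"] = f"{group}{sep}{name}"
        changed += 1
    # CycloneDX allows components to nest further components.
    for child in component.get("components", []):
        changed += merge_group_into_name(child, sep)
    return changed


def rewrite_bom(bom, sep="/"):
    """Apply the workaround to every entry under the BOM's top-level `components`."""
    return sum(merge_group_into_name(c, sep) for c in bom.get("components", []))


# Constructed sample in the shape of a CycloneDX 1.4 JSON BOM (assumed data,
# not output captured from cyclonedx-npm or syft).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "@angular", "name": "core",
         "version": "15.0.0", "purl": "pkg:npm/%40angular/core@15.0.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21"},
        {"type": "library", "group": "@babel", "name": "core", "version": "7.20.0",
         "components": [
             {"type": "library", "group": "@babel", "name": "parser",
              "version": "7.20.0"},
         ]},
    ],
}

if __name__ == "__main__":
    bom = copy.deepcopy(SAMPLE_BOM)
    print(rewrite_bom(bom), "components rewritten")
    print(json.dumps(bom, indent=2))
```

The `purl` field is left untouched, so the scope stays recoverable from it after the `group` attribute is removed.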