Open kairabiensda opened 2 years ago
Thanks @kairabiensda, this sounds like something we should be able to get done at some point in the not too distant future. A good idea!
A workaround for this is now here: https://github.com/anchore/syft/pull/1345
This is based on research with @wurstbrot. It might be an issue with syft, or the CycloneDX library.
By taking a look at the output of the javascript cataloger, it doesn't use group (specified in . It places the group in front of the name. I am using the following components/flow: cyclonedx/cyclonedx-npm (uses group) -> image -> syft (doesn't support group) with https://github.com/CycloneDX/cyclonedx-go (does support groups) -> new-bom.json (without group attribute/prefix in name)
Is there a reason that syft doesn't use the specified group in a package? The CycloneDX specification uses a group https://cyclonedx.org/docs/1.4/json/#components_items_group?
A workaround might be to make the bom.json like the javascript cataloger uses it: add the group in front of the name and remove the group attribute.
Originally posted by @wurstbrot in https://github.com/anchore/syft/issues/1029#issuecomment-1241818307
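The workaround described in the post above, as an added example (not code from syft, cyclonedx-npm, or the linked pull request): a Python script that folds each component's `group` into `name` and drops the `group` attribute in a CycloneDX JSON BOM, including nested components. The `/` separator (npm's `@scope/name` convention), the function names and the sample BOM are assumptions constructed for illustration.

```python
import copy
import json

# Constructed sample BOM in the shape described above (group kept as its own attribute).
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "@babel", "name": "core", "version": "7.20.0",
     "components": [
       {"type": "library", "group": "@babel", "name": "types", "version": "7.20.0"}
     ]},
    {"type": "library", "name": "lodash", "version": "4.17.21"},
    {"type": "library", "group": "", "name": "express", "version": "4.18.2"},
    {"type": "library", "group": "@types", "name": "@types/node", "version": "18.0.0"}
  ]
}
""")

SEPARATOR = "/"  # assumption: npm scope convention, "@scope/name"


def fold_group(component, sep=SEPARATOR):
    """Move `group` into `name` for one component and its nested components."""
    group = component.pop("group", None)
    name = component.get("name", "")
    # Skip empty groups and names that already carry the prefix (idempotent).
    if group and not name.startswith(group + sep):
        component["name"] = group + sep + name
    for child in component.get("components", []):
        fold_group(child, sep)
    return component


def fold_groups_in_bom(bom, sep=SEPARATOR):
    """Return a copy of the BOM with every component's group folded into its name."""
    out = copy.deepcopy(bom)
    meta_component = out.get("metadata", {}).get("component")
    if meta_component:
        fold_group(meta_component, sep)
    for component in out.get("components", []):
        fold_group(component, sep)
    return out


if __name__ == "__main__":
    print(json.dumps(fold_groups_in_bom(SAMPLE_BOM), indent=2))
```

Only `name` and `group` are rewritten; other fields such as `purl` or `bom-ref` are left untouched, so any tooling that matches on those is unaffected.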