We have a few issues around the `group` field in CycloneDX:

Ultimately what should happen is that:

- the encoders for CycloneDX should consider splitting the name into name and group based on the package ecosystem
- the decoders for CycloneDX should consider combining the group back into the name based on the package ecosystem

This would at least help with a few of the grype issues, though there is more work in grype needed to consider whether group should be removed or added when searching for vulnerabilities (which is different from specific SBOM considerations).
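As an added illustration of the encoder/decoder split described above (example code written here, not syft's or grype's own implementation), the following Go snippet derives CycloneDX `group`/`name` from an ecosystem-specific package name and rebuilds the name on the way back. The ecosystem constants, the `Component` type and the two conventions it knows (Maven `groupId:artifactId` for Java, `@scope/name` for npm) are assumptions for this example; package names are constructed. Names without a recognised group, and ecosystems with no group convention, pass through unchanged so that a decode of an encode always returns the original name.

```go
package main

import (
	"fmt"
	"strings"
)

// Ecosystem identifies the package type a name belongs to.
// These values are assumptions for this example, not syft's pkg.Type constants.
type Ecosystem string

const (
	EcosystemJava Ecosystem = "java"
	EcosystemNPM  Ecosystem = "npm"
	EcosystemGo   Ecosystem = "go"
)

// Component mirrors the two CycloneDX fields under discussion.
type Component struct {
	Group string
	Name  string
}

// SplitName is the encoder side: derive CycloneDX group/name from the
// ecosystem-specific package name. Names with no recognised group, and
// ecosystems without a group convention, keep the full name and an empty group.
func SplitName(eco Ecosystem, fullName string) Component {
	switch eco {
	case EcosystemJava:
		// Maven coordinates: "groupId:artifactId" (assumed convention).
		if i := strings.LastIndex(fullName, ":"); i > 0 && i < len(fullName)-1 {
			return Component{Group: fullName[:i], Name: fullName[i+1:]}
		}
	case EcosystemNPM:
		// Scoped npm packages: "@scope/name" (assumed convention).
		if strings.HasPrefix(fullName, "@") {
			if i := strings.Index(fullName, "/"); i > 1 && i < len(fullName)-1 {
				return Component{Group: fullName[:i], Name: fullName[i+1:]}
			}
		}
	}
	return Component{Name: fullName}
}

// JoinName is the decoder side: rebuild the ecosystem package name from
// group + name using the same per-ecosystem separator. An empty group, or an
// ecosystem without a group convention, yields the bare name.
func JoinName(eco Ecosystem, c Component) string {
	if c.Group == "" {
		return c.Name
	}
	switch eco {
	case EcosystemJava:
		return c.Group + ":" + c.Name
	case EcosystemNPM:
		return c.Group + "/" + c.Name
	}
	return c.Name
}

// RoundTrips reports whether encoding then decoding preserves the name,
// which is the invariant an SBOM writer/reader pair should maintain.
func RoundTrips(eco Ecosystem, fullName string) bool {
	return JoinName(eco, SplitName(eco, fullName)) == fullName
}

func main() {
	// Constructed sample package names, one per case of interest.
	samples := []struct {
		eco  Ecosystem
		name string
	}{
		{EcosystemJava, "com.example:demo-lib"},   // group:artifact
		{EcosystemJava, "demo-lib"},               // no group present
		{EcosystemNPM, "@example/widget"},         // scoped package
		{EcosystemNPM, "widget"},                  // unscoped package
		{EcosystemGo, "github.com/example/mod"},   // no group convention
	}
	for _, s := range samples {
		c := SplitName(s.eco, s.name)
		fmt.Printf("%-5s %-28s -> group=%q name=%q roundtrip=%v\n",
			s.eco, s.name, c.Group, c.Name, RoundTrips(s.eco, s.name))
	}
}
```

The round-trip check is the property worth keeping in a test suite: if a later change teaches the encoder a new ecosystem convention without teaching the decoder the matching join, names would come back altered and downstream vulnerability matching would look up the wrong package.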