anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

Metadata component bom-ref with cyclonedx is not linked to an actual component #20

Closed benmss closed 7 months ago

benmss commented 8 months ago

When creating a cyclonedx sbom via sbom4python and therefore this library, the metadata -> component -> bom-ref property is set to CDXRef-DOCUMENT and this value is not present in any of the bom-ref properties of the non-metadata components elsewhere in the sbom.

For example with the sbom for the radon module created by sbom4python@0.10.0 and lib4sbom@0.5.1:

"metadata": {
    ...
    "component": {
      "type": "application",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "Python-radon"
    }
}
    ...
"components": [
{
  "type": "application",
  "bom-ref": "1-radon",
   ...

(This was created with pip 23.3 and Python 3.11)

It seems this issue is the result of a somewhat recent change, as in an sbom created by lib4sbom@0.4.3 the CDXRef-DOCUMENT property value is present in the proper component as well.

However, I would advocate for the metadata bom-ref and the related component to both contain something like 1-radon rather than CDXRef-DOCUMENT.

anthonyharrison commented 7 months ago

@benmss I will have a look. The metadata fields were updated whilst adding some features to lib4sbom 0.5 to support CycloneDX v1.5. It looks as if these have resulted in the issue.

The generated SBOM is valid according to the CycloneDX SBOM validator.

behnazh-w commented 7 months ago

Thanks @anthonyharrison. It is correct that the SBOM is "valid" according to the schema but unfortunately the verifier/consumer tools rely on references in the BOM file as described in this issue to identify dependencies. So, it would be great if this issue gets resolved.
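A reference-resolution check of the kind the consumer tools mentioned above would perform, added here as an example and not code from lib4sbom or sbom4python. The SBOM it parses is constructed to mirror the fragment in the issue (metadata bom-ref `CDXRef-DOCUMENT`, package bom-ref `1-radon`), with a dependencies block and one deliberately dangling `dependsOn` value (`3-missing`) added so the dependency check has something to report:

```python
import json

# Constructed sample (not real sbom4python output) reproducing the shape in this
# issue: metadata bom-ref "CDXRef-DOCUMENT" with no matching component entry,
# plus a dependencies block; "3-missing" is a constructed dangling reference.
BROKEN_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application",
                             "bom-ref": "CDXRef-DOCUMENT", "name": "Python-radon"}},
  "components": [
    {"type": "application", "bom-ref": "1-radon", "name": "radon"},
    {"type": "library", "bom-ref": "2-colorama", "name": "colorama"}
  ],
  "dependencies": [
    {"ref": "CDXRef-DOCUMENT", "dependsOn": ["1-radon"]},
    {"ref": "1-radon", "dependsOn": ["2-colorama", "3-missing"]}
  ]
}
""")


def component_refs(components: list) -> set:
    """Collect every bom-ref, descending into nested 'components' lists."""
    refs = set()
    for comp in components:
        if "bom-ref" in comp:
            refs.add(comp["bom-ref"])
        refs |= component_refs(comp.get("components", []))
    return refs


def dangling_refs(sbom: dict) -> dict:
    """'metadata': the metadata component's bom-ref when no listed component
    carries it (the situation in this issue). 'dependencies': any ref/dependsOn
    value naming neither the metadata component nor a listed component."""
    known = component_refs(sbom.get("components", []))
    meta_ref = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    findings = {"metadata": [], "dependencies": []}
    if meta_ref is not None and meta_ref not in known:
        findings["metadata"].append(meta_ref)
    resolvable = known | ({meta_ref} if meta_ref else set())
    for dep in sbom.get("dependencies", []):
        for ref in [dep.get("ref"), *dep.get("dependsOn", [])]:
            if ref not in resolvable:
                findings["dependencies"].append(ref)
    return findings
```

Running `dangling_refs(BROKEN_SBOM)` flags `CDXRef-DOCUMENT` as unlinked and `3-missing` as unresolvable; setting both the metadata bom-ref and the package bom-ref to `1-radon`, as the reporter suggests, clears the metadata finding.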