docker / sbom-cli-plugin

Plugin for Docker CLI to support SBOM creation using Syft
Apache License 2.0
154 stars, 15 forks

Syft version is [not provided] in most formats #20

Closed ribbybibby closed 2 years ago

ribbybibby commented 2 years ago

Most formats do not record the version of Syft used. The version is reported as [not provided].

For instance, with cyclonedx-json:

$ docker sbom --version
sbom-cli-plugin 0.6.0, build 741c56e0db8c65d853f18e0a9b23287d33b30e05

$ docker sbom alpine:latest --format cyclonedx-json | jq -r .metadata.tools
[
  {
    "vendor": "anchore",
    "name": "syft",
    "version": "[not provided]"
  }
]

Looking at the upstream code, I think this is down to the fact that some/most formats don't respect the Descriptor.Version field in the SBOM and just use version.FromBuild().Version which won't be populated when using syft as a library.

Here's a table comparing all the formats. A 🟢 indicates that it reports the expected version; a 🔴 indicates a missing version.

| Format | Pass/Fail | Notes |
|---|---|---|
| syft-json | 🟢 | |
| cyclonedx-xml | 🔴 | |
| cyclonedx-json | 🔴 | |
| github-0-json | 🔴 | Reports 0.0.0-dev |
| spdx-tag-value | 🔴 | |
| spdx-json | 🔴 | |
| table | 🟢 | N/A |
| text | 🟢 | N/A |

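A missing generator version weakens an SBOM as a provenance record: consumers cannot tell which Syft release (and therefore which cataloguers and known gaps) produced it. The following check is an added example, not code from docker/sbom-cli-plugin or Syft; it reads a set of JSON SBOMs and reports whether each one records a usable tool version, treating the two placeholders seen in this issue (`[not provided]` and `0.0.0-dev`) as missing. The CycloneDX path (`.metadata.tools[].version`) is the one shown above; the field locations for syft-json (`descriptor.version`), SPDX JSON (`creationInfo.creators` entries of the form `Tool: name-version`) and the GitHub snapshot format (`detector.version`) are assumptions about those formats, and all sample documents are constructed.

```python
"""Check whether JSON SBOMs record the version of the tool that produced them.

Added example (not code from docker/sbom-cli-plugin or Syft). Only the CycloneDX
field path comes from the issue; the other field locations are assumptions.
"""
import json

# Placeholder values this issue reports when the version was never populated.
MISSING_SENTINELS = {"", "[not provided]", "0.0.0-dev"}


def _normalize(version):
    """Return the version string, or None when absent or a known placeholder."""
    if version is None:
        return None
    version = str(version).strip()
    return None if version in MISSING_SENTINELS else version


def tool_version(doc):
    """Return the generating tool's version recorded in an SBOM dict, or None.

    The format is detected from top-level keys rather than from a filename.
    """
    # syft-json: {"descriptor": {"name": "syft", "version": "..."}} (assumed location)
    if "descriptor" in doc:
        return _normalize(doc["descriptor"].get("version"))
    # CycloneDX JSON: {"metadata": {"tools": [{"vendor", "name", "version"}]}} (from the issue)
    if doc.get("bomFormat") == "CycloneDX":
        tools = doc.get("metadata", {}).get("tools", [])
        # CycloneDX 1.5 allows tools to be an object holding "components"; accept both shapes.
        if isinstance(tools, dict):
            tools = tools.get("components", [])
        for tool in tools:
            version = _normalize(tool.get("version"))
            if version:
                return version
        return None
    # SPDX JSON: creationInfo.creators holds strings such as "Tool: syft-1.2.3" (assumed)
    if "spdxVersion" in doc:
        for creator in doc.get("creationInfo", {}).get("creators", []):
            if creator.startswith("Tool:"):
                name_version = creator[len("Tool:"):].strip()
                if "-" in name_version:
                    return _normalize(name_version.rsplit("-", 1)[1])
                return None
        return None
    # GitHub dependency snapshot: {"detector": {"name", "version", "url"}} (assumed)
    if "detector" in doc:
        return _normalize(doc["detector"].get("version"))
    return None


def audit(documents):
    """Map each labelled raw JSON SBOM to its recorded tool version (None == missing)."""
    return {label: tool_version(json.loads(raw)) for label, raw in documents.items()}


# Constructed sample SBOM fragments, trimmed to the fields the check reads.
SAMPLES = {
    "syft-json": '{"descriptor": {"name": "syft", "version": "0.46.0"}, "artifacts": []}',
    "cyclonedx-json": '{"bomFormat": "CycloneDX", "specVersion": "1.4", '
                      '"metadata": {"tools": [{"vendor": "anchore", "name": "syft", '
                      '"version": "[not provided]"}]}}',
    "spdx-json": '{"spdxVersion": "SPDX-2.2", "creationInfo": {"creators": '
                 '["Organization: Anchore, Inc", "Tool: syft-[not provided]"]}}',
    "github-0-json": '{"version": 0, "detector": {"name": "syft", "version": "0.0.0-dev", '
                     '"url": "https://github.com/anchore/syft"}}',
}

if __name__ == "__main__":
    for label, version in audit(SAMPLES).items():
        print(f"{label:15} {'ok     ' if version else 'MISSING'} {version or ''}")
```

Run against real output by replacing `SAMPLES` with the documents your pipeline emits (for example `docker sbom <image> --format cyclonedx-json`); a CI gate that fails on `None` catches the regression described in this issue before an SBOM with an unknown generator is published.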
jonasagx commented 2 years ago

@ribbybibby thank you for reporting this problem and researching possible root causes. As you mentioned this is a Syft issue, so I will continue this thread on https://github.com/anchore/syft/issues/1010.