No enrichment for nested components in CycloneDX

[StefanFl]

CycloneDX SBOMs can have components embedded in a component, see https://cyclonedx.org/docs/1.5/json/#components_items_components. I have generated a SBOM with cyclonedx-npm and got this:

        {
            "type": "library",
            "bom-ref": "match-sorter@6.3.4",
            "supplier": {
                "name": "Kent C. Dodds",
                "url": [
                    "https://kentcdodds.com"
                ]
            },
            "author": "Kent C. Dodds",
            "name": "match-sorter",
            "version": "6.3.4",
            "description": "Simple, expected, and deterministic best-match sorting of an array in JavaScript",
            "licenses": [
                {
                    "expression": "MIT"
                }
            ],
            "purl": "pkg:npm/match-sorter@6.3.4",
            "components": [
                {
                    "type": "library",
                    "bom-ref": "match-sorter@6.3.4|remove-accents@0.5.0",
                    "name": "remove-accents",
                    "version": "0.5.0",
                    "purl": "pkg:npm/remove-accents@0.5.0"
                }
            ]
        },

This example contains information gathered by Parlay for the match-sorter, but nothing was found for the included remove-accents.

Would it possible for Parlay to traverse through the components?

[mcombuechen]

Hey @StefanFl thanks for bringing this up, it is definitely something we'd like parlay to be able to support. I'll keep this issue open to track progress on this.

[mcombuechen]

This likely also applies to the Snyk enricher. In addition, the root component (.metadata.component) is not being taken into account. Technically that's yet another issue but we could solve this here as well.

@StefanFl just letting you know that a fix is on the way.

[StefanFl]

Thank you very much for fixing it so quickly, works perfectly.