voltone / sbom

Mix task to generate a Software Bill-of-Materials (SBoM) in CycloneDX format
BSD 3-Clause "New" or "Revised" License

Sbom missing primary component #7

Open TraceyOnim opened 2 years ago

TraceyOnim commented 2 years ago

When feeding bom.xml into other SBOM tools, they complain that the file fails CycloneDX checks. This is because it's missing the primary component (the component in the metadata), i.e.

<metadata>
        <timestamp>2022-02-28T07:23:43.664Z</timestamp>
        <tools>
            <tool>
                <vendor>CycloneDX</vendor>
                <name>Node.js module</name>
                <version>3.4.1</version>
            </tool>
        </tools>
        <component type="library">
            <name>NO-NAME-PACKAGE</name>
            <version/>
            <description>
                <![CDATA[ ]]>
            </description>
            <licenses>
                <license>
                    <id>MIT</id>
                </license>
            </licenses>
        </component>
    </metadata>

The example above is a generated bom file with a primary component.

TraceyOnim commented 2 years ago

@voltone please let me know if this makes sense, or if there is a reason behind the primary component not being included in the metadata, and whether it would be doable.

voltone commented 2 years ago

Hmm, according to the spec this element is optional:

  <xs:element name="component" type="bom:component" minOccurs="0">
    <xs:annotation>
      <xs:documentation>The component that the BOM describes.</xs:documentation>
    </xs:annotation>
  </xs:element>

It might make sense to add it, but I don't think other tools should fail to process a file that doesn't include it. Does the other tool support CycloneDX 1.1? That might work around the issue for now...

sigu commented 2 years ago

What is this "The component that the BOM describes"? Is it the application or library that we are running the bom from?

joshprice commented 1 year ago

@joestein pointed out that this currently prevents GUAC from ingesting Elixir SBoMs. See this issue for more info: https://github.com/guacsec/guac/issues/1162
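As an added example (not code from the voltone/sbom project or from any commenter), the following is a pre-ingestion check a consumer could run on bom.xml to see whether the primary component the XSD annotation above calls "the component that the BOM describes" is present and populated. The sample BOM embedded below is constructed for this example and mirrors the shape quoted in the first comment; the function name and finding strings are this example's own.

```python
# Added example, not code from the voltone/sbom project: a pre-ingestion check
# that a consumer could run on bom.xml before handing it to a tool that
# insists on metadata/component. The sample BOM below is constructed for this
# example and mirrors the shape quoted in the issue.
import xml.etree.ElementTree as ET

# Constructed sample: a CycloneDX 1.4 BOM whose primary component carries an
# empty <version/>, like the Node.js-generated example in the issue.
SAMPLE_BOM = """<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <timestamp>2022-02-28T07:23:43.664Z</timestamp>
    <component type="library">
      <name>NO-NAME-PACKAGE</name>
      <version/>
    </component>
  </metadata>
  <components/>
</bom>"""


def _local(tag: str) -> str:
    # Strip the namespace so the check works for any CycloneDX schema version.
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def check_primary_component(xml_text: str) -> list:
    """Return findings about metadata/component; an empty list means it is usable."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "bom":
        return ["root element is not <bom>"]
    metadata = _child(root, "metadata")
    if metadata is None:
        return ["<metadata> element is missing"]
    component = _child(metadata, "component")
    if component is None:
        return ["metadata/component (primary component) is missing"]
    findings = []
    if not component.get("type"):
        findings.append("primary component has no type attribute")
    for field in ("name", "version"):
        node = _child(component, field)
        if node is None or not (node.text or "").strip():
            findings.append(f"primary component has empty or missing <{field}>")
    return findings


if __name__ == "__main__":
    print(check_primary_component(SAMPLE_BOM) or ["primary component OK"])
```

Run against the constructed sample it reports the empty `<version/>`; against a BOM with no `<metadata>` at all it reports that element as missing, which is the case the thread is about.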