fix: read CycloneDX BOM components from metadata (#3092)

Signed-off-by: dervoeti <lukas.voetmand@stackable.tech>
2026-02-12 10:36:45 +01:00 · 2024-08-12 22:37:23 +02:00 · 2024-08-12 22:37:23 +02:00 · 3161e1847e
commit 3161e1847e
parent df1e5b57fe
4 changed files with 74 additions and 4 deletions
--- a/cmd/syft/internal/test/integration/sbom_metadata_component_test.go
+++ b/cmd/syft/internal/test/integration/sbom_metadata_component_test.go
@ -0,0 +1,25 @@
+package integration
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/anchore/syft/syft/pkg"
+	"github.com/anchore/syft/syft/source"
+)
+
+func TestSbomMetadataComponent(t *testing.T) {
+	sbom, _ := catalogFixtureImage(t, "image-sbom-metadata-component", source.SquashedScope, "+sbom-cataloger")
+
+	expectedPkgs := []string{"first-subcomponent", "main-component"}
+	foundPkgs := []string{}
+
+	for sbomPkg := range sbom.Artifacts.Packages.Enumerate(pkg.JavaPkg) {
+		foundPkgs = append(foundPkgs, sbomPkg.Name)
+	}
+
+	// check if both the package in `.metadata.component` and the one in `.components` were found
+	if !reflect.DeepEqual(expectedPkgs, foundPkgs) {
+		t.Errorf("expected packages %v, got %v", expectedPkgs, foundPkgs)
+	}
+}
--- a/cmd/syft/internal/test/integration/test-fixtures/image-sbom-metadata-component/Dockerfile
+++ b/cmd/syft/internal/test/integration/test-fixtures/image-sbom-metadata-component/Dockerfile
@ -0,0 +1,2 @@
+FROM scratch
+COPY test.cdx.json /
--- a/cmd/syft/internal/test/integration/test-fixtures/image-sbom-metadata-component/test.cdx.json
+++ b/cmd/syft/internal/test/integration/test-fixtures/image-sbom-metadata-component/test.cdx.json
@ -0,0 +1,32 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.5",
+  "serialNumber" : "urn:uuid:dc807d4b-0415-35ab-ba61-49b5d39bc2d9",
+  "version" : 1,
+  "metadata" : {
+    "component" : {
+      "name" : "main-component",
+      "version" : "1.2.3",
+      "purl" : "pkg:maven/org.example/main-component@1.2.3",
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.example/main-component@1.2.3"
+    }
+  },
+  "components" : [
+    {
+      "name" : "first-subcomponent",
+      "version" : "2.3.4",
+      "purl" : "pkg:maven/org.example/first-subcomponent@2.3.4",
+      "type" : "library",
+      "bom-ref" : "pkg:maven/org.example/first-subcomponent@2.3.4"
+    }
+  ],
+  "dependencies" : [
+    {
+      "ref" : "pkg:maven/org.example/main-component-assembly@1.2.3",
+      "dependsOn" : [
+        "pkg:maven/org.example/first-subcomponent@2.3.4"
+      ]
+    }
+  ]
+}
--- a/syft/format/internal/cyclonedxutil/helpers/decoder.go
+++ b/syft/format/internal/cyclonedxutil/helpers/decoder.go
@ -39,12 +39,23 @@ func ToSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
 }

 func collectBomPackages(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]interface{}) error {
-	if bom.Components == nil {
+	componentsPresent := false
+	if bom.Components != nil {
+		for i := range *bom.Components {
+			collectPackages(&(*bom.Components)[i], s, idMap)
+		}
+		componentsPresent = true
+	}
+
+	if bom.Metadata != nil && bom.Metadata.Component != nil {
+		collectPackages(bom.Metadata.Component, s, idMap)
+		componentsPresent = true
+	}
+
+	if !componentsPresent {
 		return fmt.Errorf("no components are defined in the CycloneDX BOM")
 	}
-	for i := range *bom.Components {
-		collectPackages(&(*bom.Components)[i], s, idMap)
-	}
+
 	return nil
 }