Description
What happened:
When generating a CycloneDX SBOM for a Node.js runtime environment, the SBOM is missing components for dependencies that were found.
```json
{
  "dependencies": [
    {
      "ref": "pkg:nuget/Microsoft.JavaScript.Hermes@0.1.23?package-id=205e946433a4b2a8",
      "dependsOn": [
        "pkg:nuget/microsoft.reactnative?package-id=c69beacca8d59ab1"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.JavaScript.Hermes@0.1.23?package-id=bed33e0ec05572b4",
      "dependsOn": [
        "pkg:nuget/microsoft.reactnative?package-id=98356cdad9c7d50f"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.UI.Xaml@2.8.0?package-id=e87ac46c329bea53",
      "dependsOn": [
        "pkg:nuget/microsoft.reactnative?package-id=c69beacca8d59ab1"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.Web.WebView2@1.0.1264.42?package-id=46e8c240d3ab386a",
      "dependsOn": [
        "pkg:nuget/Microsoft.UI.Xaml@2.8.0?package-id=e87ac46c329bea53"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.Windows.SDK.BuildTools@10.0.22621.756?package-id=91ea7a1243be1346",
      "dependsOn": [
        "pkg:nuget/Microsoft.WindowsAppSDK@1.5.240227000?package-id=19c6158554d3cf14"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.WindowsAppSDK@1.5.240227000?package-id=19c6158554d3cf14",
      "dependsOn": [
        "pkg:nuget/microsoft.reactnative?package-id=98356cdad9c7d50f"
      ]
    },
    {
      "ref": "pkg:nuget/boost@1.83.0?package-id=5ed209f6c5f96b57",
      "dependsOn": [
        "pkg:nuget/common?package-id=26c1efa45aeb6b50",
        "pkg:nuget/folly?package-id=e135b54fa1d2b788",
        "pkg:nuget/microsoft.reactnative?package-id=98356cdad9c7d50f",
        "pkg:nuget/reactcommon?package-id=32aa3702585eac5e"
      ]
    },
    {
      "ref": "pkg:nuget/boost@1.83.0?package-id=673db237af0ca7c7",
      "dependsOn": [
        "pkg:nuget/common?package-id=0676f9089dfbf815",
        "pkg:nuget/folly?package-id=6e79d6e34c9cea55",
        "pkg:nuget/microsoft.reactnative?package-id=c69beacca8d59ab1",
        "pkg:nuget/reactcommon?package-id=0e6e25acd9466060"
      ]
    },
    {
      "ref": "pkg:nuget/fmt?package-id=79bd16e2078f89d9",
      "dependsOn": [
        "pkg:nuget/folly?package-id=6e79d6e34c9cea55"
      ]
    },
    {
      "ref": "pkg:nuget/fmt?package-id=f67d2603eb0108f6",
      "dependsOn": [
        "pkg:nuget/folly?package-id=6e79d6e34c9cea55"
      ]
    }
  ]
}
```
The dependency `pkg:nuget/fmt?package-id=79bd16e2078f89d9` does not have a component defined within the SBOM, which leads to a CycloneDX validation error:

```text
One or more Components have Dependency references to Components/Services that are not known in this BOM. They are: {<BomRef 'pkg:nuget/fmt?package-id=79bd16e2078f89d9' id=1712923817328>}
```
What you expected to happen:
There should be a matching component defined for each dependency in the SBOM.
Steps to reproduce the issue:
Below is a simple `package.json` which will reproduce the issue:

```json
{
  "name": "sbom_missing_component",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@react-native-community/slider": "^4.5.6",
    "react-native-svg": "^15.11.2"
  }
}
```
Once the `package.json` is created in a directory, run `npm install`.

Scan the directory:

```shell
syft scan sbom_missing_component --output cyclonedx-json=sbom_missing_component.json
```
Anything else we need to know?:
CycloneDX validation was performed using `cyclonedx-python-lib` version 11.0.0.
Environment:
- Output of `node -v`: 20.10.0
- Output of `npm -v`: 10.2.3
- Output of `syft version`: 1.31.0
- OS (e.g. `cat /etc/os-release` or similar):

```text
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.22.1
PRETTY_NAME="Alpine Linux v3.22"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
```
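The validation error reported above comes down to one structural rule of CycloneDX: every `ref` and every `dependsOn` entry in the `dependencies` array must resolve to a `bom-ref` declared somewhere in the BOM (a component, a nested sub-component, a service, or `metadata.component`). The following checker is an added example, not code from the issue, from syft or from cyclonedx-python-lib; it reimplements that single check in plain Python so it can be run offline against any CycloneDX JSON file. `SAMPLE_BOM` is a constructed fragment trimmed from the reporter's output, with only the second `fmt` entry given a component, so it reproduces the dangling `pkg:nuget/fmt?package-id=79bd16e2078f89d9` reference.

```python
"""Find dependency refs in a CycloneDX JSON BOM that no component declares.

Added example (not part of the syft issue, syft, or cyclonedx-python-lib).
It reproduces the "Dependency references to Components/Services that are not
known in this BOM" check without any third-party library.
"""
import json
import sys
from typing import Dict, Iterable, List, Set


def _collect_bom_refs(components: Iterable[dict]) -> Set[str]:
    """Return every bom-ref in a component list, descending into nested
    `components` (CycloneDX lets a component carry sub-components)."""
    refs: Set[str] = set()
    for comp in components:
        ref = comp.get("bom-ref")
        if ref:
            refs.add(ref)
        refs |= _collect_bom_refs(comp.get("components", []))
    return refs


def known_refs(bom: dict) -> Set[str]:
    """All bom-refs a dependency entry may legitimately point at:
    metadata.component, components (recursively) and services."""
    refs = _collect_bom_refs(bom.get("components", []))
    refs |= _collect_bom_refs(bom.get("services", []))
    root = bom.get("metadata", {}).get("component")
    if root and root.get("bom-ref"):
        refs.add(root["bom-ref"])
    return refs


def dangling_dependency_refs(bom: dict) -> Dict[str, List[str]]:
    """Map each unknown bom-ref to the dependency entries that mention it.

    Both the `ref` of a dependency entry and each of its `dependsOn` values
    must resolve to a known bom-ref; an entry whose own `ref` is unknown is
    reported as mentioned by itself.
    """
    known = known_refs(bom)
    dangling: Dict[str, List[str]] = {}
    for entry in bom.get("dependencies", []):
        ref = entry.get("ref")
        for candidate in [ref] + list(entry.get("dependsOn", [])):
            if candidate and candidate not in known:
                dangling.setdefault(candidate, []).append(ref)
    return dangling


def check_file(path: str) -> Dict[str, List[str]]:
    """Load a CycloneDX JSON file from disk and run the check on it."""
    with open(path, encoding="utf-8") as fh:
        return dangling_dependency_refs(json.load(fh))


# Constructed sample: a trimmed version of the BOM fragment in the issue. Only
# the second fmt entry has a matching component, as the reporter observed.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "folly", "purl": "pkg:nuget/folly",
         "bom-ref": "pkg:nuget/folly?package-id=6e79d6e34c9cea55"},
        {"type": "library", "name": "fmt", "purl": "pkg:nuget/fmt",
         "bom-ref": "pkg:nuget/fmt?package-id=f67d2603eb0108f6"},
    ],
    "dependencies": [
        {"ref": "pkg:nuget/fmt?package-id=79bd16e2078f89d9",
         "dependsOn": ["pkg:nuget/folly?package-id=6e79d6e34c9cea55"]},
        {"ref": "pkg:nuget/fmt?package-id=f67d2603eb0108f6",
         "dependsOn": ["pkg:nuget/folly?package-id=6e79d6e34c9cea55"]},
    ],
}


if __name__ == "__main__":
    # Usage: python check_bom.py sbom_missing_component.json
    # With no argument the constructed sample above is checked instead.
    problems = check_file(sys.argv[1]) if len(sys.argv) > 1 else \
        dangling_dependency_refs(SAMPLE_BOM)
    for ref, mentioned_by in sorted(problems.items()):
        print(f"unknown bom-ref {ref} (referenced from: {', '.join(mentioned_by)})")
    sys.exit(1 if problems else 0)
```

Running it against the real `sbom_missing_component.json` produced by the syft command above lists every dangling reference and exits non-zero, which makes it usable as a gate in a pipeline before the BOM is handed to a downstream validator or vulnerability scanner. Note that the checker is deliberately narrower than `cyclonedx-python-lib` (it validates only reference integrity, not the full schema), and it treats a BOM with an empty `dependencies` array as clean.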