Description
Hey,
I'm not sure if this is intentional or an oversight, but while using the DependencyGraph.GetSBOM() function from the GitHub client (go-github/github/dependency_graph.go, line 67 at 718c304):

```go
func (s *DependencyGraphService) GetSBOM(ctx context.Context, owner, repo string) (*SBOM, *Response, error) {
```
I noticed that the returned SBOMInfo struct is missing important fields, like the relationships section completely and part of the package information such as externalRefs. These are critical for understanding dependency relationships and for identifying known vulnerabilities using identifiers like PURL, CPE, or SWID.
Here’s how I’m calling it:

```go
dependencyGraph, _, err := client.DependencyGraph.GetSBOM(ctx.Context, owner, repo)
```
Here’s the SBOM I get from this function: https://gist.github.com/viveksahu26/de932a7a4dcc00c6337cec1f7c287b1a
However, when I fetch the SBOM directly using GitHub’s REST API as documented here: https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28#export-a-software-bill-of-materials-sbom-for-a-repository
I receive a complete SBOM with all the expected details, including relationships and externalRefs: https://gist.github.com/viveksahu26/b9b53b236fcf9a248e8e4b27ad41f98f
It seems like go-github might be missing logic to fully parse or include these fields from the API response. Could this be looked into?
go-github/github/dependency_graph.go, line 43 at 718c304:

```go
type SBOMInfo struct {
	SPDXID            *string             `json:"SPDXID,omitempty"`
	SPDXVersion       *string             `json:"spdxVersion,omitempty"`
	CreationInfo      *CreationInfo       `json:"creationInfo,omitempty"`
	// Repo name
	Name              *string             `json:"name,omitempty"`
	DataLicense       *string             `json:"dataLicense,omitempty"`
	DocumentDescribes []string            `json:"documentDescribes,omitempty"`
	DocumentNamespace *string             `json:"documentNamespace,omitempty"`
	// List of packages dependencies
	Packages          []*RepoDependencies `json:"packages,omitempty"`
}
```
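The mechanism behind the report above is that encoding/json silently discards any JSON key the target struct does not declare, so a decode into SBOMInfo keeps the keys it maps and drops `relationships` (and, inside each package, `externalRefs`). The following is an added example written for this page, not code from go-github or from the issue author. It models the SPDX 2.3 document the REST endpoint returns with the two missing parts declared, reports which top-level keys the narrow struct would lose, and then does the two things the issue says the fields are needed for: pulling the PURL for each package and walking DEPENDS_ON relationships. The JSON document embedded as `SampleSBOM` is constructed for the example and is not a real API capture; the repository and package names in it are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ExternalRef carries the identifiers a scanner matches against advisories
// (referenceType "purl", "cpe23Type", "swid", ...). Not a go-github type.
type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
}

type Package struct {
	Name         string        `json:"name"`
	SPDXID       string        `json:"SPDXID"`
	VersionInfo  string        `json:"versionInfo"`
	ExternalRefs []ExternalRef `json:"externalRefs"`
}

type Relationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
	RelationshipType   string `json:"relationshipType"`
}

// SPDXDocument declares the two parts the issue says SBOMInfo lacks:
// per-package externalRefs and the top-level relationships array.
type SPDXDocument struct {
	SPDXID            string         `json:"SPDXID"`
	SPDXVersion       string         `json:"spdxVersion"`
	Name              string         `json:"name"`
	DocumentDescribes []string       `json:"documentDescribes"`
	Packages          []Package      `json:"packages"`
	Relationships     []Relationship `json:"relationships"`
}

// The endpoint wraps the document as {"sbom": {...}}.
type sbomResponse struct {
	SBOM SPDXDocument `json:"sbom"`
}

// SampleSBOM is a constructed response shaped like the REST API output; the
// names and versions are placeholders, not a real capture.
const SampleSBOM = `{"sbom":{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.3",
"name":"com.github.example/repo","documentDescribes":["SPDXRef-Package-example-repo"],
"packages":[
 {"name":"com.github.example/repo","SPDXID":"SPDXRef-Package-example-repo","versionInfo":"main",
  "externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:github/example/repo"}]},
 {"name":"golang.org/x/crypto","SPDXID":"SPDXRef-Package-go-golang.org-x-crypto","versionInfo":"0.21.0",
  "externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/golang.org/x/crypto@0.21.0"}]},
 {"name":"github.com/stretchr/testify","SPDXID":"SPDXRef-Package-go-github.com-stretchr-testify","versionInfo":"1.9.0",
  "externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:golang/github.com/stretchr/testify@1.9.0"}]}],
"relationships":[
 {"spdxElementId":"SPDXRef-DOCUMENT","relatedSpdxElement":"SPDXRef-Package-example-repo","relationshipType":"DESCRIBES"},
 {"spdxElementId":"SPDXRef-Package-example-repo","relatedSpdxElement":"SPDXRef-Package-go-golang.org-x-crypto","relationshipType":"DEPENDS_ON"},
 {"spdxElementId":"SPDXRef-Package-example-repo","relatedSpdxElement":"SPDXRef-Package-go-github.com-stretchr-testify","relationshipType":"DEPENDS_ON"}]}}`

// narrowFields are the JSON keys SBOMInfo maps, taken from the struct tags
// quoted above; any other key in the response is ignored by encoding/json.
var narrowFields = map[string]bool{
	"SPDXID": true, "spdxVersion": true, "creationInfo": true, "name": true,
	"dataLicense": true, "documentDescribes": true, "documentNamespace": true, "packages": true,
}

func ParseSBOM(data []byte) (*SPDXDocument, error) {
	var r sbomResponse
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	return &r.SBOM, nil
}

// DroppedTopLevelKeys lists the keys of the sbom object that a decode into
// SBOMInfo would silently discard. Run it on a real response to confirm the loss.
func DroppedTopLevelKeys(data []byte) ([]string, error) {
	var r struct {
		SBOM map[string]json.RawMessage `json:"sbom"`
	}
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, err
	}
	var dropped []string
	for k := range r.SBOM {
		if !narrowFields[k] {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped)
	return dropped, nil
}

// PackageURLs maps each package's SPDXID to its purl external reference.
func PackageURLs(doc *SPDXDocument) map[string]string {
	out := make(map[string]string)
	for _, p := range doc.Packages {
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType == "purl" {
				out[p.SPDXID] = ref.ReferenceLocator
			}
		}
	}
	return out
}

// DependsOn returns the SPDXIDs the given element DEPENDS_ON, sorted, by
// walking the relationships array instead of assuming a flat package list.
func DependsOn(doc *SPDXDocument, spdxID string) []string {
	var deps []string
	for _, rel := range doc.Relationships {
		if rel.SPDXElementID == spdxID && rel.RelationshipType == "DEPENDS_ON" {
			deps = append(deps, rel.RelatedSPDXElement)
		}
	}
	sort.Strings(deps)
	return deps
}

func main() {
	doc, err := ParseSBOM([]byte(SampleSBOM))
	if err != nil {
		panic(err)
	}
	dropped, _ := DroppedTopLevelKeys([]byte(SampleSBOM))
	fmt.Println("top-level keys SBOMInfo would drop:", dropped)
	for id, purl := range PackageURLs(doc) {
		fmt.Printf("%s -> %s\n", id, purl)
	}
	for _, root := range doc.DocumentDescribes {
		fmt.Println(root, "DEPENDS_ON", DependsOn(doc, root))
	}
}
```

Until the library's struct carries these fields, the same `SPDXDocument` can be used as the decode target for a request to the endpoint the issue links (`repos/{owner}/{repo}/dependency-graph/sbom`) built with the client's generic request methods, so no information is lost between the raw response and the caller.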