You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'd expect both components to have licenses in the output. But what happens is that component "one" has the expected license, but component "two" does not have a license at all.
Interestingly enough, if I use --output=json, it looks like both components have licenses....
What happened:
Given a very minimal CycloneDX SBOM as input:
Note that in the input, component "two" has extra parenthesis around the SPDX expression (which are allowed by the SPDX spec, as far as I can tell).
Running syft SBOM cataloger and outputting to CycloneDX:
syft scan file:./test.cdx.json --output=cyclonedx-json --select-catalogers " sbom-cataloger"
What you expected to happen:
I'd expect both components to have licenses in the output. But what happens is that component "one" has the expected license, but component "two" does not have a license at all.
Interestingly enough, if I use
--output=json
, it looks like both components have licenses....Environment:
syft version
:cat /etc/os-release
or similar): MacOS 14.7.1The text was updated successfully, but these errors were encountered: