Conversation

@kdt523 (Contributor) commented Oct 25, 2025

Ensure CycloneDX SBOM consistency across OSes by skipping root input file as a component

Description

Ensure CycloneDX SBOMs generated from a single file source (e.g., conan.lock) are consistent across OSes by not listing the root input file itself as a component.

Problem

On Linux, the CycloneDX SBOM could include the input lockfile (e.g., conan.lock) in the components list, while on Windows it wouldn’t.
The input document shouldn’t be treated as a “component.”

Fix

When the source under analysis is a single file (source.FileMetadata), skip emitting that exact file as a ComponentTypeFile in the CycloneDX components array.

Scope

Only affects CycloneDX component emission — package discovery and relationships remain unchanged.


Key Change

  • File: to_format_model.go
  • Change: During file-component enumeration, detect the source file path and skip adding a component for that path.

Behavioral Summary

Platform | Before                                              | After
Linux    | Components could include conan.lock                 | Components do not include the root input file
Windows  | Components typically did not include conan.lock     | Components do not include the root input file

Fixes #4242


Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • Documentation (updates the documentation)
  • Chore (improve the developer experience, fix a test flake, etc, without changing visible behavior of Syft)
  • Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

…nchore#4242)

- Skip adding the input source file itself to CycloneDX components list
- Ensures Linux and Windows produce consistent SBOMs without conan.lock as a component

Signed-off-by: kdt523 <[email protected]>

kdt523 force-pushed the fix/cyclonedx-skip-root-file-component-4242 branch from 2fa3c7b to 09ad8b0 on October 26, 2025 10:16
@kzantow (Contributor) commented Oct 27, 2025

Hey @kdt523 -- I haven't yet reviewed this, but I wanted to note that there is a fix for Windows that will probably make this behavior consistent, where both will include the file, at least fixing the inconsistency.

@kzantow (Contributor) commented Nov 12, 2025

Hey @kdt523 are you able to retest with the latest Syft? I believe the issue where Windows was not including the root file component should be resolved
