Syft generates duplicate "components" and "dependencies" lists in CycloneDX JSON file

[dms00]

What happened:
Syft generates a CycloneDX-JSON SBOM with two "components" and two "dependencies" sections and each one appears to contain the same list of components and dependencies. This is causing Grype (and also how the issue was discovered) to throw an error that the JSON is invalid.

This occurs when explicitly specifying the scan scheme to be "registry:..." (and maybe others), but does not occur when scanning "dir:..." for example. It occurs when using a ".syft.yaml" config file with the "output" key set to "cyclonedx-json". If I also specify "-o cyclonedx-json" on the command line, the problem disappears.

What you expected to happen:
Syft should generate a CycloneDX JSON that contains one top-level "components" section and one top-level "dependencies" section.

Steps to reproduce the issue:
Preconditions. You'll need to have a registry setup with a suitable image to test on. I'm testing with the standard Debian image: docker.io/library/debian stable 678d881964f7 4 weeks ago 124 MB in my Ubuntu environment.

1. Create the syft config file:
   syft config > ~/.syft.yaml
2. Modify the syft config file to change the "output:" key to be "cyclonedx-json". diff patch of this change:

--- .syft.yaml.orig     2025-10-30 15:20:36.842628077 +0100
+++ .syft.yaml  2025-10-30 15:29:23.476844318 +0100
@@ -24,7 +24,7 @@
#   - "syft-json=<syft-json-output-file>"
#   - "spdx-json=<spdx-json-output-file>" (env: SYFT_OUTPUT)
output:
-  - 'syft-table'
+  - 'cyclonedx-json'

# file to write the default report output to (default is STDOUT) (env: SYFT_LEGACYFILE)
legacyFile: ''

3. Execute syft as follows:
   syft scan registry:docker.io/library/debian:stable | jq . > debian-sbom.json
   The jq is there to make it readable, but isn't a required part of the execution.

4. Examine the resulting SBOM file. If the error has occurred you will find the file has duplicate "components" and "dependencies" objects. Also, if you attempt to feed this file into grype, you'll get the following error:
   [0000] ERROR failed to catalog: unable to decode sbom: unable to decode cyclonedx json document: invalid character '{' after top-level value

Anything else we need to know?:

The issue does not occur if I add the -o "cyclonedx-json" option to the syft command line. Also, the issue does not occur for some scan schemes, such as "file" and "dir", but I haven't tried to determine the complete set of schemes affected.

Environment:

• Output of syft version:

Application:   syft
Version:       1.34.2
BuildDate:     2025-10-16T12:19:31Z
GitCommit:     0c98a364d503789ff8d7f122763bb8748de9772f
GitDescription: v1.34.2
Platform:      linux/amd64
GoVersion:     go1.24.7
Compiler:      gc
SchemaVersion: 16.0.40

• OS (e.g: cat /etc/os-release or similar):

PRETTY_NAME="Ubuntu 24.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.3 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

Running in WSL2 on Windows11

[kzantow]

I tried using the exact commands provided, but am unable to reproduce this with 1.36.0 on macOS here. Is this exclusive to WSL2 on Windows 11? Could you retry with the latest version, please and confirm it still occurs? Also, this seems like there may be an issue with WSL pipes -- please try outputting the file directly, e.g. syft scan registry:docker.io/library/debian:stable --file debian.sbom.json

[dms00]

Yes, it still occurs on 1.36.0 as I described, but it does not occur if I use the --file option.

When I use the --file option, I get the message "Flag --file has been deprecated, use: --output FORMAT=PATH", which indicates to me that the --file option is likely tickling the same code path that as the -o option.

It definitely could be a WSL2 issue.

[kzantow]

I think the issue may be that you have multiple configuration files, each specifying different output: options, none of which specifying an output file, so Syft is just generating both to stdout. If you run syft config locations it should show you all the locations to look for files (it only shows .yaml, but syft supports many extensions like .json or .toml, so look for all these). We should definitely not output multiple formats combined like this, but for now I suspect you would be able to find and remove one of the configurations to fix this.

[dms00]

None of the locations listed by syft config locations have any sort of syft files, json, yaml or otherwise, except for the one file I outlined in my steps, ~/.syft.yaml. And even if it were the case, how would that explain why it only produces a duplicate of the "components" and "dependencies" objects, but not duplicates of all the other items stored in the top-level of the JSON output? And why would it only happen with the "registry" scheme and not with the "dir" scheme?

[dms00]

Quick update. I couldn't rule out that something was just wrong with my WSL distribution, so I setup a new Ubuntu-22.04 WSL distro, installed podman, syft 1.36.0, pulled the debian image, created the syft config, updated, and I get the same result. Duplicate "components" and "dependencies".

[dms00]

Okay, first off, I was mistaken about something. You don't need to modify the .syft.yaml config file for this issue to occur. Even if you leave it as it is produced with output set to syft-table the issue occurs. I never use that output format, so I wasn't paying attention, but it produces the table twice in the output (including the column header).
Also, I've confirmed this is not a WSL only issue. I just reproduced the issue on a freshly created Ubuntu-24.04 VM running in our lab using the default syft-table output.

[dms00]

By running the command with -vv I've been able to understand what's happening here. I only have one config file, /home/dms00/.syft.yaml, but syft is attempting to load config files as .syft.yaml (local directory) followed by /home/$USER/.syft.yaml, etc. When I ran registry scans I was running in my home directory, so it's loading the same .syft.yaml file twice, as if I have two configs. First, .syft.yaml in local dir, then /home/$USER/.syft.yaml. Here's what the first part of the debug output looks like:

$ syft scan registry:docker.io/library/debian:stable -vv > deb-sbom3.txt
[0000]  INFO syft version: 1.36.0
[0000] DEBUG config:
  log:
      quiet: false
      level: debug
      file: ""
  dev:
      profile: none
  config: .syft.yaml,/home/dms00/.syft.yaml
  output:
      - syft-table
      - syft-table
  format:
      ...

[kzantow]

So you're running Syft from your home directory where the config exists and it's picking that one up twice. Seems like a few things to clean up here. Thanks for getting to the bottom of it!

It seems like there are a couple simple solutions, one would be to simply move the config file to ~/.config/syft/config.yaml, presuming you aren't running from the same directory, or specify the output format on the CLI.

Sorry for the trouble, but thanks again for helping to figure it out!

Dev note: need to add validation for multiple outputs to stdout, rather than outputting invalid contents.