License object sometimes has "id" sometimes "name" when SBOM is created with version 0.65.0

[moyscode]

Description

License object sometimes has "id" sometimes "name" when SBOM is created with version 0.65.0.
This is leading to SBOM upload error when uploading the BOM to dependency track

Pic below shows the License object differences for the same item.

Desired Behavior

License object to have same type "id"/"name"

Actual Behavior

License object sometimes has "id" sometimes "name"

Reproduction Steps

Create SBOM for the item library "pkg:deb/ubuntu/[email protected]?arch=amd64&distro=ubuntu-24.04" & differences can be found.

Target

Container Image

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Debug Output

NA

Operating System

linux

Version

0.65.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @moyscode !

The mixing of id and name fields is discussed here #9313

[moyscode]

@nikpivkin I tried to revert back to 0.64.1 till it is fixed but it looks like that version is not available directly from ap-get install.
is downloading the .deb Package and unpacking is the way to go?

[DmitriyLewen]

You can install Trivy from release page - https://github.com/aquasecurity/trivy/releases/tag/v0.64.1

[moyscode]

The error message from Dependency track is as below. So It definitely looks like mixing of "name" & "id" withing the same "licences object is the issue.

{ "status": 400, "title": "The uploaded BOM is invalid", "detail": "Schema validation failed", "errors": [ "$.components[18].licenses: must be valid to one and only one schema, but 0 are valid",

[DmitriyLewen]

Related Issue #9376