Error while SBOM's parsing of MetadataComponent when JSON generated by syft

[bedla]

Description

Hi,

I am having spring-boot generated application which has Image build using buildpacks. Buildpack internally use syft to generate SBOM and then output files put into layer's filesystem.

What I found is that those files cannot be parsed by Trivy because of unsupported MetadataComponent type == file.

When I run syft agains Docker Image there is no error, when I run syft against filesystem, then I get error.

Please take a look into PR #9372 for details.

Thx

Ivos

Desired Behavior

no error

Actual Behavior

error thrown - see debug output

Reproduction Steps

1. create spring boot application and build it
2. generate SBOM `syft scan C:\dev\IdeaProjects\sample-spring-boot\target\demo-0.0.1-SNAPSHOT.jar -o cyclonedx-json`
3. and run Trivy scan - see Debug output for command

Note: when I run syft scan docker.io/library/demo:0.0.1-SNAPSHOT -o cyclonedx-json against Docker Image, Trivy does not fail. For difference, see PR test files.

Target

SBOM

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

$ trivy sbom --debug --scanners vuln C:\Users\IvoŠmíd\AppData\Roaming\JetBrains\GoLand2025.2\scratches\scratch_11.json

2025-08-22T14:56:54+02:00	DEBUG	No plugins loaded
2025-08-22T14:56:54+02:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-08-22T14:56:54+02:00	DEBUG	Cache dir	dir="C:\\Users\\IvoŠmíd\\AppData\\Local\\trivy"
2025-08-22T14:56:54+02:00	DEBUG	Cache dir	dir="C:\\Users\\IvoŠmíd\\AppData\\Local\\trivy"
2025-08-22T14:56:54+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-08-22T14:56:54+02:00	DEBUG	Ignore statuses	statuses=[]
2025-08-22T14:56:54+02:00	DEBUG	DB update was skipped because the local DB is the latest
2025-08-22T14:56:54+02:00	DEBUG	DB info	schema=2 updated_at=2025-08-22T00:33:18.40601667Z next_update=2025-08-23T00:33:18.4060165Z downloaded_at=2025-08-22T06:55:22.463572Z
2025-08-22T14:56:54+02:00	DEBUG	[pkg] Package types	types=[os library]
2025-08-22T14:56:54+02:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2025-08-22T14:56:54+02:00	INFO	[vuln] Vulnerability scanning is enabled
2025-08-22T14:56:54+02:00	DEBUG	Initializing scan cache...	type="memory"
2025-08-22T14:56:54+02:00	DEBUG	[notification] Running version check
2025-08-22T14:56:54+02:00	INFO	Detected SBOM format	format="cyclonedx-json"
2025-08-22T14:56:54+02:00	DEBUG	Unmarshalling CycloneDX JSON...
2025-08-22T14:56:54+02:00	WARN	Third-party SBOM may lead to inaccurate vulnerability detection
2025-08-22T14:56:54+02:00	WARN	Recommend using Trivy to generate SBOMs
2025-08-22T14:56:54+02:00	FATAL	Fatal error
  - run error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.Run
        C:/dev/git/trivy/pkg/commands/artifact/run.go:412
  - sbom scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.run
        C:/dev/git/trivy/pkg/commands/artifact/run.go:450
  - scan error:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact
        C:/dev/git/trivy/pkg/commands/artifact/run.go:289
  - scan failed:
    github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scan
        C:/dev/git/trivy/pkg/commands/artifact/run.go:679
  - failed analysis:
    github.com/aquasecurity/trivy/pkg/scan.Service.ScanArtifact
        C:/dev/git/trivy/pkg/scan/service.go:166
  - SBOM decode error:
    github.com/aquasecurity/trivy/pkg/fanal/artifact/sbom.Artifact.Inspect
        C:/dev/git/trivy/pkg/fanal/artifact/sbom/sbom.go:59
  - failed to decode:
    github.com/aquasecurity/trivy/pkg/sbom.Decode
        C:/dev/git/trivy/pkg/sbom/sbom.go:227
  - failed to parse sbom:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).UnmarshalJSON
        C:/dev/git/trivy/pkg/sbom/cyclonedx/unmarshal.go:55
  - failed to parse root component:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseBOM
        C:/dev/git/trivy/pkg/sbom/cyclonedx/unmarshal.go:72
  - failed to parse metadata component:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseMetadataComponent
        C:/dev/git/trivy/pkg/sbom/cyclonedx/unmarshal.go:105
  - failed to unmarshal component type:
    github.com/aquasecurity/trivy/pkg/sbom/cyclonedx.(*BOM).parseComponent
        C:/dev/git/trivy/pkg/sbom/cyclonedx/unmarshal.go:167
  - unsupported type

Process finished with the exit code 1

Operating System

Windows

Version

Latest master from upstream

Version: dev
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-08-22 00:33:18.40601667 +0000 UTC
  NextUpdate: 2025-08-23 00:33:18.4060165 +0000 UTC
  DownloadedAt: 2025-08-22 06:55:22.463572 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-08-21 00:53:56.039121466 +0000 UTC
  NextUpdate: 2025-08-24 00:53:56.039121336 +0000 UTC
  DownloadedAt: 2025-08-21 08:22:05.7995122 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Track #9416