Why is component.evidence.occurrences.location not populated in CycloneDX SBOMs?

[3nol]

Question

Talking about the CycloneDX format of SBOMs in the output here. I saw that Trivy supports and conforms to the CycloneDX spec v1.5, which introduced detailed evidence as optional field.

Furthermore, Trivy currently exposes the file path of a component via component.properties in the aquasecurity:trivy:FilePath property. So, I was wondering whether there is a reason that this spec-specific field is not populated but the "vendor-specific" one is - or whether this is simply a missing feature in Trivy.

Greatly appreciate any answers, as I could not find any information on this, yet. Thanks!

Target

SBOM

Scanner

Vulnerability

Output Format

CycloneDX

Mode

Standalone

Operating System

No response

Version

Version: 0.52.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-19 06:25:13.689698917 +0000 UTC
  NextUpdate: 2025-11-20 06:25:13.689698627 +0000 UTC
  DownloadedAt: 2025-11-19 09:42:30.039501414 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-19 00:57:32.232277951 +0000 UTC
  NextUpdate: 2025-11-22 00:57:32.23227766 +0000 UTC
  DownloadedAt: 2025-11-19 09:44:20.289135902 +0000 UTC

[DmitriyLewen]

Hello @3nol
Thanks for the information about this field being added.

I created #9832.

Regards, Dmitriy