scout-cli
scout sbom: components link its own file as subcomponent
When creating an SBOM file with the `docker scout sbom --format cyclonedx ...` command, I noticed that a component links its own file (.dll) as a subcomponent. Example of a component:
```json
{
  "bom-ref": "package-pkg-nuget-System.Collections-8.0.1124.51707",
  "type": "application",
  "supplier": {
    "name": "Microsoft Corporation"
  },
  "name": "System.Collections",
  "version": "8.0.1124.51707",
  "purl": "pkg:nuget/[email protected]",
  "components": [
    {
      "bom-ref": "File---usr-share-dotnet-shared-Microsoft.NETCore.App-8.0.11-System.Collections.dll",
      "type": "file",
      "name": "/usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/System.Collections.dll"
    }
  ]
}
```
In the end there exist two components: one is the file without further information such as a version number, and the other is the actual component with all the necessary information. In my opinion the file shouldn't be a component itself or a subcomponent (see the CycloneDX doc: https://cyclonedx.org/docs/1.6/json/#components_items_components).
If you have any questions, I'm happy to help.
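A small lint that detects the nesting described in this issue in any CycloneDX JSON document. This is an added example, not part of the original report or of scout-cli; `SAMPLE_BOM` is a constructed document that copies the reported shape, and the function and rule names are my own.

```python
import os

# Constructed sample with the nesting reported in the issue (not actual docker scout output).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "bom-ref": "package-pkg-nuget-System.Collections-8.0.1124.51707",
            "type": "application",
            "name": "System.Collections",
            "version": "8.0.1124.51707",
            "components": [
                {
                    "bom-ref": "File---usr-share-dotnet-shared-Microsoft.NETCore.App-8.0.11-System.Collections.dll",
                    "type": "file",
                    "name": "/usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/System.Collections.dll",
                }
            ],
        }
    ],
}

def walk(components, parent=None):
    """Yield (component, parent) pairs, recursing into nested 'components' arrays."""
    for comp in components or []:
        yield comp, parent
        yield from walk(comp.get("components"), comp)

def lint_file_components(bom):
    """Flag file-type components that only mirror their parent package or carry no version.

    Returns a list of (rule, bom-ref, detail) tuples.
    """
    findings = []
    for comp, parent in walk(bom.get("components")):
        if comp.get("type") != "file":
            continue
        ref = comp.get("bom-ref")
        if "version" not in comp:
            findings.append(("file-without-version", ref, comp.get("name")))
        if parent is not None and parent.get("type") != "file":
            # A .dll named after the parent package is the package's own artifact, not a distinct subcomponent.
            stem = os.path.splitext(os.path.basename(comp.get("name", "")))[0]
            if stem.lower() == parent.get("name", "").lower():
                findings.append(("own-file-as-subcomponent", ref, parent.get("bom-ref")))
    return findings

if __name__ == "__main__":
    for rule, ref, detail in lint_file_components(SAMPLE_BOM):
        print(f"{rule}: {ref} ({detail})")
```

Run it against `docker scout sbom --format cyclonedx` output loaded with `json.load` to count how many packages are affected before consuming the SBOM downstream.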
Are there any updates about this?