
CycloneDX SBOMs do not contain dependencies

Open tsteenbe opened this issue 3 months ago • 2 comments

As part of the ScanCode <=> ORT integration (see https://github.com/aboutcode-org/scancode.io/issues/1727) I tested analyzing Mime Types 2.1.26 as various inputs to ScanCode.io v35.3.0 and, to my surprise, noticed that the detected dependencies were included in the SPDX SBOM but not in the CycloneDX SBOM. Is this expected behavior for some of ScanCode.io's built-in pipelines?

| Test nr | Input | Pipeline | # Packages | # Deps | # Resources | # Deps in CycloneDX SBOM | # Deps in SPDX SBOM |
|---|---|---|---|---|---|---|---|
| 1 | pkg:npm/[email protected] | scan_codebase | 1 | 9 | 8 | 0 | 9 |
| 2 | pkg:npm/[email protected] | scan_single_package | 1 | 9 | 6 | 0 | 9 |
| 3 | pkg:npm/[email protected] | inspect_packages | 1 | 9 | 8 | 0 | 9 |
| 4 | pkg:npm/[email protected] | resolve_dependencies | 2 | 27 | 8 | 0 | 27 |
| 5 | pkg:github/jshttp/[email protected] | scan_codebase | 1 | 9 | 15 | 0 | 9 |
| 6 | pkg:github/jshttp/[email protected] | scan_single_package | 1 | 9 | 12 | 0 | 9 |
| 7 | pkg:github/jshttp/[email protected] | inspect_packages | 1 | 9 | 15 | 0 | 9 |
| 8 | pkg:github/jshttp/[email protected] | resolve_dependencies | 0 | 0 | 15 | 0 | 27 |

The attached scancode-io-tests.zip contains all the ScanCode.io project files and SBOMs from my tests.

tsteenbe · Sep 22 '25 07:09
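The check behind the "# Deps in CycloneDX SBOM" and "# Deps in SPDX SBOM" columns above can be automated: parse both SBOMs for the same project, express the dependency edges of each in purl terms, and list the edges the CycloneDX document lacks. The script below is an added example, not ScanCode.io code and not the attached test files; the two embedded documents are constructed, minimal stand-ins whose package names and purls are placeholders, and it assumes SPDX packages carry a `purl` external reference so that SPDX and CycloneDX edges can be compared on the same identifiers.

```python
"""Compare the dependency edges declared in a CycloneDX SBOM and an SPDX SBOM.

Added example (not ScanCode.io code). CYCLONEDX_SAMPLE and SPDX_SAMPLE are
constructed, minimal documents whose purls are placeholders.
"""
import json
import sys

# SPDX 2.x relationship types that express a dependency edge. DEPENDS_ON points
# from the dependent to its dependency; the *_DEPENDENCY_OF types point the other way.
SPDX_DEPENDS_ON = {"DEPENDS_ON"}
SPDX_DEPENDENCY_OF = {
    "DEPENDENCY_OF", "RUNTIME_DEPENDENCY_OF", "DEV_DEPENDENCY_OF", "OPTIONAL_DEPENDENCY_OF",
    "BUILD_DEPENDENCY_OF", "TEST_DEPENDENCY_OF", "PROVIDED_DEPENDENCY_OF",
}


def cyclonedx_edges(doc):
    """(dependent ref, dependency ref) pairs from the CycloneDX `dependencies` array."""
    return {(entry["ref"], dep)
            for entry in doc.get("dependencies", [])
            for dep in entry.get("dependsOn", [])}


def spdx_purl_index(doc):
    """Map each SPDX package id to its purl external reference, when one is declared."""
    index = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                index[pkg["SPDXID"]] = ref["referenceLocator"]
    return index


def spdx_edges(doc):
    """(dependent purl, dependency purl) pairs from SPDX relationships, normalised to the
    DEPENDS_ON direction; a package without a purl falls back to its SPDXID."""
    purls = spdx_purl_index(doc)
    edges = set()
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        a = purls.get(rel["spdxElementId"], rel["spdxElementId"])
        b = purls.get(rel["relatedSpdxElement"], rel["relatedSpdxElement"])
        if rtype in SPDX_DEPENDS_ON:
            edges.add((a, b))
        elif rtype in SPDX_DEPENDENCY_OF:
            edges.add((b, a))
    return edges


def compare_sboms(cyclonedx_doc, spdx_doc):
    """Count dependency edges in each SBOM and list the SPDX edges the CycloneDX lacks."""
    cdx, spdx = cyclonedx_edges(cyclonedx_doc), spdx_edges(spdx_doc)
    return {
        "cyclonedx_components": len(cyclonedx_doc.get("components", [])),
        "cyclonedx_dependency_edges": len(cdx),
        "spdx_packages": len(spdx_doc.get("packages", [])),
        "spdx_dependency_edges": len(spdx),
        "missing_from_cyclonedx": sorted(spdx - cdx),
    }


def _purl_ref(purl):
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": purl}


# Constructed CycloneDX document: components are listed, but the single
# `dependencies` entry declares no dependsOn edges (the shape this issue reports).
CYCLONEDX_SAMPLE = {
    "bomFormat": "CycloneDX", "specVersion": "1.6",
    "components": [
        {"type": "library", "bom-ref": "pkg:npm/example-root@1.0.0", "name": "example-root"},
        {"type": "library", "bom-ref": "pkg:npm/example-dep-a@2.0.0", "name": "example-dep-a"},
        {"type": "library", "bom-ref": "pkg:npm/example-dep-b@3.0.0", "name": "example-dep-b"},
    ],
    "dependencies": [{"ref": "pkg:npm/example-root@1.0.0"}],
}

# Constructed SPDX document for the same placeholder packages, with two dependency edges
# expressed in both directions plus a DESCRIBES relationship that is not a dependency.
SPDX_SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-root", "name": "example-root", "externalRefs": [_purl_ref("pkg:npm/example-root@1.0.0")]},
        {"SPDXID": "SPDXRef-dep-a", "name": "example-dep-a", "externalRefs": [_purl_ref("pkg:npm/example-dep-a@2.0.0")]},
        {"SPDXID": "SPDXRef-dep-b", "name": "example-dep-b", "externalRefs": [_purl_ref("pkg:npm/example-dep-b@3.0.0")]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-root"},
        {"spdxElementId": "SPDXRef-root", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-dep-a"},
        {"spdxElementId": "SPDXRef-dep-b", "relationshipType": "DEPENDENCY_OF", "relatedSpdxElement": "SPDXRef-root"},
    ],
}


if __name__ == "__main__":
    # Usage: python compare_sboms.py [cyclonedx.json spdx.json]; without arguments the samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report = compare_sboms(json.load(f), json.load(g))
    else:
        report = compare_sboms(CYCLONEDX_SAMPLE, SPDX_SAMPLE)
    print(json.dumps(report, indent=2))
```

Run against the two SBOM files of one test row, the `missing_from_cyclonedx` list names exactly which edges were dropped, which is more useful to a maintainer than the bare counts in the table; a non-empty list with matching package counts is the signature of the behaviour described in this issue.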