
No dependency graph relationships reported in CycloneDX output

Open fproulx-boostsecurity opened this issue 2 years ago • 2 comments

What happened: I am scanning a Python repo that uses Poetry (poetry.lock). Using the cyclonedx-json output (I also tried other outputs, including json), I do not get the dependency graph.

What you expected to happen: I want the CycloneDX dependencies section to be filled.

How to reproduce it (as minimally and precisely as possible): syft packages dir:. -o cyclonedx-json

Anything else we need to know?:

Environment:

  • Output of syft version: 0.56
  • OS (e.g: cat /etc/os-release or similar): macos

fproulx-boostsecurity, Sep 19 '22 16:09

Hmmm I see that it's not implemented https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/python/parse_poetry_lock.go#L18-L31 :(

fproulx-boostsecurity, Sep 19 '22 17:09

Indeed, this could be a nice enhancement -- PRs are welcome! :)

kzantow, Sep 19 '22 20:09
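For readers wondering what the missing piece looks like: the relationships the reporter expects are already present in poetry.lock, in each package's [package.dependencies] table, and only need to be mapped onto CycloneDX "dependencies" entries (a "ref" per component plus a "dependsOn" list). The script below is an added illustration, not syft's cataloger and not code from the issue author; the lock-file excerpt, the package names and versions, and the helper names (parse_poetry_lock, cyclonedx_dependencies, normalize) are all constructed for this example. It uses a small line-oriented reader for the fields it needs rather than a TOML library so it runs with the standard library alone, and it uses the PyPI purl as the bom-ref. Dependencies that are declared but not locked (an optional extra that was not installed) are dropped rather than emitted as dangling refs, which is the edge case a consumer of the SBOM would otherwise trip over.

```python
"""Derive a CycloneDX 1.4 'dependencies' array from a poetry.lock file.

Example code, not part of syft. Handles the common poetry.lock layout:
[[package]] blocks with name/version and a [package.dependencies] table.
"""
import json
import re

# Constructed sample lock (trimmed, not a real project's file). PySocks is
# declared as an optional dependency of requests but is not locked, so it
# must not appear in the output.
SAMPLE_LOCK = """\
[[package]]
name = "certifi"
version = "2022.9.24"
category = "main"
optional = false
python-versions = ">=3.6"

[[package]]
name = "charset-normalizer"
version = "2.1.1"
category = "main"
optional = false
python-versions = ">=3.6.0"

[[package]]
name = "idna"
version = "3.4"
category = "main"
optional = false
python-versions = ">=3.5"

[[package]]
name = "requests"
version = "2.28.1"
category = "main"
optional = false
python-versions = ">=3.7, <4"

[package.dependencies]
certifi = ">=2017.4.17"
charset-normalizer = ">=2,<3"
idna = ">=2.5,<4"
urllib3 = ">=1.21.1,<1.27"
PySocks = {version = ">=1.5.6,!=1.5.7", optional = true}

[package.extras]
socks = ["PySocks (>=1.5.6,!=1.5.7)"]

[[package]]
name = "urllib3"
version = "1.26.12"
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"

[metadata]
lock-version = "1.1"
"""

# Matches the key of a 'key = value' line; the key may be quoted.
_KEY_RE = re.compile(r'^"?([A-Za-z0-9._\[\]-]+)"?\s*=')


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Charset_Normalizer' matches 'charset-normalizer'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _string_value(line: str) -> str:
    """Return the unquoted right-hand side of a 'key = "value"' line."""
    return line.split("=", 1)[1].strip().strip('"')


def parse_poetry_lock(text: str) -> list:
    """Return [{'name', 'version', 'deps': [declared dependency names]}] per [[package]]."""
    packages, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {"name": None, "version": None, "deps": []}
            packages.append(current)
            section = "package"
            continue
        if line.startswith("["):            # [package.dependencies], [package.extras], [metadata], ...
            section = line.strip("[]")
            continue
        if current is None:
            continue
        if section == "package":
            if line.startswith("name ="):
                current["name"] = _string_value(line)
            elif line.startswith("version ="):
                current["version"] = _string_value(line)
        elif section == "package.dependencies":
            m = _KEY_RE.match(line)          # value may be a string or an inline table; only the key matters
            if m:
                current["deps"].append(m.group(1))
    return packages


def purl(name: str, version: str) -> str:
    return f"pkg:pypi/{normalize(name)}@{version}"


def cyclonedx_dependencies(text: str) -> list:
    """Build the CycloneDX 'dependencies' array: one entry per locked package."""
    packages = parse_poetry_lock(text)
    refs = {normalize(p["name"]): purl(p["name"], p["version"]) for p in packages}
    result = []
    for p in packages:
        depends_on = set()
        for dep in p["deps"]:
            key = normalize(dep.split("[", 1)[0])   # strip any extras marker such as foo[bar]
            if key in refs:                        # unlocked (optional, uninstalled) deps are skipped
                depends_on.add(refs[key])
        result.append({"ref": refs[normalize(p["name"])], "dependsOn": sorted(depends_on)})
    return result


if __name__ == "__main__":
    print(json.dumps({"dependencies": cyclonedx_dependencies(SAMPLE_LOCK)}, indent=2))
```

Running the script prints a fragment that can be merged into the "dependencies" array of a CycloneDX JSON document; each "ref" must match the "bom-ref" of the corresponding entry in "components", which is why the purl is used on both sides.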