syft
Java maven project, too many errors and warnings.
version:
Application: syft
Version: 1.12.2
BuildDate: 2024-09-11T14:12:10Z
GitCommit: fcd5ec951de6b3fc1f1aa2a36968356d2eb22170
GitDescription: v1.12.2
Platform: linux/amd64
GoVersion: go1.22.6
Compiler: gc
used command:
syft scan dir:. -o cyclonedx=target/sbom-cyclonedx.cdx -vv
results: SBOM generated, but with many errors and warnings, and no dependencies
in the output, hence no relationships at all...
such as:
DEBUG error adding dependency dependencyID=(groupId: org.springframework.boot artifactId: spring-boot-devtools version: ) error=invalid maven pom specification, require non-empty values for groupID: 'org.springframework.boot', artifactID: 'spring-boot-devtools', version: '' mavenID=(groupId: com.wxt.itps.services artifactId: public version: 0.0.1-SNAPSHOT) pomLocation=Location<id=707 RealPath="/pom.xml">
DEBUG error attempting to resolve pom licenses error=unable to resolve pom org.springframework.boot spring-boot-starter-parent 3.2.4: %!w(<nil>) mavenID=(groupId: com.wxt.itps.services artifactId: public version: 0.0.1-SNAPSHOT)
DEBUG error attempting to find sub-group licenses error=unable to resolve pom com.wxt.itps public 0.0.1-SNAPSHOT: %!w(<nil>) mavenID=(groupId: com.wxt.itps artifactId: public version: 0.0.1-SNAPSHOT)
DEBUG unable to convert relationship type to CycloneDX JSON, dropping: "{From:0xc000347280 To:Pkg(name=\"spring-boot-devtools\" version=\"\" type=\"java-archive\" id=\"033e397b919ab6bc\") Type:contains Data:<nil>}"
tried to scan an npm project, also no dependencies
element in the output, while seeing many errors in the verbose log:
[0006] DEBUG unable to convert relationship type to CycloneDX JSON, dropping: "{From:Pkg(name=\"zrender\" version=\"5.4.4\" type=\"npm\" id=\"31b5925a6366e164\") To:Location<RealPath=\"/pnpm-lock.yaml\"> Type:evident-by Data:<nil>}"
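Added example, not code from syft or from this issue: a small consumer-side check over a CycloneDX JSON SBOM that flags the two symptoms reported above, an empty `dependencies` array (so no relationships survive the export) and components with an empty version. The embedded document is constructed for the example and assumes the CycloneDX JSON field names (`components`, `dependencies`, `bom-ref`, `dependsOn`).

```python
import json

# Constructed sample shaped like a CycloneDX 1.5 JSON SBOM (assumption: standard
# CycloneDX JSON field names). It mirrors the report: components are present,
# the dependency graph is empty, and one component's version came through empty.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "spring-boot-devtools", "version": "",
         "bom-ref": "033e397b919ab6bc"},
        {"type": "library", "name": "zrender", "version": "5.4.4",
         "bom-ref": "31b5925a6366e164"},
    ],
    "dependencies": [],
})


def check_sbom(text):
    """Return findings for a CycloneDX JSON SBOM given as text."""
    bom = json.loads(text)
    components = bom.get("components", [])
    deps = bom.get("dependencies", [])
    # A component without a version cannot be matched against advisories.
    missing_version = [c.get("name") for c in components if not c.get("version")]
    # Collect every bom-ref that the dependency graph mentions at all.
    referenced = set()
    for d in deps:
        referenced.add(d.get("ref"))
        referenced.update(d.get("dependsOn", []))
    # Components never mentioned in the graph have no relationship information.
    unlinked = [c.get("name") for c in components
                if c.get("bom-ref") not in referenced]
    return {
        "component_count": len(components),
        "dependency_count": len(deps),
        "no_dependency_graph": len(components) > 0 and len(deps) == 0,
        "missing_version": missing_version,
        "unlinked_components": unlinked,
    }


if __name__ == "__main__":
    for key, value in check_sbom(SAMPLE_SBOM).items():
        print(f"{key}: {value}")
```

Run it against a real `target/sbom-cyclonedx.cdx` by reading the file into `check_sbom`; a non-empty `unlinked_components` list on a Maven or npm project is the signal that relationships were dropped during export.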