syft icon indicating copy to clipboard operation
syft copied to clipboard
verified publisher icon anchore

cyclonedx: do not include root file (e.g., conan.lock) as component (…

Open kdt523 opened this issue 2 months ago • 2 comments

Ensure CycloneDX SBOM consistency across OSes by skipping root input file as a component

Description

Ensure CycloneDX SBOMs generated from a single file source (e.g., conan.lock) are consistent across OSes by not listing the root input file itself as a component.

Problem

On Linux, the CycloneDX SBOM could include the input lockfile (e.g., conan.lock) in the components list, while on Windows it wouldn’t.
The input document shouldn’t be treated as a “component.”

Fix

When the source under analysis is a single file (source.FileMetadata), skip emitting that exact file as a ComponentTypeFile in the CycloneDX components array.

Scope

Only affects CycloneDX component emission — package discovery and relationships remain unchanged.

Key Change

  • File: to_format_model.go
  • Change: During file-component enumeration, detect the source file path and skip adding a component for that path.

Behavioral Summary

Platform Before After
Linux Components could include conan.lock Components do not include the root input file
Windows Components typically did not include conan.lock Components do not include the root input file

Fixes

#4242

Type of Change

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (please discuss with the team first; Syft is 1.0 software and we won't accept breaking changes without going to 2.0)
  • [ ] Documentation (updates the documentation)
  • [ ] Chore (improve the developer experience, fix a test flake, etc, without changing visible behavior of Syft)
  • [ ] Performance (make Syft run faster or use less memory, without changing visible behavior much)

Checklist

  • [ ] I have added unit tests that cover changed behavior
  • [x] I have tested my code in common scenarios and confirmed there are no regressions
  • [x] I have added comments to my code, particularly in hard-to-understand sections

kdt523 avatar Oct 25 '25 17:10 kdt523

Hey @kdt523 -- I haven't yet reviewed this, but I wanted to note that there is a fix for Windows that will probably make this behavior consistent, where both will include the file, at least fixing the inconcistency.

kzantow avatar Oct 27 '25 15:10 kzantow

Hey @kdt523 are you able to retest with the latest Syft? I believe the issue where Windows was not including the root file component should be resolved

kzantow avatar Nov 12 '25 15:11 kzantow