Alex Goodman
The artifact in ArtifactHub is currently a test image and needs to be replaced with an official image before this issue can be considered done.
This is a great idea. Do you happen to know if this information is stored for each package installed? That is, if looking at a site-packages directory with several installations,...
In order to continue with these, package de-duplication needs to be concluded first (or concurrently) (see https://github.com/anchore/syft/issues/32).
note: package de-dup is done, so this should be unblocked 🥳
There is an extra vote for some of these via https://github.com/anchore/syft/issues/1035
Syft / stereoscope uses [GGCR](https://github.com/google/go-containerregistry) for this functionality, so we wouldn't be able to easily fix this behavior internally yet.

Code:
- https://github.com/google/go-containerregistry/blob/c90c44474acce673c0719a67e0f45a85f3dff157/pkg/v1/tarball/image.go#L137-L141
- https://github.com/anchore/stereoscope/blob/25ebd49a842b5ac0a20c2e2b4b81335b64ad248c/pkg/image/docker/tarball_provider.go#L36

Related issues:
- https://github.com/google/go-containerregistry/issues/1109
- ...
@kzantow , good ideas. Especially with the callout that internally we could stick to "strongly typed bins of nodes" while still outputting json with a single bin of all node...
**Regarding the _internal_ representation of an SBOM (not the external JSON representation)**: _(...This entire comment is tangentially related to this issue but can also be implemented with #556 or #554.)_...
I attempted to reproduce this without luck from the portion, can you provide the full `pom.xml`?
Hey @bahrb we do [generate CPEs for packages](https://github.com/anchore/syft/blob/main/syft/pkg/cataloger/cpe.go#L104) for the json format, however as of today the CycloneDX format does not show these generated CPEs. We almost added support for...