```
> syft packages alpine:latest -o cyclonedx-json > sbom.json
> cyclonedx-cli validate --input-file sbom.json
Unable to validate against any JSON schemas.
BOM is not valid.
> cyclonedx-cli validate --input-file sbom.json --input-version v1_4
Validating JSON BOM...
Validation failed: Found duplicates at the following index pairs: "(2, 4)"#/properties/dependencies/uniqueItems
BOM is not valid.
```
**What happened**:
Syft produces an invalid CycloneDX SBOM, at least for the apkdb-cataloger, due to duplicated refs in `dependencies`.
CycloneDX JSON Reference #dependencies states:
This rule is enforced by https://github.com/CycloneDX/cyclonedx-cli
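A check for the defect described above, added here as an example and not code from syft or cyclonedx-cli: it reports index pairs of `dependencies` entries that share a `ref` (stricter than the schema's `uniqueItems`, which only rejects byte-identical entries) and merges them so the BOM validates. The miniature BOM and its package versions are constructed, not real syft output.

```python
import json

# Constructed miniature CycloneDX 1.4 JSON BOM (not real syft output) with the
# defect from the report: the same "ref" appears twice in "dependencies"
# (indices 2 and 4). Package versions are made up.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "dependencies": [
        {"ref": "pkg:apk/alpine/busybox@1.36.1", "dependsOn": ["pkg:apk/alpine/musl@1.2.4"]},
        {"ref": "pkg:apk/alpine/zlib@1.2.13", "dependsOn": ["pkg:apk/alpine/musl@1.2.4"]},
        {"ref": "pkg:apk/alpine/musl@1.2.4", "dependsOn": []},
        {"ref": "pkg:apk/alpine/ca-certificates@2023", "dependsOn": []},
        {"ref": "pkg:apk/alpine/musl@1.2.4", "dependsOn": []},
    ],
})


def duplicate_dependency_refs(bom_json):
    """Return (i, j) index pairs of "dependencies" entries that share a ref.

    JSON Schema's uniqueItems only rejects byte-identical objects; comparing
    on "ref" is stricter and also catches entries that differ in dependsOn.
    """
    deps = json.loads(bom_json).get("dependencies", [])
    first_seen, pairs = {}, []
    for i, entry in enumerate(deps):
        ref = entry.get("ref")
        if ref in first_seen:
            pairs.append((first_seen[ref], i))
        else:
            first_seen[ref] = i
    return pairs


def merge_duplicate_dependencies(bom_json):
    """Collapse entries sharing a ref into one, unioning their dependsOn lists.

    Keeps first-occurrence order and returns the repaired BOM as a JSON string.
    """
    bom = json.loads(bom_json)
    merged = {}
    for entry in bom.get("dependencies", []):
        ref = entry.get("ref")
        slot = merged.setdefault(ref, {"ref": ref, "dependsOn": []})
        for dep in entry.get("dependsOn", []):
            if dep not in slot["dependsOn"]:
                slot["dependsOn"].append(dep)
    bom["dependencies"] = list(merged.values())
    return json.dumps(bom)
```

On the sample, `duplicate_dependency_refs(SAMPLE_BOM)` returns `[(2, 4)]`, matching the index pair cyclonedx-cli reported, and the merged BOM has no remaining duplicates.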
**What you expected to happen**:
Syft produces a valid SBOM.
**Steps to reproduce the issue**:
**Anything else we need to know?**:
Should be:
**Environment**:
- `syft version`: 0.87.1
- `cat /etc/os-release` or similar: Ubuntu 22.04.3 LTS