Skip to content

[Bug]: Tags field not removed when encoding to spec version 1.5 #248

New issue
New issue
Closed
Closed
[Bug]: Tags field not removed when encoding to spec version 1.5#248
Labels
bugSomething isn't working
@wiebe-vandendriessche

Description

@wiebe-vandendriessche
wiebe-vandendriessche
opened on Jan 20, 2026

Version: cyclonedx-go v0.9.3
OS: Linux

Description

The tags field is not removed when encoding to spec 1.5, even though tags were introduced in spec 1.6. This is inconsistent with how manufacturer and authors are correctly removed.

Reproducible Steps

  1. Create a BOM with tags:
bom := cdx.NewBOM()
bom.Metadata = &cdx.Metadata{
    Component: &cdx.Component{
        Name: "test",
        Tags: &[]string{"tag1", "tag2"},
        Manufacturer: &cdx.OrganizationalEntity{Name: "Test Corp"},
    },
}
  1. Encode to spec 1.5:
encoder := cdx.NewBOMEncoder(out, cdx.BOMFileFormatJSON)
err := encoder.EncodeVersion(bom, cdx.SpecVersion1_5)
  1. Check output

Expected: No tags field (like manufacturer is removed)
Actual: tags field present in spec 1.5 output

Root Cause

In convert.go, componentConverter() function removes 1.6-only fields but Tags is missing:

if specVersion < SpecVersion1_6 {
    c.SWHID = nil
    c.OmniborID = nil
    c.Manufacturer = nil
    c.Authors = nil
    // c.Tags = nil  // <-- Missing
}

Fix

Add c.Tags = nil to the spec 1.6 conversion block in componentConverter() in convert.go.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions