fix: sbomtool merge losing packages and properties #317
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cezar-r
approved these changes
Dec 30, 2025
ginglis13
reviewed
Jan 16, 2026
Contributor
ginglis13
left a comment
ginglis13
left a comment
There was a problem hiding this comment.
in "Testing Done", could you also share some before/after SBOM examples for a variant?
Fix three bugs in the SBOM merge process:
1. Remove DocumentRoot filter that incorrectly dropped primary packages
- The filter was removing packages whose ID contained 'DocumentRoot'
- CycloneDX puts the scan target in metadata.component, not components[]
- When syft decodes this, it creates a package with DocumentRoot in ID
- Now we only filter packages with empty names
2. Preserve Locations and Metadata during package merging
- Locations (file paths) were not being merged, causing all
syft:location:* properties to be lost
- Metadata was not being preserved, causing all syft:metadata:*
and syft:package:* properties to be lost
- Now we merge all Locations from duplicate packages (union)
- Now we preserve Metadata from first package with non-nil metadata
3. Use CycloneDX 1.6 for output encoding
- The default encoder used CycloneDX 1.2 which doesn't support
the properties field on components (added in 1.3)
- Now explicitly use CycloneDX 1.6 encoder to preserve all properties
Signed-off-by: Richard Kelly <[email protected]>
SBOM data was previously missing data from the root node of the dependency graph when merged. Fixed merge to include this node as well Signed-off-by: Richard Kelly <[email protected]>
ginglis13
approved these changes
Jan 16, 2026
cezar-r
approved these changes
Jan 16, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix three bugs in the SBOM merge process:
Remove DocumentRoot filter that incorrectly dropped primary packages
Preserve Locations and Metadata during package merging
Use CycloneDX 1.6 for output encoding
Issue number: #316
Description of changes:
Changed SBOM tool to preserve more information during a merge. Changes now keep the document root package, as well as ensure that CycloneDX encoding is 1.6 for more metadata.
Testing done:
Generated SBOMs for Bottlerocket core and kernel kits. See here for full before and partial after (full after seems to give gist problems)
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.