
CycloneDX metadata's target component is "." instead of the component name #1238

Closed
bardenstein opened this issue Oct 3, 2022 · 10 comments
Labels
changelog-ignore Don't include this issue in the release changelog

Comments

@bardenstein

What happened:
Instead of naming the component and version, the generator puts the local file path (e.g. instead of being my-app, it's a '.', or could even be users/myname/code/my-app).

What you expected to happen:
The generator should automatically and accurately fill out the name of the component and version of the code being described, not just by the (relative) path.

How to reproduce it (as minimally and precisely as possible):
Run the Syft generator on a repo to generate a CDX SBOM

Anything else we need to know?:
Here's the CDX spec: https://cyclonedx.org/docs/1.4/json/#metadata_component

Environment:

  • Output of syft version:
  • OS (e.g: cat /etc/os-release or similar):
@bardenstein bardenstein added the bug Something isn't working label Oct 3, 2022
@kzantow
Contributor

kzantow commented Oct 3, 2022

Hi @bardenstein -- do you happen to have a specific repo to use to reproduce this issue?

@bardenstein
Author

https://github.com/alexthemark/example-unmet-peer-dep

Generates:

```json
"metadata": {
  "timestamp": "2022-10-03T12:27:41-04:00",
  "tools": [
    {
      "vendor": "anchore",
      "name": "syft",
      "version": "0.58.0"
    }
  ],
  "component": {
    "bom-ref": "af63bd4c8601b7f1",
    "type": "file",
    "name": "."
  }
},
```

where I would expect it to name the component example-amplify-app@1.0.0 per the package.json

@kzantow kzantow added this to OSS Oct 3, 2022
@kzantow kzantow moved this to Parking Lot (Comments or Progress) in OSS Oct 3, 2022
@kzantow
Contributor

kzantow commented Oct 3, 2022

Thank you @bardenstein -- we'll add this to the backlog, agree it seems like something to fix 👍

@bardenstein
Author

Thanks @kzantow. We're all for building SBOMs that are complete and to spec! :)

@ArgTang

ArgTang commented Oct 5, 2022

@kzantow Could a command-line flag to manually override the name be added? If the project is structured so the auto-resolver is not correct, it would be nice to set it manually.

Note: the name is "." with SPDX as well.
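The quoted CycloneDX output above and the note that SPDX shows the same "." name both come down to one check a pipeline can run on every SBOM it produces: is the document's target component a real name and version, or just the path Syft was pointed at? The script below is an added example, not code from the issue or from Syft. It embeds a constructed CycloneDX document built from the metadata block quoted above (the `bomFormat`, `specVersion` and `components` wrapper fields are added so it parses on its own), a constructed "fixed" variant carrying the `example-amplify-app@1.0.0` the reporter expected, a constructed `package.json`, and a constructed SPDX JSON fragment. The SPDX handling assumes Syft writes the source as the top-level document `name` with no version; that layout is an assumption, not something the thread states.

```python
import json
import re

# Constructed sample: the CycloneDX metadata block quoted in the issue, wrapped
# in a minimal document so it parses on its own (bomFormat, specVersion and
# components are added here; they are not part of the quoted output).
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2022-10-03T12:27:41-04:00",
        "tools": [{"vendor": "anchore", "name": "syft", "version": "0.58.0"}],
        "component": {"bom-ref": "af63bd4c8601b7f1", "type": "file", "name": "."},
    },
    "components": [],
})

# Constructed sample: the same document with the target set to the name and
# version from package.json, i.e. what the reporter expected to see.
CDX_FIXED = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2022-10-03T12:27:41-04:00",
        "tools": [{"vendor": "anchore", "name": "syft", "version": "0.58.0"}],
        "component": {
            "bom-ref": "af63bd4c8601b7f1",
            "type": "application",
            "name": "example-amplify-app",
            "version": "1.0.0",
        },
    },
    "components": [],
})

# Constructed sample for the SPDX case mentioned in the thread. Assumption:
# Syft's SPDX JSON carries the source as the top-level document "name" and
# has no version field for it.
SPDX_SAMPLE = json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "."})

# Constructed sample: the package.json the target should have been named after.
PACKAGE_JSON_SAMPLE = json.dumps({"name": "example-amplify-app", "version": "1.0.0"})

# "." / "..", Windows drive paths, absolute POSIX paths, or anything with a separator.
PATH_LIKE = re.compile(r"^(\.{1,2}|[A-Za-z]:\\.*|/.*|.*[\\/].*)$")


def looks_like_path(name):
    """True when a target name is a filesystem path rather than a component name."""
    # npm scoped package names legitimately contain exactly one slash: "@scope/pkg".
    if name.startswith("@") and name.count("/") == 1 and "\\" not in name:
        return False
    return bool(PATH_LIKE.match(name))


def target_component(sbom):
    """Locate the document's target component as {"format", "name", "version"}.

    CycloneDX: metadata.component carries name and version.
    SPDX JSON (assumed layout): the top-level document name; no version.
    """
    if sbom.get("bomFormat") == "CycloneDX":
        comp = sbom.get("metadata", {}).get("component", {})
        return {"format": "CycloneDX", "name": comp.get("name"), "version": comp.get("version")}
    if "spdxVersion" in sbom:
        return {"format": "SPDX", "name": sbom.get("name"), "version": None}
    raise ValueError("unrecognized SBOM format")


def check_target(sbom_text, package_json_text):
    """Return a list of findings; an empty list means the target looks right."""
    sbom = json.loads(sbom_text)
    pkg = json.loads(package_json_text)
    target = target_component(sbom)
    want_name, want_version = pkg["name"], pkg.get("version")
    findings = []
    name = target["name"]
    if not name:
        findings.append("target component has no name")
    elif looks_like_path(name):
        findings.append(f"target component name is a path: {name!r}")
    elif name != want_name:
        findings.append(f"target name {name!r} != package.json name {want_name!r}")
    # Only the CycloneDX target component carries a version to compare.
    if target["format"] == "CycloneDX" and want_version and target["version"] != want_version:
        findings.append(
            f"target version {target['version']!r} != package.json version {want_version!r}"
        )
    return findings


if __name__ == "__main__":
    for label, doc in (("cdx-as-generated", CDX_SAMPLE), ("cdx-fixed", CDX_FIXED), ("spdx", SPDX_SAMPLE)):
        print(label, check_target(doc, PACKAGE_JSON_SAMPLE) or ["ok"])
```

Running this against the as-generated document reports both the path-valued name and the missing version, the fixed document passes, and the SPDX fragment reports only the name, since there is no version to compare. In CI the natural gate is to fail the job when the list is non-empty, so an SBOM that describes "." rather than the application never gets published alongside the release.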

@bardenstein
Author

Manual overwrite wouldn't work for some of our solutions, where we have Github Actions that reference/add Syft to specific repos. We'd want something automatic.

@ArgTang

ArgTang commented Oct 6, 2022

@bardenstein I agree that auto-discovery will be best, but I don't see how a `--name <appname>` would not work in a CI job if for some reason auto-resolve doesn't work for a specific project?

@kzantow
Contributor

kzantow commented Oct 6, 2022

Unfortunately, I don't think just having a name (or even a name and version) would be sufficient; there's a lot more information we need to generate a viable SBOM, and especially to then scan it with Grype.

@tgerla tgerla removed the status in OSS Aug 31, 2023
@tgerla tgerla added changelog-ignore Don't include this issue in the release changelog and removed bug Something isn't working labels Aug 31, 2023
@tgerla
Contributor

tgerla commented Aug 31, 2023

We now have the --source-name and --source-version options that should allow you to hint to Syft the actual name and version for the target component for these situations. We'll close this issue but please re-open or open another one if this doesn't work out for you.

@tgerla tgerla closed this as completed Aug 31, 2023
@github-project-automation github-project-automation bot moved this to Done in OSS Aug 31, 2023
@wagoodman
Contributor

I've opened up #2084 to more generically capture what I think the ask is here.
