diff --git a/syft/formats/common/cyclonedxhelpers/decoder.go b/syft/formats/common/cyclonedxhelpers/decoder.go
index 1413972ae5f..34a08dc8ee2 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -25,7 +25,9 @@ func GetValidator(format cyclonedx.BOMFileFormat) sbom.Validator {
 return err
 }
- if bom.Components != nil {
+ if bom.Components != nil &&
+ bom.Metadata != nil &&
+ bom.Metadata.Component != nil {
 components := *bom.Components
 components = append(components, *bom.Metadata.Component)
 bom.Components = &components
@@ -48,7 +50,9 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 if err != nil {
 return nil, err
 }
- if bom.Components != nil {
+ if bom.Components != nil &&
+ bom.Metadata != nil &&
+ bom.Metadata.Component != nil {
 components := *bom.Components
 components = append(components, *bom.Metadata.Component)
 bom.Components = &components
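Review bot: The three-part nil guard and the append under it are duplicated verbatim in GetValidator and in the GetDecoder hunk, so a later edit to one copy can leave the other dereferencing `bom.Metadata` on a document that omits it; both paths run on a freshly decoded BOM, so that would bring back a panic on malformed input. Moving the merge into one helper called from both places keeps the checks in step, and a regression test that decodes a BOM without `metadata` and one without `metadata.component` would pin the fix (no test is visible in this diff). The guard also still skips the metadata component when `bom.Components` is nil; if that is intended, a short comment should say so. Both function bodies start and end outside the hunks shown.

```go
// mergeMetadataComponent appends the metadata component to the component
// list. Metadata and its component are optional in a decoded BOM, so both
// are checked before the dereference.
// NOTE(review): assumes bom is *cyclonedx.BOM at both call sites; confirm.
func mergeMetadataComponent(bom *cyclonedx.BOM) {
	if bom.Components == nil || bom.Metadata == nil || bom.Metadata.Component == nil {
		return
	}
	components := *bom.Components
	components = append(components, *bom.Metadata.Component)
	bom.Components = &components
}

// … unchanged: decode and error check in GetValidator / GetDecoder …
mergeMetadataComponent(bom)
```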