Description
What happened:
I am trying to filter the SBOM generated by Syft to have only direct dependency references, but in order to do it we need to know the root dependency, which is the candidate source code repo, but I see that as reference type file and with some id - dffd377ff0dc6059 instead of a purl like I see in the SBOM generated by cdxgen: 1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0.
What you expected to happen:
The metadata.component.bom-ref should be of type application and should have a correct PURL similar to 1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0 (taken from the cdxgen generated SBOM) - both SBOMs are attached below. Also, there are no dependencies of the root dependency mentioned in the dependencies section of the SBOM.
The SBOM generated by Syft:
{
"$schema" : "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat" : "CycloneDX",
"specVersion" : "1.6",
"serialNumber" : "urn:uuid:c81ce327-0dab-4bd8-8445-7ee0a328cc12",
"version" : 1,
"metadata" : {
"timestamp" : "2026-02-04T07:30:51Z",
"tools" : {
"components" : [ {
"type" : "application",
"author" : "anchore",
"name" : "syft",
"version" : "1.41.2"
} ]
},
"component" : {
"bom-ref" : "dffd377ff0dc6059",
"type" : "file",
"name" : "/app"
}
},
"components" : [ {
"bom-ref" : "pkg:golang/github.com/go-jose/go-jose/v4@v4.0.5?package-id=5070b17f08569400",
"type" : "library",
"name" : "github.com/go-jose/go-jose/v4",
"version" : "v4.0.5",
"licenses" : [ {
"license" : {
"id" : "Apache-2.0"
}
}, {
"license" : {
"id" : "BSD-3-Clause"
}
} ],
"cpe" : "cpe:2.3:a:go-jose:go-jose\\/v4:v4.0.5:*:*:*:*:*:*:*",
"purl" : "pkg:golang/github.com/go-jose/go-jose/v4@v4.0.5",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-source-entry"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:go-jose:go_jose\\/v4:v4.0.5:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:go_jose:go-jose\\/v4:v4.0.5:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:go_jose:go_jose\\/v4:v4.0.5:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:go:go-jose\\/v4:v4.0.5:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:go:go_jose\\/v4:v4.0.5:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:architecture",
"value" : "amd64"
}, {
"name" : "syft:metadata:cgoEnabled",
"value" : "true"
}, {
"name" : "syft:metadata:h1Digest",
"value" : "h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE="
}, {
"name" : "syft:metadata:os",
"value" : "linux"
} ]
}, {
"bom-ref" : "pkg:golang/github.com/go-resty/resty/v2@v2.16.5?package-id=a2d42aa905eb0ab7",
"type" : "library",
"name" : "github.com/go-resty/resty/v2",
"version" : "v2.16.5",
"licenses" : [ {
"license" : {
"id" : "MIT"
}
} ],
"cpe" : "cpe:2.3:a:resty_project:resty:v2.16.5:*:*:*:*:go:*:*",
"purl" : "pkg:golang/github.com/go-resty/resty/v2@v2.16.5",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-source-entry"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:architecture",
"value" : "amd64"
}, {
"name" : "syft:metadata:cgoEnabled",
"value" : "true"
}, {
"name" : "syft:metadata:h1Digest",
"value" : "h1:hBKqmWrr7uRc3euHVqmh1HTHcKn99Smr7o5spptdhTM="
}, {
"name" : "syft:metadata:os",
"value" : "linux"
} ]
}, {
"bom-ref" : "pkg:golang/github.com/google/go-cmp@v0.7.0?package-id=473d0adb4b419c7e",
"type" : "library",
"name" : "github.com/google/go-cmp",
"version" : "v0.7.0",
"cpe" : "cpe:2.3:a:google:go-cmp:v0.7.0:*:*:*:*:*:*:*",
"purl" : "pkg:golang/github.com/google/go-cmp@v0.7.0",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-module-entry"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:google:go_cmp:v0.7.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:h1Digest",
"value" : "h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8="
} ]
}, {
"bom-ref" : "pkg:golang/github.com/tr/prodsec_ssc_sbom_go_basic?package-id=c9671a1f48335cc8",
"type" : "library",
"name" : "github.com/tr/prodsec_ssc_sbom_go_basic",
"version" : "UNKNOWN",
"cpe" : "cpe:2.3:a:tr:prodsec-ssc-sbom-go-basic:*:*:*:*:*:*:*:*",
"purl" : "pkg:golang/github.com/tr/prodsec_ssc_sbom_go_basic",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-source-entry"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:tr:prodsec_ssc_sbom_go_basic:*:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:architecture",
"value" : "amd64"
}, {
"name" : "syft:metadata:cgoEnabled",
"value" : "true"
}, {
"name" : "syft:metadata:os",
"value" : "linux"
} ]
}, {
"bom-ref" : "pkg:golang/golang.org/x/crypto@v0.33.0?package-id=55c8406773f6827d",
"type" : "library",
"name" : "golang.org/x/crypto",
"version" : "v0.33.0",
"licenses" : [ {
"license" : {
"id" : "BSD-3-Clause"
}
} ],
"cpe" : "cpe:2.3:a:go:ssh:v0.33.0:*:*:*:*:go:*:*",
"purl" : "pkg:golang/golang.org/x/crypto@v0.33.0",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-source-entry"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:architecture",
"value" : "amd64"
}, {
"name" : "syft:metadata:cgoEnabled",
"value" : "true"
}, {
"name" : "syft:metadata:h1Digest",
"value" : "h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus="
}, {
"name" : "syft:metadata:os",
"value" : "linux"
} ]
}, {
"bom-ref" : "pkg:golang/golang.org/x/net@v0.35.0?package-id=c0fbdaf5103f4661",
"type" : "library",
"name" : "golang.org/x/net",
"version" : "v0.35.0",
"licenses" : [ {
"license" : {
"id" : "BSD-3-Clause"
}
} ],
"cpe" : "cpe:2.3:a:golang:networking:v0.35.0:*:*:*:*:go:*:*",
"purl" : "pkg:golang/golang.org/x/net@v0.35.0",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "go-module-file-cataloger"
}, {
"name" : "syft:package:language",
"value" : "go"
}, {
"name" : "syft:package:type",
"value" : "go-module"
}, {
"name" : "syft:package:metadataType",
"value" : "go-source-entry"
}, {
"name" : "syft:location:0:path",
"value" : "/go.mod"
}, {
"name" : "syft:metadata:architecture",
"value" : "amd64"
}, {
"name" : "syft:metadata:cgoEnabled",
"value" : "true"
}, {
"name" : "syft:metadata:h1Digest",
"value" : "h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8="
}, {
"name" : "syft:metadata:os",
"value" : "linux"
} ]
}, {
"bom-ref" : "3fc5a8d3d86e9790",
"type" : "file",
"name" : "/app/go.mod",
"hashes" : [ {
"alg" : "SHA-1",
"content" : "07ede6e3aad3407d9e2ecd7a09fc3e9ef1884856"
}, {
"alg" : "SHA-256",
"content" : "79fbf5bd7b4399adad861cefbd2ac4ea32ca6323c838be83058df9b8cca8e55b"
} ]
} ],
"dependencies" : [ {
"ref" : "pkg:golang/github.com/go-jose/go-jose/v4@v4.0.5?package-id=5070b17f08569400",
"dependsOn" : [ "pkg:golang/golang.org/x/crypto@v0.33.0?package-id=55c8406773f6827d" ]
}, {
"ref" : "pkg:golang/github.com/go-resty/resty/v2@v2.16.5?package-id=a2d42aa905eb0ab7",
"dependsOn" : [ "pkg:golang/golang.org/x/net@v0.35.0?package-id=c0fbdaf5103f4661" ]
} ]
}
The SBOM generated by the cdxgen tool:
{
"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:1b4700fa-7838-46ff-af52-4a26d740d43e",
"version": 1,
"metadata": {
"timestamp": "2026-02-04T08:41:31Z",
"tools": {
"components": [
{
"type": "application",
"author": "Snyk",
"name": "snyk-cli",
"version": "1.1302.1"
}
],
"services": [
{
"provider": {
"name": "Snyk"
},
"name": "SBOM Export API",
"version": "v1.124.4"
}
]
},
"component": {
"bom-ref": "1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0",
"type": "application",
"name": "github.com/tr/prodsec_ssc_sbom_go_basic",
"version": "0.0.0",
"purl": "pkg:golang/github.com/tr/prodsec_ssc_sbom_go_basic@0.0.0"
}
},
"components": [
{
"bom-ref": "2-git.832008.xyz/go-resty/resty/v2@2.16.5",
"type": "library",
"group": "github.com/go-resty/resty",
"name": "github.com/go-resty/resty/v2",
"version": "2.16.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:golang/github.com/go-resty/resty/v2@2.16.5"
},
{
"bom-ref": "3-golang.org/x/net/publicsuffix@0.35.0",
"type": "library",
"group": "golang.org/x/net",
"name": "golang.org/x/net/publicsuffix",
"version": "0.35.0",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:golang/golang.org/x/net/publicsuffix@0.35.0"
},
{
"bom-ref": "4-git.832008.xyz/go-resty/resty/v2/shellescape@2.16.5",
"type": "library",
"group": "github.com/go-resty/resty/v2",
"name": "github.com/go-resty/resty/v2/shellescape",
"version": "2.16.5",
"licenses": [
{
"expression": "MIT"
}
],
"purl": "pkg:golang/github.com/go-resty/resty/v2/shellescape@2.16.5"
},
{
"bom-ref": "5-git.832008.xyz/go-jose/go-jose/v4/jwt@4.0.5",
"type": "library",
"group": "github.com/go-jose/go-jose/v4",
"name": "github.com/go-jose/go-jose/v4/jwt",
"version": "4.0.5",
"purl": "pkg:golang/github.com/go-jose/go-jose/v4/jwt@4.0.5"
},
{
"bom-ref": "6-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5",
"type": "library",
"group": "github.com/go-jose/go-jose/v4",
"name": "github.com/go-jose/go-jose/v4/json",
"version": "4.0.5",
"purl": "pkg:golang/github.com/go-jose/go-jose/v4/json@4.0.5"
},
{
"bom-ref": "7-git.832008.xyz/go-jose/go-jose/v4@4.0.5",
"type": "library",
"group": "github.com/go-jose/go-jose",
"name": "github.com/go-jose/go-jose/v4",
"version": "4.0.5",
"purl": "pkg:golang/github.com/go-jose/go-jose/v4@4.0.5"
},
{
"bom-ref": "8-golang.org/x/crypto/pbkdf2@0.33.0",
"type": "library",
"group": "golang.org/x/crypto",
"name": "golang.org/x/crypto/pbkdf2",
"version": "0.33.0",
"licenses": [
{
"expression": "BSD-3-Clause"
}
],
"purl": "pkg:golang/golang.org/x/crypto/pbkdf2@0.33.0"
},
{
"bom-ref": "9-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5",
"type": "library",
"group": "github.com/go-jose/go-jose/v4",
"name": "github.com/go-jose/go-jose/v4/json",
"version": "4.0.5",
"purl": "pkg:golang/github.com/go-jose/go-jose/v4/json@4.0.5"
},
{
"bom-ref": "10-git.832008.xyz/go-jose/go-jose/v4/cipher@4.0.5",
"type": "library",
"group": "github.com/go-jose/go-jose/v4",
"name": "github.com/go-jose/go-jose/v4/cipher",
"version": "4.0.5",
"purl": "pkg:golang/github.com/go-jose/go-jose/v4/cipher@4.0.5"
}
],
"dependencies": [
{
"ref": "1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0",
"dependsOn": [
"2-git.832008.xyz/go-resty/resty/v2@2.16.5",
"5-git.832008.xyz/go-jose/go-jose/v4/jwt@4.0.5",
"7-git.832008.xyz/go-jose/go-jose/v4@4.0.5"
]
},
{
"ref": "2-git.832008.xyz/go-resty/resty/v2@2.16.5",
"dependsOn": [
"3-golang.org/x/net/publicsuffix@0.35.0",
"4-git.832008.xyz/go-resty/resty/v2/shellescape@2.16.5"
]
},
{
"ref": "3-golang.org/x/net/publicsuffix@0.35.0"
},
{
"ref": "4-git.832008.xyz/go-resty/resty/v2/shellescape@2.16.5"
},
{
"ref": "5-git.832008.xyz/go-jose/go-jose/v4/jwt@4.0.5",
"dependsOn": [
"6-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5",
"7-git.832008.xyz/go-jose/go-jose/v4@4.0.5"
]
},
{
"ref": "6-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5"
},
{
"ref": "7-git.832008.xyz/go-jose/go-jose/v4@4.0.5",
"dependsOn": [
"8-golang.org/x/crypto/pbkdf2@0.33.0",
"9-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5",
"10-git.832008.xyz/go-jose/go-jose/v4/cipher@4.0.5",
"6-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5"
]
},
{
"ref": "8-golang.org/x/crypto/pbkdf2@0.33.0"
},
{
"ref": "9-git.832008.xyz/go-jose/go-jose/v4/json@4.0.5"
},
{
"ref": "10-git.832008.xyz/go-jose/go-jose/v4/cipher@4.0.5"
}
]
}
Steps to reproduce the issue:
Just generate an SBOM with syft in CycloneDX format.
Anything else we need to know?:
Environment:
- Output of syft version: v1.40.0
- OS (e.g: cat /etc/os-release or similar): linux/amd64
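The filtering the issue describes depends on the root component being resolvable in the dependencies section. The script below is an added example (not code from the issue author or from the Syft project) that performs that check and the direct-dependency filter on a CycloneDX JSON document. The function names (`check_root`, `direct_dependencies`, `dependency_graph`) are my own, and the two sample BOMs are constructed, trimmed-down versions of the two documents above that keep only the fields the check reads. When the root has no dependency entry (the Syft shape), the script falls back to a labelled heuristic: library components that nothing else depends on are reported as direct-dependency candidates, and the result is flagged as inexact so a consumer can tell the two cases apart.

```python
import json
import sys
from typing import Dict, List

# Constructed mini-SBOMs (trimmed, not the full documents in the issue) that keep
# only the fields the check needs. SYFT_STYLE mirrors the Syft output: the root
# is a "file" component with a hashed bom-ref and no entry under "dependencies".
# CDXGEN_STYLE mirrors the cdxgen output: the root is an "application" with a
# purl and a dependency entry naming its direct dependencies.
SYFT_STYLE = {
    "metadata": {"component": {"bom-ref": "dffd377ff0dc6059", "type": "file", "name": "/app"}},
    "components": [
        {"bom-ref": "pkg:golang/github.com/go-jose/go-jose/v4@v4.0.5?package-id=5070b17f08569400", "type": "library"},
        {"bom-ref": "pkg:golang/github.com/go-resty/resty/v2@v2.16.5?package-id=a2d42aa905eb0ab7", "type": "library"},
        {"bom-ref": "pkg:golang/golang.org/x/crypto@v0.33.0?package-id=55c8406773f6827d", "type": "library"},
        {"bom-ref": "pkg:golang/golang.org/x/net@v0.35.0?package-id=c0fbdaf5103f4661", "type": "library"},
        {"bom-ref": "3fc5a8d3d86e9790", "type": "file", "name": "/app/go.mod"},
    ],
    "dependencies": [
        {"ref": "pkg:golang/github.com/go-jose/go-jose/v4@v4.0.5?package-id=5070b17f08569400",
         "dependsOn": ["pkg:golang/golang.org/x/crypto@v0.33.0?package-id=55c8406773f6827d"]},
        {"ref": "pkg:golang/github.com/go-resty/resty/v2@v2.16.5?package-id=a2d42aa905eb0ab7",
         "dependsOn": ["pkg:golang/golang.org/x/net@v0.35.0?package-id=c0fbdaf5103f4661"]},
    ],
}

CDXGEN_STYLE = {
    "metadata": {"component": {
        "bom-ref": "1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0",
        "type": "application",
        "purl": "pkg:golang/github.com/tr/prodsec_ssc_sbom_go_basic@0.0.0"}},
    "components": [
        {"bom-ref": "2-git.832008.xyz/go-resty/resty/v2@2.16.5", "type": "library"},
        {"bom-ref": "3-golang.org/x/net/publicsuffix@0.35.0", "type": "library"},
        {"bom-ref": "5-git.832008.xyz/go-jose/go-jose/v4/jwt@4.0.5", "type": "library"},
        {"bom-ref": "7-git.832008.xyz/go-jose/go-jose/v4@4.0.5", "type": "library"},
    ],
    "dependencies": [
        {"ref": "1-git.832008.xyz/tr/prodsec_ssc_sbom_go_basic@0.0.0",
         "dependsOn": ["2-git.832008.xyz/go-resty/resty/v2@2.16.5",
                       "5-git.832008.xyz/go-jose/go-jose/v4/jwt@4.0.5",
                       "7-git.832008.xyz/go-jose/go-jose/v4@4.0.5"]},
        {"ref": "2-git.832008.xyz/go-resty/resty/v2@2.16.5",
         "dependsOn": ["3-golang.org/x/net/publicsuffix@0.35.0"]},
    ],
}


def dependency_graph(bom: dict) -> Dict[str, List[str]]:
    """Map each 'ref' in the dependencies section to its dependsOn list."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def check_root(bom: dict) -> List[str]:
    """Return the reasons the root component cannot anchor a direct-dependency filter."""
    root = bom.get("metadata", {}).get("component", {})
    problems = []
    if root.get("type") != "application":
        problems.append(f"root type is {root.get('type')!r}, expected 'application'")
    if not root.get("purl"):
        problems.append("root has no purl")
    if root.get("bom-ref") not in dependency_graph(bom):
        problems.append("root has no entry in the dependencies section")
    return problems


def direct_dependencies(bom: dict) -> dict:
    """Direct dependencies of the root component.

    With a root entry in the dependencies graph the answer is exact. Without one
    (the Syft shape) fall back to a heuristic: library components that no other
    component depends on are the candidate direct dependencies. The result says
    which path produced it so a consumer can treat the heuristic differently
    from authoritative data.
    """
    root = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    graph = dependency_graph(bom)
    if root in graph:
        return {"refs": sorted(graph[root]), "exact": True}
    depended_on = {child for children in graph.values() for child in children}
    candidates = [c["bom-ref"] for c in bom.get("components", [])
                  if c.get("type") == "library" and c["bom-ref"] not in depended_on]
    return {"refs": sorted(candidates), "exact": False}


if __name__ == "__main__":
    # Usage: python direct_deps.py [bom.json]; with no argument the two samples run.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            boms = [json.load(fh)]
    else:
        boms = [SYFT_STYLE, CDXGEN_STYLE]
    for bom in boms:
        print("root problems:", check_root(bom) or "none")
        print("direct deps:", direct_dependencies(bom))
```

On the Syft-shaped document `check_root` reports all three problems the issue raises (root typed as a file, no purl, no dependency entry) and the fallback lists go-jose and go-resty as candidates; on the cdxgen-shaped document the root entry is found and the three direct dependencies come straight from the graph. The heuristic is deliberately flagged as inexact: a component that nothing depends on may also be an unused module listed in go.mod, so it should not be fed into policy decisions as if it were authoritative.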