What happened:
I have an SBOM in CycloneDX format. It contains the field metadata.component.version. When I call Grype to analyse this SBOM and output the result as CycloneDX, every single field of the original SBOM is included in the resulting document, except for metadata.component.version. (Timestamp and serial number are different, of course)
What you expected to happen:
I would have expected for no field to vanish.
How to reproduce it (as minimally and precisely as possible):
Go to your favourite repo.
Generate an SBOM with a component version:
(Use a formatter for nice JSON output to see that the field is present)
Scan for vulnerabilities:
The field is missing.
Anything else we need to know?:
If this is indeed a bug and not a design choice, I am willing to attempt to take care of it. I will need some pointers though, because I have no clue where to start.
Environment:
grype version:
cat /etc/os-release (or similar):
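A check for the field loss reported above, as an added example that is not part of the original issue or of Grype's code: it compares a CycloneDX JSON SBOM with a re-emitted copy and lists leaf fields that vanished or changed, ignoring the timestamp and serial number. Both documents are constructed samples, and the function names are hypothetical.

```python
import json

# Constructed sample documents (not taken from the issue): a minimal CycloneDX
# SBOM and a re-emitted copy in which metadata.component.version is absent.
ORIGINAL = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
  "metadata": {"timestamp": "2023-01-01T00:00:00Z",
               "component": {"type": "file", "name": "demo-repo", "version": "1.2.3"}},
  "components": [{"bom-ref": "pkg-a", "type": "library", "name": "a", "version": "0.1.0"}]
}""")
REEMITTED = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000002",
  "metadata": {"timestamp": "2023-01-02T00:00:00Z",
               "component": {"type": "file", "name": "demo-repo"}},
  "components": [{"bom-ref": "pkg-a", "type": "library", "name": "a", "version": "0.1.0"}],
  "vulnerabilities": []
}""")

# Fields expected to differ between runs, per the report.
VOLATILE = {"serialNumber", "metadata.timestamp"}

def flatten(node, prefix=""):
    """Map every leaf to a dotted path; list items are keyed by bom-ref when present."""
    out = {}
    if isinstance(node, dict):
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            ref = item.get("bom-ref", i) if isinstance(item, dict) else i
            out.update(flatten(item, f"{prefix}[{ref}]"))
    else:
        out[prefix] = node
    return out

def lost_fields(original, reemitted):
    """Return (missing, changed) leaf paths, ignoring the volatile ones."""
    before, after = flatten(original), flatten(reemitted)
    missing = sorted(p for p in before if p not in after and p not in VOLATILE)
    changed = sorted(p for p in before
                     if p in after and before[p] != after[p] and p not in VOLATILE)
    return missing, changed

if __name__ == "__main__":
    missing, changed = lost_fields(ORIGINAL, REEMITTED)
    print("missing:", missing)
    print("changed:", changed)
```

Run in CI against the input SBOM and the scanner's CycloneDX output, a non-empty `missing` list flags provenance fields that were silently dropped before the report is archived.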