Bomber is not finding packages in a SBOM file that has been converted using the CycloneDX Convert function

The problem I am having is that bomber does NOT find any packages in a SBOM that has been converted by the cyclonedx-node covert process.  The SBOM is generated from a javascript application.

To recreate for testing:
Create a CycloneDX SBOM in JSON format:
``` cyclonedx-node --output bomber-test.json ```

If we scan that SBOM with Bomber, it works:
![Screenshot 2023-08-03 at 2 12 31 pm](https://github.com/devops-kung-fu/bomber/assets/7798480/c46dfdb1-d5e8-4dba-bef6-c871950330c2)

Now convert that CycloneDX SBOM to SPDX using the cyclonedx convert function:
``` cat ./bomber-test.json | cyclonedx convert --input-format json --output-format spdxjson > ./converted-to-spdx.json ```

Now that you have a freshly converted SPDX format SBOM, run Bomber against it:
``` bomber scan ./converted-to-spdx.json ```

Unfortunately, Bomber doesn't find any packages even thought there are many components listed in the converted SBOM:
![Screenshot 2023-08-02 at 3 49 11 pm](https://github.com/devops-kung-fu/bomber/assets/7798480/0ec9ad46-4af2-436f-990a-9e3f3f6efdb5)

I'm attaching all files here so you can inspect them.
[bomber-files.zip](https://github.com/devops-kung-fu/bomber/files/12236510/bomber-files.zip)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Bomber is not finding packages in a SBOM file that has been converted using the CycloneDX Convert function #171

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Bomber is not finding packages in a SBOM file that has been converted using the CycloneDX Convert function #171

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions