What happened:
I am not seeing dependencies information on CycloneDX format json files even though they are present in other formats:

SPDX file snippet:

   "relationships": [
        {
            "comment": "evident-by: indicates the package's existence is evident by the given file",
            "relatedSpdxElement": "SPDXRef-File--Install-LMFIN-10010154-001574.jar-39b2fbb066459eaa",
            "relationshipType": "OTHER",
            "spdxElementId": "SPDXRef-Package-java-archive-org.eclipse.osgi-0988631922bb71dc"
        },
        {
            "comment": "evident-by: indicates the package's existence is evident by the given file",
            "relatedSpdxElement": "SPDXRef-File--Install-LMFIN-10010154-001574.jar-39b2fbb066459eaa",
            "relationshipType": "OTHER",
            "spdxElementId": "SPDXRef-Package-java-archive-org.eclipse.equinox.http.servletbridge-1.0.100.v20090520-0fa41529ebc92c19"
        },
        {
            "relatedSpdxElement": "SPDXRef-Package-java-archive-defaultHelp-25eed61145441535",
            "relationshipType": "CONTAINS",
            "spdxElementId": "SPDXRef-DocumentRoot-File-Install-LMFIN-10010154-001574.jar"
        },
        {
            "relatedSpdxElement": "SPDXRef-Package-java-archive-el-4ab927d37eec02be",
            "relationshipType": "CONTAINS",
            "spdxElementId": "SPDXRef-DocumentRoot-File-Install-LMFIN-10010154-001574.jar"
        },

What you expected to happen:
Dependencies should appear in the Cyclonedx format json file similar to SPDX and Syft json files.

Steps to reproduce the issue:
I tried generating SBOM file in CycloneDX format and noticed that no dependencies are included in the sbom file. But then I tried generating an SBOM in Syft json and SPDX json formats and see that relationships / dependencies information are present. I tried converting the SBOM to CycloneDX format and no dependencies information are included in the output.

Anything else we need to know?:
N/A

Environment:

• Output of syft version:
  Application: syft
  Version: 1.2.0
  BuildDate: 2024-04-12T18:31:58Z
  GitCommit: dde5d34
  GitDescription: v1.2.0
  Platform: windows/amd64
  GoVersion: go1.21.9
  Compiler: gc

• OS (e.g: cat /etc/os-release or similar):
  Windows 11 Enterprise

Thanks @haiazuki for the report! We will take a look. This issue is possibly related to: #2353 and #2305

Dev notes: there are some format limitations in CycloneDX that prevent us from representing every relationship that we handle in other formats like SPDX, so there will always be some functionality differences between the various formats. We could probably encode CONTAINS and DEPENDS-ON relationships in CycloneDX, though. The challenge encoding the CONTAINS relationship is that it requires nesting components in CycloneDX which we aren't currently doing--it wouldn't be expressible in the dependency relationships.

@haiazuki, if you are able, can you share a bit more about your use case and needs here? Are you looking for a source code dependency tree or something similar? More details might be helpful for us to look into this. Thanks!

Hi @tgerla ,
I checked the specifications of SPDX compare with CycloneDX so I understand what you are saying. From a CycloneDX perspective, it tracks dependency relationships so DEPENDS-ON seem to be the priority.
In the product I am testing with, I have an installer in a jar package that I used as the target source to generate the sbom. This contains other jar files and also a war file that contains other jar file packages. So I was looking for entries that reflect the relationship of these packages similar to what is in default json and spdx json.

Thank you!