Grype doesn't match u-boot in SBOM if type is set to firmware

[SebastianKonplan]

What happened: If a SBOM is passed with the component u-boot there is no match if the component type is set to firmware. If I change the type to application then the component is matched as expected.

What you expected to happen: Match independent from the type.

How to reproduce it (as minimally and precisely as [possible): grype sbom:u-boot.json

Environment:

• Output of grype version:
  Application: grype
  Version: 0.89.1
  BuildDate: 2025-03-13T20:22:27Z
  GitCommit: 718ea30
  GitDescription: v0.89.1
  Platform: linux/amd64
  GoVersion: go1.24.1
  Compiler: gc
  Syft Version: v1.20.0
  Supported DB Schema: 6

• OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04.5 LTS

[SebastianKonplan]

u-boot.json

[kzantow]

Hey @SebastianKonplan, you are right, we currently are not importing firmware component types, e.g.

    {
      "bom-ref": "BomRef.7796056807905384.7566279929523666",
       ...
      "type": "firmware",
    }

You can see the decoding function here. We could probably make this more lenient to include firmware, I've added this to our weekly livestream to discuss.

[kzantow]

It looks like we should just need to add firmware, this is ready for anyone to work on; see the link above for the section of code that needs a change and please add a test if someone is able to get to this before us.