Open
When creating an SBOM file with the docker scout sbom --format cyclonedx ... command, I noticed that a component links its own file (.dll) as a subcomponent.
Example of a component:
{
  "bom-ref": "package-pkg-nuget-System.Collections-8.0.1124.51707",
  "type": "application",
  "supplier": {
    "name": "Microsoft Corporation"
  },
  "name": "System.Collections",
  "version": "8.0.1124.51707",
  "purl": "pkg:nuget/System.Collections@8.0.1124.51707",
  "components": [
    {
      "bom-ref": "File---usr-share-dotnet-shared-Microsoft.NETCore.App-8.0.11-System.Collections.dll",
      "type": "file",
      "name": "/usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/System.Collections.dll"
    }
  ]
}
In the end there exist two components: one is the file without further information such as a version number, and the other is the actual component with all the necessary information.
In my opinion the file shouldn't be a component itself or a subcomponent (see the CycloneDX docs: https://cyclonedx.org/docs/1.6/json/#components_items_components).
If you have any questions, I'm happy to help.
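The following script is an added example written for this page; it is not part of the issue, of Docker Scout, or of the CycloneDX project. It shows how a consumer of such an SBOM can detect the shape the report describes (a package component nesting its own .dll as a "file" subcomponent, plus a standalone "file" component with no version or purl) and normalise it before feeding the document into vulnerability matching, where unversioned entries produce noise or silent misses. The SBOM fragment embedded below is constructed for the example, using the component from the report plus an invented libc6 entry as a control; the function names are the example's own.

```python
import copy
import json

# Constructed sample CycloneDX 1.6 document (not the issue's full SBOM).
# It reproduces the reported shape: a nuget component whose own .dll appears
# as a nested "file" subcomponent, plus a top-level "file" component that
# carries neither a version nor a purl. The libc6 entry is invented as a
# well-formed control case.
SAMPLE_BOM = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "bom-ref": "package-pkg-nuget-System.Collections-8.0.1124.51707",
      "type": "application",
      "supplier": {"name": "Microsoft Corporation"},
      "name": "System.Collections",
      "version": "8.0.1124.51707",
      "purl": "pkg:nuget/System.Collections@8.0.1124.51707",
      "components": [
        {
          "bom-ref": "File---usr-share-dotnet-shared-Microsoft.NETCore.App-8.0.11-System.Collections.dll",
          "type": "file",
          "name": "/usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/System.Collections.dll"
        }
      ]
    },
    {
      "bom-ref": "File---usr-share-dotnet-shared-Microsoft.NETCore.App-8.0.11-System.Collections.dll",
      "type": "file",
      "name": "/usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.11/System.Collections.dll"
    },
    {
      "bom-ref": "package-pkg-deb-libc6-2.36-9",
      "type": "library",
      "name": "libc6",
      "version": "2.36-9",
      "purl": "pkg:deb/debian/libc6@2.36-9"
    }
  ]
}
''')


def walk_components(components, parent=None):
    """Yield (parent, component) pairs for every component, depth first.

    CycloneDX allows components to nest arbitrarily via their own
    "components" array, so a flat scan of the top level is not enough.
    """
    for comp in components or []:
        yield parent, comp
        yield from walk_components(comp.get("components"), comp)


def find_file_subcomponents(bom):
    """Return (parent bom-ref, file name) for every nested type="file" component."""
    hits = []
    for parent, comp in walk_components(bom.get("components")):
        if parent is not None and comp.get("type") == "file":
            hits.append((parent.get("bom-ref"), comp.get("name")))
    return hits


def find_unversioned_file_components(bom):
    """Return names of type="file" components that have neither version nor purl.

    These cannot be matched against any vulnerability database, so a scanner
    either ignores them or, worse, reports the image as clean for that file.
    """
    return [
        comp.get("name")
        for _, comp in walk_components(bom.get("components"))
        if comp.get("type") == "file"
        and not comp.get("version")
        and not comp.get("purl")
    ]


def drop_file_subcomponents(bom):
    """Return a deep copy of the BOM with nested type="file" components removed.

    The top-level components are left untouched; only the redundant file
    entries nested under a package are pruned, which is the consumer-side
    workaround for the behaviour described in the report.
    """
    cleaned = copy.deepcopy(bom)

    def prune(components):
        for comp in components or []:
            if "components" in comp:
                comp["components"] = [
                    c for c in comp["components"] if c.get("type") != "file"
                ]
                prune(comp["components"])

    prune(cleaned.get("components"))
    return cleaned


if __name__ == "__main__":
    for parent_ref, path in find_file_subcomponents(SAMPLE_BOM):
        print(f"file subcomponent {path} nested under {parent_ref}")
    for name in find_unversioned_file_components(SAMPLE_BOM):
        print(f"file component without version/purl: {name}")
    print(json.dumps(drop_file_subcomponents(SAMPLE_BOM), indent=2))
```

Run against a real `docker scout sbom --format cyclonedx` output by replacing SAMPLE_BOM with `json.load(open(path))`; the walker handles any nesting depth, so it also catches file subcomponents under library or framework components, not only the "application" case shown in the report.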