
syft doesn't take advantage of the manifest files present in Snap packages when generating SBOMs #4147

@5TEV3-C

Description


What happened:

Tried to produce an SBOM of the core20 revision 2379 Base snap using syft. The SBOM didn't include the package names and versions which are listed in the manifest files (e.g. dpkg.yaml / dpkg.list).

What you expected to happen:

The SBOM included all the package names and versions present/used to create the snap (listed in the dpkg.yaml/.list). This is also the case for the other types of Snaps (kernel, system, gadget and snapd).

Steps to reproduce the issue:

  1. snap download core20 --revision 2379
  2. syft scan core20_2379.snap -o spdx-json=core20_2379.snap.syft.spdx.json
  3. unsquashfs -d core20_2379 core20_2379.snap usr/share/snappy/dpkg.yaml
  4. Compare the package "name" and "versionInfo" fields in the SBOM to the dpkg.yaml

Anything else we need to know?:

The type of Snap can be determined from the meta/snap.yaml "type:" field. The Snap type determines where to get the manifest / package info used to build the Snap.

  1. base: /usr/share/snappy/dpkg.yaml, dpkg.list
  2. kernel: version in /doc/linux-modules-*/changelog.Debian.gz ; and extract initrd/main/usr/share/doc/dpkg.yaml from the initrd.img
  3. system and gadget: snap/manifest.yaml: "primed-stage-packages:"
  4. snapd: snap/snapcraft.yaml

Environment:

  • Output of syft version: syft 1.31.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22.04
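The check the reporter describes by hand in steps 3 and 4, and the type-to-manifest mapping under "Anything else we need to know?", as an added example that is not part of the issue and not syft's code. It reads the `type:` field from meta/snap.yaml, looks up where that snap type keeps its package manifest, parses the `name=version` list (the `packages:` list in dpkg.yaml and the `primed-stage-packages:` list in snap/manifest.yaml are assumed to have that shape), and diffs it against the `name`/`versionInfo` pairs of an SPDX JSON document. All inputs are constructed inline; the `dpkg.yaml` contents, the SPDX document, and the names `snap_type`, `parse_packages` and `missing_from_sbom` are assumptions of this example. The snapd case is left out because snap/snapcraft.yaml nests its package lists under parts and needs a real YAML parser.

```python
"""Compare a snap's build manifest against the packages listed in an SPDX SBOM.

Standard library only: the manifest formats handled here are simple enough
for a line-oriented parser, so PyYAML is not required.
"""
import re

# --- Constructed sample inputs (not real artifacts from the issue) ---------

# meta/snap.yaml of a base snap; only the "type:" line matters here.
SNAP_YAML_BASE = "name: core20\nversion: '20240911'\ntype: base\narchitectures:\n- amd64\n"

# usr/share/snappy/dpkg.yaml; assumed format: a "packages:" list of name=version.
DPKG_YAML = """packages:
- adduser=3.118ubuntu2
- apt=2.0.10
- base-files=11ubuntu5.8
- libc6=2.31-0ubuntu9.16
"""

# snap/manifest.yaml of a gadget snap; assumed "primed-stage-packages:" list.
SNAPCRAFT_MANIFEST = """name: pc
type: gadget
primed-stage-packages:
- grub-efi-amd64-signed=1.187.6+2.06-2ubuntu14.4
- shim-signed=1.51.3+15.7-0ubuntu1
"""

# Minimal SPDX JSON as syft would emit it (only the fields compared here).
# "apt" is present with the wrong version; base-files and libc6 are absent.
SPDX_DOC = {
    "packages": [
        {"name": "core20_2379.snap", "versionInfo": ""},
        {"name": "adduser", "versionInfo": "3.118ubuntu2"},
        {"name": "apt", "versionInfo": "2.0.9"},
    ]
}

# Where each snap type keeps its manifest, per the issue text. Paths are
# relative to the unsquashed snap root; the kernel initrd entry must first be
# extracted from initrd.img. Key = the YAML list holding name=version entries.
MANIFEST_LOCATIONS = {
    "base":   [("usr/share/snappy/dpkg.yaml", "packages")],
    "kernel": [("initrd/main/usr/share/doc/dpkg.yaml", "packages")],
    "system": [("snap/manifest.yaml", "primed-stage-packages")],
    "gadget": [("snap/manifest.yaml", "primed-stage-packages")],
    "snapd":  [("snap/snapcraft.yaml", None)],  # needs a full YAML parser
}


def snap_type(snap_yaml_text):
    """Return the 'type:' value from meta/snap.yaml; snapd treats a missing type as 'app'."""
    m = re.search(r"^type:\s*['\"]?([A-Za-z]+)['\"]?\s*$", snap_yaml_text, re.M)
    return m.group(1) if m else "app"


def yaml_list(text, key):
    """Collect the '- item' entries directly under a top-level 'key:' line."""
    items, in_block = [], False
    for line in text.splitlines():
        if not in_block:
            in_block = re.match(rf"^{re.escape(key)}:\s*$", line) is not None
            continue
        m = re.match(r"^\s*-\s+(.+?)\s*$", line)
        if m:
            items.append(m.group(1))
        elif line.strip():          # first non-item, non-blank line ends the list
            break
    return items


def parse_packages(text, key="packages"):
    """Map package name -> version from a 'name=version' list (version None if absent)."""
    pkgs = {}
    for item in yaml_list(text, key):
        name, _, version = item.partition("=")
        pkgs[name.strip()] = version.strip() or None
    return pkgs


def sbom_pairs(spdx_doc):
    """(name, versionInfo) pairs of every package in an SPDX JSON document."""
    return {(p.get("name"), p.get("versionInfo", "")) for p in spdx_doc.get("packages", [])}


def missing_from_sbom(manifest, spdx_doc):
    """Manifest entries not matched by name AND version in the SBOM, with a reason."""
    present = sbom_pairs(spdx_doc)
    names = {n for n, _ in present}
    missing = []
    for name, version in sorted(manifest.items()):
        if (name, version) in present:
            continue
        missing.append((name, version, "version mismatch" if name in names else "absent"))
    return missing


if __name__ == "__main__":
    kind = snap_type(SNAP_YAML_BASE)
    for path, key in MANIFEST_LOCATIONS[kind]:
        print(f"{kind} snap: manifest at {path} (list key: {key})")
    for name, version, why in missing_from_sbom(parse_packages(DPKG_YAML), SPDX_DOC):
        print(f"  not in SBOM: {name}={version} ({why})")
```

Run against a real unsquashed snap, the sample strings would be replaced by the file contents at the listed paths and the SPDX document by `json.load()` of syft's output; a non-empty result is exactly the gap the issue reports.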

Metadata

Labels: bug (Something isn't working)
Status: Done