Syft generates different CycloneDX SBOMs from conan.lock depending on operating system #4242
Description
What happened:
Different CycloneDX SBOMs are generated from the same conan.lock file depending on the used operating system windows/linux.
- Windows generated SBOM does not contain "conan.lock" component in the component list
- Linux generated SBOM contains "conan.lock" component in component list.
What you expected to happen:
Both, Linux and Windows generated SBOMs should not contain "conan.lock" component in component list
Steps to reproduce the issue:
- Use conan.lock file (rename it to conan.lock first)
- Run the command on windows and on linux:
syft conan.lock --output --cyclonedx-xml=sbom.xml - Results:
- Linux: linux-sbom.xml
- Windows: windows-sbom.xml
Anything else we need to know?:
Environment:
-
Output of
syft version:- Windows:
- Application: syft
- Version: 1.33.0
- BuildDate: 2025-09-15T20:38:16Z
- GitCommit: b87b919
- GitDescription: v1.33.0
- Platform: windows/amd64
- GoVersion: go1.24.7
- Compiler: gc
- SchemaVersion: 16.0.39
- Linux:
- Application: syft
- Version: 1.33.0
- BuildDate: 2025-09-15T20:38:16Z
- GitCommit: b87b919
- GitDescription: v1.33.0
- Platform: linux/amd64
- GoVersion: go1.24.7
- Compiler: gc
- SchemaVersion: 16.0.39
- Windows:
-
OS (e.g:
cat /etc/os-releaseor similar):- windows/amd64
- linux/amd64