Open
Labels: bug (Something isn't working)
Description
What happened:
On mac, install an app using brew, e.g. brew install slack, then run syft on the .app, which is a directory. It finds a bunch of executables, but they are not included in the SBOM.
When I do the same on a directory containing Windows dlls, they are included in the SBOM.
What you expected to happen:
dylibs are found, identified and included in the SBOM, with the version extracted from the dylib.
Steps to reproduce the issue:
% brew install slack
% syft scan -o cyclonedx-xml dir:/opt/homebrew/Caskroom/slack/4.44.65/Slack.app
✔ Indexed file system /Applications/Slack.app
✔ Cataloged contents c277e6771e111c3b7fc6cbc710157569b758ec0065fb7198cfdc218b893af532
├── ✔ Packages [0 packages]
└── ✔ Executables [26 executables]
[0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal)
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:ccfc0891-5659-402e-bb84-15323c9ebe77" version="1"><metadata><timestamp>2025-06-14T08:21:54+08:00</timestamp><tools><components><component type="application"><author>anchore</author><name>syft</name><version>1.27.1</version></component></components></tools><component bom-ref="27a9a9a5333205ac" type="file"><name>/opt/homebrew/Caskroom/slack/4.44.65/Slack.app</name></component></metadata></bom>
In the Frameworks, there are obvious sub-components, and shared libraries that are dependencies of the .app:
Slack.app % cd Contents/Frameworks/
Frameworks % % ls -1
Electron Framework.framework
Mantle.framework
ReactiveObjC.framework
Slack Helper (GPU).app
Slack Helper (Plugin).app
Slack Helper (Renderer).app
Slack Helper.app
Squirrel.framework
% find Electron\ Framework.framework/Versions/Current/Libraries
Electron Framework.framework/Versions/Current/Libraries
Electron Framework.framework/Versions/Current/Libraries/libEGL.dylib
Electron Framework.framework/Versions/Current/Libraries/vk_swiftshader_icd.json
Electron Framework.framework/Versions/Current/Libraries/libvk_swiftshader.dylib
Electron Framework.framework/Versions/Current/Libraries/libGLESv2.dylib
Electron Framework.framework/Versions/Current/Libraries/libffmpeg.dylib
Frameworks % otool -L "Electron Framework.framework/Versions/Current/Libraries/libEGL.dylib"
Electron Framework.framework/Versions/Current/Libraries/libEGL.dylib:
./libEGL.dylib (compatibility version 0.0.0, current version 0.0.0)
/System/Library/Frameworks/Metal.framework/Versions/A/Metal (compatibility version 1.0.0, current version 367.6.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 3208.0.0)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 3208.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1351.0.0)
Anything else we need to know?:
Environment:
- Output of syft version:
% syft version
Application: syft
Version: 1.27.1
BuildDate: 2025-06-11T21:00:55Z
GitCommit: Homebrew
GitDescription: [not provided]
Platform: darwin/arm64
GoVersion: go1.24.4
Compiler: gc
SchemaVersion: 16.0.34
- OS (e.g: cat /etc/os-release or similar):
% uname -v
Darwin Kernel Version 24.5.0: Tue Apr 22 19:53:27 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6041
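The version numbers that otool -L prints in the report above come from the Mach-O LC_ID_DYLIB and LC_LOAD_DYLIB load commands. The following is an added example, not syft's own code and not part of the original report, showing how a cataloger could read them with Go's debug/macho. The names DylibRef, DylibRefs, kinds and constructedDylib are hypothetical, the sample image is constructed, and only thin (single-architecture) files are handled.

```go
package main

import (
	"bytes"
	"debug/macho"
	"encoding/binary"
	"fmt"
)

type DylibRef struct{ Kind, Name, Current, Compat string } // Kind is "id" or "load"
var kinds = map[uint32]string{0xc: "load", 0xd: "id"}       // LC_LOAD_DYLIB, LC_ID_DYLIB

// ver decodes Mach-O's packed X.Y.Z version (16.8.8 bits), the form otool -L prints.
func ver(v uint32) string { return fmt.Sprintf("%d.%d.%d", v>>16, v>>8&0xff, v&0xff) }

// DylibRefs lists the identity and dependency records of a thin Mach-O image held in memory.
func DylibRefs(image []byte) ([]DylibRef, error) {
	f, err := macho.NewFile(bytes.NewReader(image))
	if err != nil {
		return nil, err
	}
	var refs []DylibRef
	for _, l := range f.Loads {
		raw, bo := l.Raw(), f.ByteOrder
		if len(raw) < 24 || kinds[bo.Uint32(raw)] == "" {
			continue // not a dylib_command: cmd, cmdsize, name offset, timestamp, current, compat
		}
		off := bo.Uint32(raw[8:]) // offset of the NUL-terminated install name inside the command
		if off < 24 || int(off) >= len(raw) {
			continue // malformed name offset, skip instead of reading out of bounds
		}
		name, _, _ := bytes.Cut(raw[off:], []byte{0})
		refs = append(refs, DylibRef{kinds[bo.Uint32(raw)], string(name), ver(bo.Uint32(raw[16:])), ver(bo.Uint32(raw[20:]))})
	}
	return refs, nil
}

// constructedDylib builds a minimal arm64 MH_DYLIB image with one load command (test data, not a real library).
func constructedDylib(cmd uint32, name string, current, compat uint32) []byte {
	n := append([]byte(name), make([]byte, 8-len(name)%8)...) // NUL-terminate and pad to 8 bytes
	size := uint32(24 + len(n))
	b := new(bytes.Buffer)
	binary.Write(b, binary.LittleEndian, []uint32{0xfeedfacf, 0x0100000c, 0, 6, 1, size, 0, 0, cmd, size, 24, 0, current, compat})
	return append(b.Bytes(), n...)
}

func main() {
	fmt.Println(DylibRefs(constructedDylib(0xd, "./libEGL.dylib", 0, 0)))
}
```

A universal (fat) binary has to be split into its per-architecture slices first, for example with macho.NewFatFile, before each slice is parsed this way.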
Status: Backlog