Status: Open
Labels: bug (Something isn't working), good-first-issue (Good for newcomers)
Description
`case cyclonedx.ComponentTypeOS:`
What happened:
As described here, when scanning a CycloneDX SBOM containing a component of `"type": "operating-system"`, it is not considered a package and is therefore skipped in vulnerability scanning.
What you expected to happen:
An OS component should be seen as a package and should be scanned similarly to a package of `"type": "application"`.
Steps to reproduce the issue:
Scanning the following SBOM using Grype should report some vulnerabilities, but the output is `INFO found 0 vulnerability matches across 0 packages`.
Using `"type": "application"` works fine, but we have an OS here.
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-11-10T10:00:00Z",
    "component": {
      "type": "device",
      "bom-ref": "nexo-nutrunner",
      "manufacturer": {
        "name": "Bosch Rexroth AG"
      },
      "name": "Rexroth Nexo cordless nutrunner",
      "version": "NXA011S-36V",
      "cpe": "cpe:2.3:h:bosch:nexo_cordless_nutrunner_nxa011s-36v_(0608842011):-:*:*:*:*:*:*:*"
    }
  },
  "components": [
    {
      "type": "operating-system",
      "bom-ref": "nexo-application",
      "name": "NEXO-OS",
      "version": "V1500-SP2",
      "cpe": "cpe:2.3:o:bosch:nexo-os:v1500-SP2:*:*:*:*:*:*:*"
    }
  ]
}
```
Anything else we need to know?:
Refer to this conversation.
Environment:
- Output of `syft version`: 1.19.0
- OS: Windows 11, amd64
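The mechanism behind the report is a type allowlist: a decoder only turns CycloneDX components of certain types into packages, so an `operating-system` component never reaches the matcher and the scan ends with "0 packages". The following Go program is an added illustration of that behaviour and is not syft's or grype's code. It decodes a CycloneDX JSON BOM with only the standard library, filters components through two illustrative allowlists (`CurrentPackageTypes`, which omits `operating-system`, and `ProposedPackageTypes`, which includes it; both are assumptions, not the project's real lists), and also reports which bom-refs were dropped so a silent skip becomes visible. The embedded BOM is constructed for the example: the OS component from the issue plus a hypothetical `application` component for comparison.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// component is the subset of a CycloneDX 1.6 component needed to decide
// whether it becomes a package handed to vulnerability matching.
type component struct {
	Type    string `json:"type"`
	BOMRef  string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
	CPE     string `json:"cpe,omitempty"`
}

// bom is a minimal view of a CycloneDX JSON document.
type bom struct {
	BOMFormat  string      `json:"bomFormat"`
	Components []component `json:"components"`
}

// sampleBOM is constructed for this example: the operating-system component
// from the issue plus a hypothetical "application" component for comparison.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "operating-system",
      "bom-ref": "nexo-application",
      "name": "NEXO-OS",
      "version": "V1500-SP2",
      "cpe": "cpe:2.3:o:bosch:nexo-os:v1500-SP2:*:*:*:*:*:*:*"
    },
    {
      "type": "application",
      "bom-ref": "example-app",
      "name": "example-app",
      "version": "1.0.0"
    }
  ]
}`

// CurrentPackageTypes and ProposedPackageTypes are illustrative allowlists,
// not the project's real ones: the first models a decoder that only turns
// application-like types into packages, the second adds operating-system.
var CurrentPackageTypes = map[string]bool{
	"application": true,
	"library":     true,
	"framework":   true,
}

var ProposedPackageTypes = map[string]bool{
	"application":      true,
	"library":          true,
	"framework":        true,
	"operating-system": true,
}

// PackagesFrom decodes a CycloneDX JSON BOM and returns the components whose
// type is in allowed; every other component is dropped, exactly as a type
// switch without a case for it would drop it.
func PackagesFrom(raw []byte, allowed map[string]bool) ([]component, error) {
	var doc bom
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decode bom: %w", err)
	}
	if doc.BOMFormat != "CycloneDX" {
		return nil, fmt.Errorf("unexpected bomFormat %q", doc.BOMFormat)
	}
	var pkgs []component
	for _, c := range doc.Components {
		if c.Name == "" || !allowed[c.Type] {
			continue
		}
		pkgs = append(pkgs, c)
	}
	return pkgs, nil
}

// Skipped returns the bom-refs of components that were not turned into
// packages, which is what an operator would want logged instead of a
// silent "0 packages".
func Skipped(raw []byte, allowed map[string]bool) ([]string, error) {
	var doc bom
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("decode bom: %w", err)
	}
	var refs []string
	for _, c := range doc.Components {
		if !allowed[c.Type] {
			refs = append(refs, c.BOMRef)
		}
	}
	return refs, nil
}

func main() {
	runs := []struct {
		name    string
		allowed map[string]bool
	}{{"current", CurrentPackageTypes}, {"proposed", ProposedPackageTypes}}
	for _, r := range runs {
		pkgs, err := PackagesFrom([]byte(sampleBOM), r.allowed)
		if err != nil {
			panic(err)
		}
		skipped, _ := Skipped([]byte(sampleBOM), r.allowed)
		fmt.Printf("%s: %d packages to match, skipped %v\n", r.name, len(pkgs), skipped)
		for _, p := range pkgs {
			fmt.Printf("  %s %s (%s) cpe=%s\n", p.Name, p.Version, p.Type, p.CPE)
		}
	}
}
```

Run with `go run .`: under the current-style allowlist only the application component is matched and `nexo-application` is listed as skipped; under the proposed allowlist both components are matched and the OS component keeps its CPE, which is the attribute a CPE-based matcher would use.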