Assuming I use another tool than Syft for more accurate SBOM generation during the build of my application (fewer hidden dependencies, and deeper scanning of licences and libs), if the SBOM (JSON SPDX for example) is present in the docker image or the filesystem, is it possible for Syft to parse it and merge it in the final report?
Hello, @gillg!
Yes! There is an `sbom-cataloger`, but this is disabled by default. You can enable it using `syft --select-catalogers +sbom-cataloger`. This will also continue to run all the other catalogers; there are some other options to adjust which catalogers run.
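As an added illustration of the workflow described above (this is example code, not syft's own code and not part of the issue thread): the external tool's output is a plain SPDX 2.x JSON file sitting in the image or directory, so a quick way to sanity-check what the `sbom-cataloger` will pick up is to write such a file, read the package list back out of it, and flag packages that carry no purl, since those are the hardest to correlate with syft's own findings once merged. The file name pattern `<name>.spdx.json`, the package data and the document namespace are constructed for the example; the exact file-name globs the cataloger matches are an assumption here and should be checked against the syft documentation.

```python
"""Added example: build a minimal SPDX 2.3 JSON SBOM of the kind an external
generator would leave in an image, read its package list back, and print the
syft invocation from the answer above. Not syft's code; all data is constructed."""
import json
import tempfile
from pathlib import Path


def build_spdx_document(name, packages):
    """Return a minimal SPDX 2.3 document as a dict.

    packages: list of (name, version, purl) tuples; purl may be None.
    """
    doc = {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,
        # constructed namespace; a real generator emits its own unique URI
        "documentNamespace": f"https://example.invalid/spdx/{name}",
        "creationInfo": {
            "created": "2024-01-01T00:00:00Z",
            "creators": ["Tool: example-generator"],  # hypothetical tool name
        },
        "packages": [],
        "relationships": [],
    }
    for i, (pkg_name, version, purl) in enumerate(packages, start=1):
        spdx_id = f"SPDXRef-Package-{i}"
        pkg = {
            "SPDXID": spdx_id,
            "name": pkg_name,
            "versionInfo": version,
            "downloadLocation": "NOASSERTION",
            "licenseConcluded": "NOASSERTION",
        }
        if purl:
            # purl is what lets a consumer correlate this entry with other scanners' findings
            pkg["externalRefs"] = [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": purl,
            }]
        doc["packages"].append(pkg)
        doc["relationships"].append({
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": spdx_id,
        })
    return doc


def write_sbom(doc, directory):
    """Write the document as <name>.spdx.json (assumed file-name convention) and return the path."""
    path = Path(directory) / f"{doc['name']}.spdx.json"
    path.write_text(json.dumps(doc, indent=2))
    return path


def read_spdx_packages(path):
    """Parse an SPDX 2.x JSON file; return [(name, version, purl_or_None), ...]."""
    doc = json.loads(Path(path).read_text())
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError(f"{path}: not an SPDX 2.x JSON document")
    result = []
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
        result.append((pkg.get("name"), pkg.get("versionInfo"), purl))
    return result


def packages_without_purl(path):
    """Names of packages with no purl: review these, they will not dedupe cleanly after the merge."""
    return [name for name, _, purl in read_spdx_packages(path) if purl is None]


def syft_command(directory):
    """The invocation from the answer above, scanning a directory with the SBOM cataloger enabled."""
    return ["syft", f"dir:{directory}", "--select-catalogers", "+sbom-cataloger"]


def demo(directory=None):
    """Round trip: write a constructed SBOM, read it back, report what syft would see."""
    directory = directory or tempfile.mkdtemp()
    doc = build_spdx_document("myapp", [
        ("openssl", "3.0.2", "pkg:deb/debian/openssl@3.0.2"),  # constructed sample
        ("internal-lib", "1.4.0", None),                        # constructed, no purl
    ])
    sbom_path = write_sbom(doc, directory)
    return {
        "sbom_path": str(sbom_path),
        "packages": read_spdx_packages(sbom_path),
        "without_purl": packages_without_purl(sbom_path),
        "syft_command": syft_command(directory),
    }


if __name__ == "__main__":
    summary = demo()
    print("wrote", summary["sbom_path"])
    print("packages:", summary["packages"])
    print("no purl:", summary["without_purl"])
    print("run:", " ".join(summary["syft_command"]))
```

Running the script writes `myapp.spdx.json` into a temporary directory and prints the `syft dir:... --select-catalogers +sbom-cataloger` command to run against it; pointing the same flag at `docker:` or an image reference works the same way once the file is baked into the image.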