Also, where are the docs for syft’s own format?
Thanks for the question @West_Farmer!
Currently we’re looking to enhance the npm cataloger to include dev dependencies in the final SBOM for a directory scan.
Take for example the npm cli: https://github.com/npm/cli
If we scan this with Syft we don’t see packages like @npmcli/eslint-config or mock-globals.
Here is a link to the current code that parses this:
As far as documentation for syft’s own format, here is a link to the current schema.
We’re working on getting more formal documentation generated around the schema, but until then I would recommend dumping the above raw data into a visualizer like https://json-schema-viewer.vercel.app