feat(sbom): Add support for CycloneDX 1.7 specification #10185

@DmitriyLewen

Description

Trivy currently fails to decode CycloneDX 1.7 SBOMs with the error invalid specification version.

$ trivy sbom merged.cdx.json
FATAL	Fatal error	run error: sbom scan error: scan error: scan failed: failed analysis: SBOM decode error: failed to decode: CycloneDX decode error: CycloneDX decode error: invalid specification version

Root Cause

The upstream library https://github.com/CycloneDX/cyclonedx-go does not yet support version 1.7.
Upstream tracking issue: CycloneDX/cyclonedx-go#247
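A pre-flight check that reads the spec version straight from the SBOM before it reaches the decoder, so an unsupported document is diagnosed up front instead of surfacing as the nested "invalid specification version" error above. This is an added example, not Trivy's or cyclonedx-go's code; the SUPPORTED set is an assumption about which versions the upstream decoder accepted when this issue was filed, and the sample documents are constructed.

```python
from __future__ import annotations

import json
import re
import xml.etree.ElementTree as ET

# Assumption: the upstream decoder accepted 1.0 through 1.6 at the time
# of this issue, so 1.7 is the first version it rejects.
SUPPORTED = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}

# CycloneDX XML encodes the spec version in the namespace of the root <bom>.
XML_NS_RE = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


def detect_spec_version(data: bytes) -> tuple[str, str]:
    """Return (file_format, spec_version) for a CycloneDX document.

    JSON carries the version in the top-level "specVersion" field; XML
    carries it in the root element's namespace. Raises ValueError when
    the input is not recognisably a CycloneDX BOM.
    """
    stripped = data.lstrip()
    if stripped.startswith(b"{"):
        doc = json.loads(stripped)
        if doc.get("bomFormat") != "CycloneDX":
            raise ValueError("bomFormat is not CycloneDX")
        version = doc.get("specVersion")
        if not isinstance(version, str):
            raise ValueError("specVersion missing or not a string")
        return "json", version
    if stripped.startswith(b"<"):
        root = ET.fromstring(stripped)
        m = XML_NS_RE.match(root.tag)
        if not m:
            raise ValueError("root element is not a CycloneDX <bom>")
        return "xml", m.group(1)
    raise ValueError("not a JSON or XML document")


def preflight(data: bytes, supported: set[str] = SUPPORTED) -> str:
    """Say up front whether a scanner built on the assumed decoder accepts the BOM."""
    fmt, version = detect_spec_version(data)
    if version in supported:
        return f"ok: CycloneDX {version} ({fmt}) is supported"
    return (f"unsupported: CycloneDX {version} ({fmt}) is not in "
            f"{sorted(supported)}; expect 'invalid specification version'")


# Constructed sample inputs, not taken from the issue.
SAMPLE_JSON_17 = b'{"bomFormat": "CycloneDX", "specVersion": "1.7", "version": 1, "components": []}'
SAMPLE_XML_16 = b'<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1"/>'
```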

Labels: kind/feature, scan/sbom