From f1e506d2fe2710b729439651f4ca360a59e3c35a Mon Sep 17 00:00:00 2001 From: Roger Luethi Date: Fri, 26 Jun 2026 21:06:01 +0200 Subject: [PATCH] fix: pin CycloneDX spec version to 1.6 syft is installed unpinned (latest) and now defaults to emitting CycloneDX specVersion 1.7. DependencyTrack does not yet support 1.7 and rejects the SBOM upload with: HTTP-400 Bad Request => {"status":400,"title":"The uploaded BOM is invalid","detail":"Unrecognized specVersion 1.7"} Pin the syft output format to cyclonedx-json@1.6, the highest CycloneDX spec version DependencyTrack currently accepts. This makes the SBOM upload independent of syft's evolving default. Same fix as osism/container-image-osism-ansible#757. Assisted-by: Claude:claude-opus-4-8 Signed-off-by: Roger Luethi --- playbooks/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbooks/build.yml b/playbooks/build.yml index 8268c0de3..11b9cc115 100644 --- a/playbooks/build.yml +++ b/playbooks/build.yml @@ -153,7 +153,7 @@ {% endraw %} curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin - /usr/local/bin/syft scan "$repository:$version" -o cyclonedx-json > sbom.json + /usr/local/bin/syft scan "$repository:$version" -o cyclonedx-json@1.6 > sbom.json {{ python_venv_dir }}/bin/dtrackauditor \ -p "osism${image:+-$image}" \ -v "$version" \