'capycli bom merge' removes important information

[sachinshaji]

Hello All,
I have tried using 'capycli bom merge' command and finds that it removes some information from the resultant file.

I have tried to merge an empty json file and a json file generated by 'trivy' in 'CycloneDX' format.

Command I used --> capycli bom merge empty.json trivy.json

When I compare the results, some informations are lost.

under the 'dependencies' section 'dependsOn' information is coming as empty in the resultant file.

Sharing a screenshot for reference.

Also sharing the empty.json and trivy.json files which I use to run bom merge command
trivy.json
empty.json

[tngraf]

I agree that it does not work.

bom merge empty.json empty.json => OK
bom merge trivy.json trivy.json => OK
bom merge trivy.json empty.json => OK
bom merge empty.json trivy.json => messed up

But bom merge just loads an SBOM, copies components and then saves the SBOM. CaPyCLI does not modify the dependencies - all this is done by the underlying cyclonedx-python-lib.

We are using version 3.1.5, the next version is 4.0.0, the latest version is 7.6.0 ... and they did a lot of changes.