cyclone-dx presenter drops files, includes only packages #3435

@Pierre-Gronau-ndaal

What happened:
export SYFT_FILE_METADATA_SELECTION="all"

syft scan "${REPO_PATH}" -o cyclonedx-json > sbom.json
syft scan "${REPO_PATH}" -o spdx-json > sbom.json

What you expected to happen:

For -o cyclonedx-json, I expect all files of the directory to be in the SBOM.

Steps to reproduce the issue:

syft scan "${REPO_PATH}" -o cyclonedx-json > sbom.json
syft scan "${REPO_PATH}" -o spdx-json > sbom.json

With -o spdx-json, the SBOM is filled up.

Anything else we need to know?:

cat sbom.json
{"$schema":"http://cyclonedx.org/schema/bom-1.6.schema.json","bomFormat":"CycloneDX","specVersion":"1.6","serialNumber":"urn:uuid:d9f32702-f7d9-44a4-bd21-7b02f4c2ff67","version":1,"metadata":{"timestamp":"2024-11-11T19:10:42+01:00","tools":{"components":[{"type":"application","author":"anchore","name":"syft","version":"1.16.0"}]},"component":{"bom-ref":"c89118b3fe999aab","type":"file","name":"/***********************************"}}}

Environment:

  • Output of syft version: 1.16.0
  • OS (e.g: cat /etc/os-release or similar): Linux and macOS
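
A post-scan check for the condition reported above, added here as an example and not part of the original issue or of syft: it counts file entries in a CycloneDX or SPDX JSON SBOM so a pipeline can detect a document that lists no files. The sample documents are constructed, and the function names `sbom_inventory` and `missing_files` are hypothetical.

```python
import json

# Constructed samples. The CycloneDX one mirrors the shape of the output quoted
# in the issue (metadata only, no "components" array); the SPDX one is minimal.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "metadata": {"component": {"type": "file", "name": "/example/repo"}},
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [{"SPDXID": "SPDXRef-Package-example", "name": "example"}],
    "files": [
        {"SPDXID": "SPDXRef-File-a", "fileName": "/a.txt"},
        {"SPDXID": "SPDXRef-File-b", "fileName": "/b.txt"},
    ],
})


def sbom_inventory(text):
    """Return (format, non_file_count, file_count) for a JSON SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        files = others = 0
        stack = list(doc.get("components") or [])
        while stack:  # components can nest, so walk the whole tree
            comp = stack.pop()
            if comp.get("type") == "file":
                files += 1
            else:
                others += 1
            stack.extend(comp.get("components") or [])
        return "cyclonedx", others, files
    if "spdxVersion" in doc:
        return "spdx", len(doc.get("packages") or []), len(doc.get("files") or [])
    raise ValueError("not a CycloneDX or SPDX JSON document")


def missing_files(text):
    """True when the SBOM records no file entries at all."""
    return sbom_inventory(text)[2] == 0


if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        print(sbom_inventory(sample), "missing files:", missing_files(sample))
```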

Labels

bug (Something isn't working), good-first-issue (Good for newcomers)
