
Support for CycloneDX 1.7 SBOMs #2787

@Gerharddc

Description


I've found that running osv-scanner on an SBOM exported via pnpm's new sbom feature (https://pnpm.io/cli/sbom) fails with the following output:

Starting filesystem walk for root: /
End status: 0 dirs visited, 1 inodes visited, 1 Extract calls, 867.252µs elapsed, 867.302µs wall time
Error during extraction: (extracting as sbom/cdx) home/user/PS8X-Controller/sbom/raw/web-ui.cdx.json: invalid specification version
extraction failed on specified lockfile

Simply changing "specVersion": "1.7" to "specVersion": "1.6" in the .cdx.json file seems to fix the issue. So perhaps the 1.7 format is already "supported" in a practical sense, it just fails a version check.
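As an added illustration of what the report describes (this is example code, not code from the issue, from pnpm or from osv-scanner), the script below puts a strict specVersion gate in front of an otherwise ordinary CycloneDX JSON parser, shows it rejecting a 1.7 document that the parser could read, applies the specVersion-rewrite workaround from the report, and compares that with simply widening the accepted set. The sample SBOM is constructed, and the set of accepted versions, the function names and the error wording are assumptions; the issue does not say which versions osv-scanner accepts internally.

```python
"""Minimal CycloneDX JSON version gate plus the specVersion-rewrite workaround."""
import json
from typing import Iterator

# Versions the strict gate accepts. Which versions osv-scanner really accepts is
# not stated in the issue; this set is an assumption for the demonstration.
ACCEPTED_SPEC_VERSIONS = frozenset({"1.4", "1.5", "1.6"})

# Constructed sample: a tiny 1.7 SBOM with the fields a lockfile-derived export
# carries (bomFormat, specVersion, components with purls). Not a real export.
SAMPLE_CDX_17 = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.7",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.19.2",
         "purl": "pkg:npm/express@4.19.2",
         "components": [
             {"type": "library", "name": "qs", "version": "6.11.0",
              "purl": "pkg:npm/qs@6.11.0"},
         ]},
    ],
})


def _walk_components(components: list) -> Iterator[dict]:
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from _walk_components(comp.get("components", []))


def extract_purls(cdx_json: str, accepted=ACCEPTED_SPEC_VERSIONS) -> list[str]:
    """Return the purls in a CycloneDX JSON document, after a version gate.

    The gate is the point of the issue: the document body is the same JSON a
    1.6 export would contain, but an unknown specVersion is rejected before
    any of it is read.
    """
    bom = json.loads(cdx_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    spec = bom.get("specVersion")
    if spec not in accepted:
        raise ValueError(f"invalid specification version: {spec!r}")
    return [c["purl"] for c in _walk_components(bom.get("components", []))
            if "purl" in c]


def downgrade_spec_version(cdx_json: str, target: str = "1.6") -> str:
    """The workaround from the report: rewrite specVersion so a strict gate passes.

    Caveat: the result claims a version it was not produced under. That is
    acceptable as a scan input when the document only uses fields that also
    exist in `target`; do not redistribute it as a genuine 1.6 SBOM.
    """
    bom = json.loads(cdx_json)
    bom["specVersion"] = target
    return json.dumps(bom, indent=2)


def demo() -> dict:
    """Run the three cases side by side and return the outcomes."""
    results = {}
    try:
        extract_purls(SAMPLE_CDX_17)
        results["strict_1.7"] = "accepted"
    except ValueError as exc:
        results["strict_1.7"] = str(exc)
    # Workaround: same document, specVersion rewritten to 1.6.
    results["strict_downgraded"] = extract_purls(downgrade_spec_version(SAMPLE_CDX_17))
    # Fix on the consumer side: accept 1.7 and parse the original unchanged.
    results["lenient_1.7"] = extract_purls(
        SAMPLE_CDX_17, accepted=ACCEPTED_SPEC_VERSIONS | {"1.7"})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Run it as a script to see the strict gate fail with "invalid specification version", and both the rewritten document and the lenient gate yield the same three purls. The version gate belongs at the consumer side; rewriting the producer's specVersion is a stopgap that only holds while the document uses no fields that the claimed version lacks.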

Metadata


Assignees

Labels

backlog (Important but currently unprioritized)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
