Bug: CycloneDX 1.6 SBOM being generated without dependency details

[DennisClark]

Using the scan-single-package pipeline I recently scanned scancode.io-34.9.5.tar.gz in SCIO v34.9.5. The scan identified 52 dependencies. When I generate an SPDX 2.3 SBOM from this project the dependency relationships are included in the generated document. When I generate a CycloneDX 1.6 SBOM from this same project the dependency relationships are not included in the generated document.

Attachments: the scan results, the SPDX SBOM, the CycloneDX SBOM

scancodeio_scio-v34.9.5.json.zip

scancodeio_scio-v34.9.5_results-2025-02-24-21-44-28.spdx.json.zip

scancodeio_scio-v34.9.5_results-2025-02-24-21-44-34.cdx.json.zip

[tdruez]

@DennisClark After reviewing the scan results, the 52 dependencies identified are unresolved.
Currently, only resolved dependencies are included in the CycloneDX output.

The Dependency model is based on two foreign keys (FK) linking to related Packages:

• for_package: The package that declares this dependency.
• resolved_to_package: The resolved package for this dependency.
  If empty, it indicates the dependency is unresolved.

In the scan_single_package pipeline, minimal Dependency records were created with the following details:

• A PURL derived from the "Extracted requirements" value.
• A populated for_package field.

However, the resolved_to_package field remains empty, which is why these Dependency records are marked as "unresolved."

I'll provide a PR addressing this by including all Dependency records in the CycloneDX output.