Converting spdx (obtained via docker-scout) to cyclonedx results in empty file

[ghost]

I'm trying to convert an spdx BOM (obtained via docker-scout) into a cyclone dx file. However, the generated cyclonedx is ~empty! Here's how to reproduce:

1. Obtain the spdx file: docker-scout sbom --format json quay.io/mongodb/mongodb-community-server:7.0.0-ubi8 > /tmp/input.json
2. Run the converter: ./cyclonedx-linux-arm64 convert --input-file /tmp/input.json --output-file /tmp/foo.json --output-version v1_5
3. The output looks like this:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "vulnerabilities": []
}

(It should have a whole lot of info in there!)

I'm hoping that I'm just misunderstanding some basic aspect of how to invoke this tool. Any pointers are appreciated!

cc: @Trevor159

[andreas-hilti]

@stevegrossmongodb Does specifying the input format using --input-format spdxjson help? (The autodetection is not as good as you'd hope for.) If not, are you able to attach the input.json to reproduce it slightly easier?

[ghost]

We finally got it working with these arguments:

cat input_obtained_from_docker_scout | \
<cyclonedx_bin> \
  convert \
  --output-version 1_5 \
  --input-format spdxjson \
  --output-format json