quarkus-cyclonedx: dependency graph is missing

[turing85]

Describe the bug

When we generate a cyclondex SBOM through the quarkus-cyclonedx plugin and upload it to dependency-track, the components are present, but the dependency graph is missing.

Expected behavior

The dependency graph is present.

Actual behavior

The dependency graph shows only the root, no sub-elments

How to Reproduce?

Reproducer:

1. Checkout https://github.com/turing85/quarkus-jackson-json-patch, branch feature/cyclonedx:

$ git clone --branch feature/cyclonedx https://github.com/turing85/quarkus-jackson-json-patch.git \
  && cd quarkus-jackson-json-patch

2. Build the application to generate the SBOM:

$ ./mvnw clean package

3. Upload file target/quarkus-run-cyclonedx.json to a dependency-track project
4. Observe that the components are present, but the graph is empty:
   

Output of uname -a or ver

Linux xxx 6.8.0-51-generic #52-Ubuntu SMP PREEMPT_DYNAMIC Thu Dec  5 13:09:44 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Output of java -version

openjdk version "21.0.3" 2024-04-16 LTS
OpenJDK Runtime Environment Temurin-21.0.3+9 (build 21.0.3+9-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.3+9 (build 21.0.3+9-LTS, mixed mode, sharing)

Quarkus version or git rev

3.17.5

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Maven home: /home/marco/.m2/wrapper/dists/apache-maven-3.9.9/3477a4f1
Java version: 21.0.3, vendor: Eclipse Adoptium, runtime: /opt/java/mandrel/23.1.3.1-java21
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "6.8.0-51-generic", arch: "amd64", family: "unix"

Additional information

No response

[turing85]

/cc @aloubyansky

[turing85]

FTR: relevant quarkusio.zulipchat.com