Description:
We have a centralized CI pipeline (Azure DevOps) setup that runs across our solutions. As part of the CI process, we perform a Sonatype scan using the NexusIqPipelineTask. The task uses, on the scanTargets property, the path for the SBOM file that is produced earlier during the process.
Problem:
In a specific case, the process diverges:
- The SBOM file is successfully generated and contains the expected dependency information.
- However, the NexusIqPipelineTask step generates an empty report and no components are identified.
Observed Behavior:
- SBOM file exists and appears correct (we can see the expected dependencies).
- NexusIQ report is empty; no components or vulnerabilities are identified.
