
[Bug Report] Missing some dependencies on cyclonedx formatted SBOM using syft #4562

@brian-223134

Description


What happened: missing dependencies in a CycloneDX-formatted SBOM

When generating a CycloneDX SBOM with Syft from a Python project that uses poetry.lock, the dependency edge for dj-rest-auth -> django is missing.
In my poetry.lock, dj-rest-auth declares the dependency as Django (capitalized), and Syft appears to fail to resolve it to the django component, so the edge is omitted from the SBOM dependency graph.


What you expected to happen:

Syft should treat Python distribution names as case-insensitive (and ideally normalize common separators), so Django should resolve to the same package as django.
The generated CycloneDX SBOM should include the dependency edge:

  • dj-rest-auth@7.0.1 depends on django@5.2.6

Steps to reproduce the issue:

  1. Create or use a Python project with a poetry.lock containing something like:
[[package]]
name = "dj-rest-auth"
version = "7.0.1"
description = "Authentication and Registration in Django Rest Framework"
optional = false
python-versions = ">=3.8"
groups = ["main"]
files = [
    {file = "dj-rest-auth-7.0.1.tar.gz", hash = "sha256:3f8c744cbcf05355ff4bcbef0c8a63645da38e29a0fdef3c3332d4aced52fb90"},
]

[package.dependencies]
Django = ">=4.2,<6.0"
djangorestframework = ">=3.13.0"

[package.extras]
with-social = ["django-allauth[socialaccount] (>=64.0.0)"]
  2. Run Syft to generate a CycloneDX SBOM from the project directory (example):
syft dir:. -o cyclonedx-json > sbom.json
  3. Inspect the dependency graph section in the resulting SBOM (CycloneDX dependencies section).

    Confirm dj-rest-auth -> djangorestframework is present.
    Observe dj-rest-auth -> django is missing, even though the lockfile declares Django.
{
  "ref": "pkg:pypi/dj-rest-auth@7.0.1?package-id=e5ae9d3dbec01ba2",
  "dependsOn": [
    "pkg:pypi/django-allauth@65.11.2?package-id=7252146fe0fe7589",
    "pkg:pypi/djangorestframework@3.16.1?package-id=e1fa1261e5a7882a"
  ]
}
  • This example is from an SBOM that I created today.

Anything else we need to know?:

  • This looks like a name normalization issue: the dependency key is Django (capital D) in poetry.lock, while the locked package entry is django (lowercase).
  • Python distribution name comparison is effectively case-insensitive, so the dependency should be resolved.
  • I can provide the full poetry.lock (if you leave me a comment, I can give it to you right away!)

Environment:

  • Output of syft version:
    I cloned the source code (main branch at 2026-01-16 GMT) and built it locally, so I can give you the build revision:
    -- build vcs.revision=795432441754b910d4456fa982eb7df64c98b432
    -- build vcs.time=2026-01-16T18:04:13Z
  • OS (e.g: cat /etc/os-release or similar): Windows 11 (25H2)

Labels: bug

Status: Done