Merged SBOMs contain duplicates #326
Comments
I would also be interested in this behaviour and possible workarounds...
CycloneDX-cli version 0.25.0 should now contain the latest cyclonedx-dotnet-library (specifically version 6.0.0). Thus, the behavior w.r.t. duplicates should be improved.
Is it solved? I'm still having duplicates with the merge command...
I am running into an issue where the result of 2 merged SBOMs creates an invalid result. Here are the repro steps: I have two input files "sbom1-metadata-component.xml" and "sbom2-anything.xml" from which I have removed as much information as possible. Both of these files are still being reported as valid and the resulting error message is the same as for the full SBOMs. sbom1-metadata-component.xml
Note here the component within the metadata region. The NotRelevant component needs to be there so the result contains anything at all but the content of NotRelevant is not relevant. sbom1-metadata-component.xml
I just used an empty SBOM to execute the merge command with, which still caused the issue. My normal SBOM is much bigger. Using the docker image to merge these two files creates a result that will not pass the "validate" command.
The result contains two component references. One within the metadata region and one within the components region containing the same bom-ref. Error message: "Validation failed at line number 14 and position 7: There is a duplicate key sequence '[email protected]' for the 'http://cyclonedx.org/schema/bom/1.5:bom-ref' key or unique identity constraint." Is this behavior relevant to this issue here? This invalid SBOM prevents me from doing further analysis. merged-sbom.xml
I have attached all files to this comment, but their content is the same as described above. Thank you for providing us with such a powerful open source tool and helping your users.
I think it is similar to this issue: cyclonedx-cli/src/cyclonedx/Commands/MergeCommand.cs Lines 92 to 97 in 03b8019
that if the metadata is not provided, the first non-null is used. Then the same component appears in the metadata and inside components.
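A check for the duplicate bom-ref condition described in the two comments above (the metadata component reappearing under components after a merge), as an added example that is not part of this issue thread or of the cyclonedx-cli project; the BOM content and bom-ref values are constructed for the example:

```python
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.5"

# Constructed sample: a merged CycloneDX 1.5 BOM in which the metadata
# component was also emitted under <components>. The bom-ref values are
# made up for this example.
MERGED_BOM = f"""<?xml version="1.0" encoding="utf-8"?>
<bom xmlns="{NS}" version="1">
  <metadata>
    <component type="application" bom-ref="pkg:nuget/NotRelevant@1.0.0">
      <name>NotRelevant</name>
      <version>1.0.0</version>
    </component>
  </metadata>
  <components>
    <component type="application" bom-ref="pkg:nuget/NotRelevant@1.0.0">
      <name>NotRelevant</name>
      <version>1.0.0</version>
    </component>
    <component type="library" bom-ref="pkg:nuget/Other@2.0.0">
      <name>Other</name>
      <version>2.0.0</version>
    </component>
  </components>
</bom>
"""


def find_duplicate_bom_refs(xml_text: str) -> dict:
    """Return {bom-ref: [sections]} for every bom-ref used more than once.
    The 1.5 schema declares bom-ref a document-wide unique key, so any
    repeat (here metadata/component vs. components/component) fails validation.
    """
    root = ET.fromstring(xml_text)
    seen = {}
    for section in ("metadata", "components"):
        node = root.find(f"{{{NS}}}{section}")
        if node is None:
            continue
        # iter() also visits nested <components> inside a component
        for comp in node.iter(f"{{{NS}}}component"):
            ref = comp.get("bom-ref")
            if ref:
                seen.setdefault(ref, []).append(section)
    return {ref: secs for ref, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    print(find_duplicate_bom_refs(MERGED_BOM))
```

An empty result means the merged BOM will not trip the bom-ref unique identity constraint; a non-empty one names the clashing bom-ref and the sections it appears in.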
As a workaround, you can for now specify the name using the "--name" option (or similar metadata).
Hello, and thanks for the awesome CLI -- it's helping me merge up a bunch of SBOMs. However, I noticed that my SBOMs have duplicate components in them.
I think this would be fixed by the latest version of the dotnet library -- specifically, due to CycloneDX/cyclonedx-dotnet-library#216.
Is there a plan to upgrade this library and make a new release?
Thanks!