
fix(sbom): deduplicate sbom dependencies #7992

Merged: 1 commit from bdehamer/issue-6967 into latest, Dec 20, 2024

Conversation

bdehamer (Contributor)

Certain project dependency trees may result in an SBOM with duplicate entries. This fix ensures that each unique dependency (identified by the combination of package name and version) only appears in the SBOM once. Applies to both SPDX and CycloneDX SBOM formats.

Specific to the CycloneDX format, this change also removes the cdx:npm:package:path property from the component entries in the generated SBOM. Since the same package may be present at multiple paths within the project and we're now de-duplicating those packages, it no longer makes sense to include this in the SBOM. This does not impact the SPDX format as there is no equivalent property.

Fixes: #6967
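
The de-duplication rule described above (one SBOM entry per package name plus version, and no per-path `cdx:npm:package:path` property on CycloneDX components), as an added example that is not npm's own code. The sample node list, the `location`/`isRoot` fields, the SPDXID shape and all helper names below are constructed for illustration; the purl encoding of scoped names follows the Package URL specification.

```javascript
// Added example (not the npm cli's code): collapse duplicate dependency-tree
// nodes to a single SBOM entry per name@version, for CycloneDX and SPDX.

// Constructed sample: lodash@4.17.21 is installed at two paths (hoisted and
// nested under b), while lodash@3.10.1 is a genuinely different version.
const sampleNodes = [
  { name: 'app', version: '1.0.0', location: '', isRoot: true },
  { name: 'a', version: '2.0.0', location: 'node_modules/a' },
  { name: 'lodash', version: '4.17.21', location: 'node_modules/lodash' },
  { name: 'b', version: '1.2.0', location: 'node_modules/b' },
  { name: 'lodash', version: '4.17.21', location: 'node_modules/b/node_modules/lodash' },
  { name: 'lodash', version: '3.10.1', location: 'node_modules/a/node_modules/lodash' },
  { name: '@scope/pkg', version: '0.1.0', location: 'node_modules/@scope/pkg' },
]

// Identity used for de-duplication: package name plus version.
const nodeKey = (node) => `${node.name}@${node.version}`

// Keep the first node seen for each name@version; later install paths are dropped.
function dedupeNodes(nodes) {
  const seen = new Map()
  for (const node of nodes) {
    const key = nodeKey(node)
    if (!seen.has(key)) {
      seen.set(key, node)
    }
  }
  return [...seen.values()]
}

// Report which name@version keys occur at more than one path. Useful when
// checking a tree (or an older SBOM) for the duplication this PR fixes.
function findDuplicates(nodes) {
  const paths = new Map()
  for (const node of nodes) {
    const key = nodeKey(node)
    if (!paths.has(key)) paths.set(key, [])
    paths.get(key).push(node.location)
  }
  return Object.fromEntries([...paths].filter(([, locs]) => locs.length > 1))
}

// Package URL for an npm package; a scoped name percent-encodes its leading '@'.
function toPurl(node) {
  const name = node.name.startsWith('@') ? `%40${node.name.slice(1)}` : node.name
  return `pkg:npm/${name}@${node.version}`
}

// CycloneDX component. Deliberately carries no 'cdx:npm:package:path'
// property: after de-duplication one component may stand for several paths.
function toCycloneDxComponent(node) {
  const purl = toPurl(node)
  return { 'bom-ref': purl, type: 'library', name: node.name, version: node.version, purl }
}

// SPDX package; the purl travels in externalRefs. The SPDXID format is constructed.
function toSpdxPackage(node) {
  const purl = toPurl(node)
  return {
    SPDXID: `SPDXRef-Package-${node.name}-${node.version}`.replace(/[^A-Za-z0-9.-]/g, '-'),
    name: node.name,
    versionInfo: node.version,
    externalRefs: [
      { referenceCategory: 'PACKAGE-MANAGER', referenceType: 'purl', referenceLocator: purl },
    ],
  }
}

// Build the dependency entries of either format from the de-duplicated list,
// leaving out the root project (both formats describe it separately).
function buildSbomEntries(nodes, format) {
  const deps = dedupeNodes(nodes).filter((n) => !n.isRoot)
  return deps.map(format === 'cyclonedx' ? toCycloneDxComponent : toSpdxPackage)
}

// Usage: show the duplicate paths found, then the de-duplicated CycloneDX components.
console.log(JSON.stringify(findDuplicates(sampleNodes), null, 2))
console.log(JSON.stringify(buildSbomEntries(sampleNodes, 'cyclonedx'), null, 2))
```

With the sample tree, `findDuplicates` reports only `lodash@4.17.21` (two paths), and both `buildSbomEntries(..., 'cyclonedx')` and `buildSbomEntries(..., 'spdx')` return five entries, each package version exactly once. An SBOM consumer that keys on purl (or on SPDXID) can use the same name@version identity to verify that a generated document contains no duplicates.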

@bdehamer bdehamer requested a review from a team as a code owner December 18, 2024 23:07
@bdehamer bdehamer marked this pull request as draft December 18, 2024 23:17
@bdehamer bdehamer force-pushed the bdehamer/issue-6967 branch from 2869bea to fef6c57 December 18, 2024 23:19
Certain project dependency trees may result in an SBOM with duplicate
entries. This fix ensures that each unique dependency (identified by
the combination of package name and version) only appears in the SBOM
once. Applies to both SPDX and CycloneDX SBOM formats.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/issue-6967 branch from fef6c57 to 54caf08 December 19, 2024 19:01
@bdehamer bdehamer changed the title fix(sbom) deduplicate sbom dependencies fix(sbom): deduplicate sbom dependencies Dec 19, 2024
@bdehamer bdehamer marked this pull request as ready for review December 19, 2024 19:06
@wraithgar wraithgar merged commit ab9ddc0 into latest Dec 20, 2024
19 of 20 checks passed
@wraithgar wraithgar deleted the bdehamer/issue-6967 branch December 20, 2024 16:55
Linked issue closed by this pull request: [BUG] SBOM generation for CycloneDX generates duplicate dependencies (#6967)