Duplicate components #233
When creating an SBOM for a large enough package, there are inevitably cases where a single dependency is included more than once. I guess that makes sense as long as you're not using the When using that option, however, I wouldn't expect those duplicates to appear. They each only differ in their

Edit: Sorry, I was a little pressed for time when I hit send. Let me give an example. Assume the following dependency tree:
Expected output

All output shortened for clarity.

Without:

```json
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0",
      "components": [
        {
          "purl": "pkg:npm/packageC@1.0.0",
          "bom-ref": "packageA@1.0.0|packageC@1.0.0"
        }
      ]
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0",
      "components": [
        {
          "purl": "pkg:npm/packageC@1.0.0",
          "bom-ref": "packageB@1.0.0|packageC@1.0.0"
        }
      ]
    }
  ]
}
```

With:

```json
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0"
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageC@1.0.0"
    }
  ]
}
```

Actual output

Without: Matches expected output 👍

With:

```json
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0"
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageA@1.0.0|packageC@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageB@1.0.0|packageC@1.0.0"
    }
  ]
}
```
Yes, this is intentional. In your example the PS: see also the docs: https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/docs/result.md
@mmarseu @rkg-mm @stevespringett I understand your need for such a feature, therefore https://github.com/CycloneDX/cyclonedx-node-npm/milestone/2 was created
Yes, this is intentional.

If one component appears multiple times in the SBOM, then it is because NPM actually installed it multiple times, or because it was a bundledDependency of any package.
To make this visible, this component appears multiple times in the SBOM result.
This is just how NPM works, and therefore it is rendered accordingly.

In your example, `packageB@1.0.0|packageC@1.0.0` is not the same as `packageA@1.0.0|packageC@1.0.0`. It might be equal, but this is still not guaranteed.

PS: have a look at an example SBOM: https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/demo/juice-shop/example-results/bom.1.4.xml
You will find `strip-ansi@3.0.1` installed on top level, and multiple …
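As an added example (not code from this thread or from cyclonedx-node-npm), the following Python check walks a CycloneDX JSON SBOM in either the nested or the flattened layout and reports every purl that occurs more than once together with its distinct bom-refs, so a reviewer can see which installation path carries each copy before treating the copies as interchangeable. The two embedded SBOMs are constructed from the packageA/packageB/packageC example in the original post.

```python
import json
from collections import defaultdict

# Constructed sample: the nested layout from the post, packageC installed
# once under packageA and once under packageB.
NESTED_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"purl": "pkg:npm/packageA@1.0.0", "bom-ref": "packageA@1.0.0",
         "components": [{"purl": "pkg:npm/packageC@1.0.0",
                         "bom-ref": "packageA@1.0.0|packageC@1.0.0"}]},
        {"purl": "pkg:npm/packageB@1.0.0", "bom-ref": "packageB@1.0.0",
         "components": [{"purl": "pkg:npm/packageC@1.0.0",
                         "bom-ref": "packageB@1.0.0|packageC@1.0.0"}]},
    ],
})

# Constructed sample: the flattened "actual output" from the post, where both
# installations of packageC survive with their path-specific bom-refs.
FLAT_BOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"purl": "pkg:npm/packageA@1.0.0", "bom-ref": "packageA@1.0.0"},
        {"purl": "pkg:npm/packageB@1.0.0", "bom-ref": "packageB@1.0.0"},
        {"purl": "pkg:npm/packageC@1.0.0", "bom-ref": "packageA@1.0.0|packageC@1.0.0"},
        {"purl": "pkg:npm/packageC@1.0.0", "bom-ref": "packageB@1.0.0|packageC@1.0.0"},
    ],
})


def iter_components(components):
    """Yield every component, descending into nested 'components' lists."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def duplicate_purls(bom_json):
    """Map each purl that occurs more than once to the sorted list of its bom-refs.

    Same purl does not imply the same bytes on disk (nested or bundled copies
    can differ), so the bom-refs identify which installation each entry is.
    """
    bom = json.loads(bom_json)
    refs_by_purl = defaultdict(list)
    for comp in iter_components(bom.get("components", [])):
        if comp.get("purl"):
            refs_by_purl[comp["purl"]].append(comp.get("bom-ref"))
    return {p: sorted(r) for p, r in refs_by_purl.items() if len(r) > 1}


if __name__ == "__main__":
    for purl, refs in duplicate_purls(FLAT_BOM).items():
        print(f"{purl} is installed {len(refs)} times: {', '.join(refs)}")
```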