cyclonedx-cli
call new flatMerge method
https://github.com/CycloneDX/cyclonedx-dotnet-library/pull/199
@coderpatros can you merge this and create a new version
Works great for me, cut a top-level project SBOM from 36K apparent components to 1K :)
Still, for some items I still see dupes; in my case these are components that originated from Maven POM dependency trees and have different `scope` values (e.g. missing in one dep-tree branch and `required` in another, I suppose - maybe I misunderstood this progeny, after all the "scope" in question is a CycloneDX concept and not necessarily related to a Maven concept).
The resulting big merged SBOM thus has several entries under `components` for the specified `bom-ref`, which contradicts the spec, which requires these to be unique in the document: https://cyclonedx.org/docs/1.4/json/#metadata_component_bom-ref
Would it be possible to further mash together existing objects with the same identifier? In particular, the `scope` values absent and `required` "SHOULD" per spec be treated as equivalent, so they are an easy target: https://cyclonedx.org/docs/1.4/json/#metadata_component_scope
@jimklimov maybe you can post some examples of the nodes that are duplicated.
Sure, for example:
```json
{
  "type": "library",
  "bom-ref": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
  "group": "com.vaadin.external.google",
  "name": "android-json",
  "version": "0.0.20131108.vaadin1",
  "description": "\u00A0\u00A0JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK \u00A0",
  "scope": "required",
  "hashes": [
    {
      "alg": "MD5",
      "content": "10612241a9cc269501a7a2b8a984b949"
    },
    {
      "alg": "SHA-1",
      "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"
    },
    {
      "alg": "SHA-256",
      "content": "dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79"
    },
    {
      "alg": "SHA-512",
      "content": "c4a06a0a3ce7bdbee702c06944265c050a4c8d2fbd21c248936e2edfdab63acea30f2cf3568d3c21a559940d939985a8b10d30aff972a3e8cbeb392c0b02da3a"
    },
    {
      "alg": "SHA-384",
      "content": "60d1044b5439cdf5eb621118cb0581365ab4f023a30998b238b87854236f03d8395d45b0262fb812335ff904cb77f25f"
    },
    {
      "alg": "SHA3-384",
      "content": "b80ebdbec2127279ca402ca52e50374d3ca773376258f6aa588b442822ee7362de8cca206db71b79862bde84018cf450"
    },
    {
      "alg": "SHA3-256",
      "content": "6285b1ac8ec5fd339c7232affd9c08e6daf91dfa18ef8ae7855f52281d76627e"
    },
    {
      "alg": "SHA3-512",
      "content": "de7ed83f73670213b4eeacfd7b3ceb7fec7d88ac877f41aeaacf43351d04b34572f2edc9a8f623af5b3fccab3dac2cc048f5c8803c1d4dcd1ff975cd6005124d"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "url": "https://www.apache.org/licenses/LICENSE-2.0"
      }
    }
  ],
  "purl": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
  "externalReferences": [
    {
      "url": "http://developer.android.com/sdk",
      "type": "website"
    },
    {
      "url": "http://oss.sonatype.org/content/repositories/vaadin-releases/",
      "type": "distribution"
    },
    {
      "url": "http://developer.android.com/sdk/",
      "type": "vcs"
    }
  ]
}
```
vs. the same component without a `scope`:
```json
{
  "type": "library",
  "bom-ref": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
  "group": "com.vaadin.external.google",
  "name": "android-json",
  "version": "0.0.20131108.vaadin1",
  "description": "\u00A0\u00A0JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK \u00A0",
  "hashes": [
    {
      "alg": "MD5",
      "content": "10612241a9cc269501a7a2b8a984b949"
    },
    {
      "alg": "SHA-1",
      "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"
    },
    {
      "alg": "SHA-256",
      "content": "dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79"
    },
    {
      "alg": "SHA-512",
      "content": "c4a06a0a3ce7bdbee702c06944265c050a4c8d2fbd21c248936e2edfdab63acea30f2cf3568d3c21a559940d939985a8b10d30aff972a3e8cbeb392c0b02da3a"
    },
    {
      "alg": "SHA-384",
      "content": "60d1044b5439cdf5eb621118cb0581365ab4f023a30998b238b87854236f03d8395d45b0262fb812335ff904cb77f25f"
    },
    {
      "alg": "SHA3-384",
      "content": "b80ebdbec2127279ca402ca52e50374d3ca773376258f6aa588b442822ee7362de8cca206db71b79862bde84018cf450"
    },
    {
      "alg": "SHA3-256",
      "content": "6285b1ac8ec5fd339c7232affd9c08e6daf91dfa18ef8ae7855f52281d76627e"
    },
    {
      "alg": "SHA3-512",
      "content": "de7ed83f73670213b4eeacfd7b3ceb7fec7d88ac877f41aeaacf43351d04b34572f2edc9a8f623af5b3fccab3dac2cc048f5c8803c1d4dcd1ff975cd6005124d"
    }
  ],
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0",
        "url": "https://www.apache.org/licenses/LICENSE-2.0"
      }
    }
  ],
  "purl": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
  "externalReferences": [
    {
      "url": "http://developer.android.com/sdk",
      "type": "website"
    },
    {
      "url": "http://oss.sonatype.org/content/repositories/vaadin-releases/",
      "type": "distribution"
    },
    {
      "url": "http://developer.android.com/sdk/",
      "type": "vcs"
    }
  ]
}
```
In the original SBOMs (and the merged one without this PR in the tool) there were 113 mentions of the component; now there are just these two. It will take some time and effort to check whether the others differ by just `scope` or by something else. It might in fact be faster to fix this one and see if any other duplicates remain; I'll try something of the sort :D
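The post-merge collapse the thread asks for, as an added example (not code from cyclonedx-cli, the .NET library or this PR): components sharing a `bom-ref` are compared after an absent `scope` is normalised to `required`, as the 1.4 spec says it SHOULD be; exact matches are dropped, while entries that still differ are kept as the first-seen version and reported so a reviewer can decide, instead of being silently discarded. The sample BOM is constructed (the android-json pair from the thread with the hash list trimmed, plus an invented `pkg:maven/example/lib@1.0` pair whose scopes genuinely conflict); the uniqueness check covers only the top-level `components` list, whereas the spec requires `bom-ref` to be unique across the whole document.

```python
import json
from collections import Counter
from copy import deepcopy

ANDROID_JSON_REF = (
    "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar"
)
EXAMPLE_LIB_REF = "pkg:maven/example/lib@1.0"  # constructed, not a real package

# Constructed sample BOM: the pair from the thread (hashes trimmed) and a pair
# whose scopes actually conflict.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {
            "type": "library",
            "bom-ref": ANDROID_JSON_REF,
            "group": "com.vaadin.external.google",
            "name": "android-json",
            "version": "0.0.20131108.vaadin1",
            "scope": "required",
            "hashes": [{"alg": "SHA-1", "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"}],
        },
        {
            "type": "library",
            "bom-ref": ANDROID_JSON_REF,
            "group": "com.vaadin.external.google",
            "name": "android-json",
            "version": "0.0.20131108.vaadin1",
            "hashes": [{"alg": "SHA-1", "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"}],
        },
        {"type": "library", "bom-ref": EXAMPLE_LIB_REF, "name": "lib",
         "version": "1.0", "scope": "optional"},
        {"type": "library", "bom-ref": EXAMPLE_LIB_REF, "name": "lib",
         "version": "1.0", "scope": "required"},
    ],
}


def normalize_scope(component):
    """Return a copy with an absent 'scope' set to 'required' (CycloneDX 1.4 SHOULD)."""
    comp = deepcopy(component)
    comp.setdefault("scope", "required")
    return comp


def differing_fields(a, b):
    """Top-level keys on which two component objects disagree."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def merge_components(components):
    """Collapse components that share a bom-ref.

    Returns (merged, conflicts). Duplicates that are identical after scope
    normalisation are dropped; for a bom-ref whose entries still differ the
    first-seen entry is kept and (ref, differing_keys) is appended to conflicts.
    Components without a bom-ref are passed through untouched.
    """
    by_ref, order, conflicts, unkeyed = {}, [], [], []
    for comp in components:
        ref = comp.get("bom-ref")
        if ref is None:
            unkeyed.append(comp)
            continue
        norm = normalize_scope(comp)
        if ref not in by_ref:
            by_ref[ref] = norm
            order.append(ref)
        elif by_ref[ref] != norm:
            conflicts.append((ref, differing_fields(by_ref[ref], norm)))
        # identical after normalisation: drop the duplicate
    return [by_ref[r] for r in order] + unkeyed, conflicts


def duplicate_bom_refs(components):
    """bom-ref values that appear more than once (the spec requires uniqueness)."""
    counts = Counter(c["bom-ref"] for c in components if "bom-ref" in c)
    return sorted(ref for ref, n in counts.items() if n > 1)


if __name__ == "__main__":
    bom = deepcopy(SAMPLE_BOM)
    print("duplicate bom-refs before:", duplicate_bom_refs(bom["components"]))
    bom["components"], conflicts = merge_components(bom["components"])
    print("duplicate bom-refs after:", duplicate_bom_refs(bom["components"]))
    for ref, fields in conflicts:
        print(f"CONFLICT {ref}: entries differ on {fields}; kept first-seen")
    print(json.dumps(bom, indent=2))
```

Running it reports the android-json pair as merged cleanly and `pkg:maven/example/lib@1.0` as a conflict on `scope`, which is the case the thread leaves open: `optional` versus `required` is a real difference, so a merger should surface it rather than pick one silently.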