
Merging SBOMs doesn’t get rid of duplicates

Open yaourabi opened this issue 1 year ago • 4 comments

I have a Gradle multi-project build, in which I generate an SBOM for the Java dependencies of each project using the CycloneDX Gradle plugin. I want to merge all the existing SBOMs; however, the resulting SBOM doesn't get rid of duplicated dependencies.

Steps to reproduce

  • Create a build with two sub-projects.

dependencies for the first project

dependencies {
    implementation("org.apache.commons:commons-lang3:3.12.0")
}

dependencies for the second project

dependencies {
    implementation("org.apache.commons:commons-lang3:3.12.0")
    implementation("com.fasterxml.jackson.core:jackson-databind:2.15.3")
}
  • Apply the CycloneDX Gradle plugin for each project
tasks.cyclonedxBom {
    setProjectType("application")
    setSchemaVersion("1.5")
    setDestination(project.file("build/reports"))
    setOutputName("bom2")
    setOutputFormat("json")
    setIncludeBomSerialNumber(false)
    setIncludeLicenseText(true)
    setComponentVersion("2.0.0")
}
  • Generate an SBOM for each project
  • Use the cyclonedx-cli merge command to merge the two SBOMs

CycloneDX CLI version: 0.25.0

CycloneDX Gradle plugin version: 1.7.4

Expected behavior

Although the commons-lang3 dependency is defined in both projects, I only want it to be declared once in the final SBOM.

Current behavior

The current SBOM declares the commons-lang3 dependency twice.

"dependencies": [
    {
      "ref": "pkg:maven/org.apache.commons/[email protected]?type=jar",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/org.example/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/org.apache.commons/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/org.apache.commons/[email protected]?type=jar",
      "dependsOn": []
    },
    {
      "ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
        "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/org.example/[email protected]?type=jar",
      "dependsOn": [
        "pkg:maven/org.apache.commons/[email protected]?type=jar",
        "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar"
      ]
    },
    {
      "ref": "pkg:maven/com.fasterxml.jackson.core/[email protected]?type=jar",
      "dependsOn": []
    }
  ]

yaourabi, Feb 05 '24 13:02

+1

ertl, Apr 19 '24 08:04

+1. This blows up the count of both components and vulnerabilities in Dependency-Track. The use case is the following:

  1. We create an SBOM file for each .csproj separately using the cyclonedx dotnet tool.
  2. Then we merge everything into a single file using the cyclonedx cli tool.
  3. Import the resulting file into Dependency-Track and see over 10k components with lots of duplicates in the project.

zabulus, May 16 '24 21:05
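The workflow in the issue body (one BOM per Gradle sub-project, then `cyclonedx-cli merge`) and the per-.csproj case in the comment above both end with a flat BOM whose `components` and `dependencies` arrays repeat the same purl. Until the CLI offers a deduplicating merge, the merged file can be post-processed before it is imported. The script below is an added example written for this thread; it is not code from cyclonedx-cli, the CycloneDX Gradle plugin or Dependency-Track. It keys components by purl (bom-ref is only unique within a single BOM, while purl is stable across generators), keeps the first copy, rewrites any dropped bom-ref to the kept one inside the dependency graph, and collapses dependency entries per ref by unioning their `dependsOn` lists. The embedded sample BOM is constructed to mirror the shape of the output quoted in the issue; the project names `project-a`/`project-b` and the jackson-core/jackson-annotations transitive entries are assumptions, since the issue does not name them.

```python
"""Collapse duplicate components/dependencies in a flat CycloneDX JSON BOM.

Added example for this issue thread; not code from cyclonedx-cli or the
CycloneDX Gradle plugin.  Usage:  python dedupe_bom.py merged.json > clean.json
"""
import json
import sys
from collections import OrderedDict


def _identity(component):
    """Cross-BOM identity of a component. purl is stable across generators;
    bom-ref is only guaranteed unique within one BOM, so purl is preferred."""
    return (component.get("purl")
            or component.get("bom-ref")
            or ":".join(str(component.get(k, "")) for k in ("group", "name", "version")))


def find_duplicates(bom):
    """Return {identity: occurrences} for every component listed more than once."""
    counts = OrderedDict()
    for c in bom.get("components", []):
        key = _identity(c)
        counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


def dedupe_bom(bom):
    """Return a copy of `bom` with duplicate components and dependency entries merged.

    components:   first occurrence of an identity is kept, later copies dropped; if a
                  dropped copy carried a different bom-ref, that ref is rewritten to the
                  kept copy's bom-ref wherever it appears in the dependency graph.
    dependencies: one entry per ref, holding the union of all dependsOn lists.
    """
    kept = OrderedDict()   # identity -> first component seen
    alias = {}             # bom-ref of a dropped copy -> bom-ref of the kept copy
    for c in bom.get("components", []):
        key = _identity(c)
        if key not in kept:
            kept[key] = c
        elif "bom-ref" in c and "bom-ref" in kept[key] and c["bom-ref"] != kept[key]["bom-ref"]:
            alias[c["bom-ref"]] = kept[key]["bom-ref"]

    def canonical(ref):
        return alias.get(ref, ref)

    deps = OrderedDict()
    for d in bom.get("dependencies", []):
        ref = canonical(d["ref"])
        entry = deps.setdefault(ref, {"ref": ref, "dependsOn": []})
        for target in d.get("dependsOn", []):
            target = canonical(target)
            if target not in entry["dependsOn"]:
                entry["dependsOn"].append(target)

    out = dict(bom)                      # shallow copy; the input is left untouched
    out["components"] = list(kept.values())
    out["dependencies"] = list(deps.values())
    return out


# --- constructed sample mirroring the duplicated merge output quoted in the issue ---
LANG3 = "pkg:maven/org.apache.commons/commons-lang3@3.12.0?type=jar"
DATABIND = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.3?type=jar"
CORE = "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.15.3?type=jar"          # assumed transitive
ANNOT = "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.15.3?type=jar"  # assumed transitive
PROJ_A = "pkg:maven/org.example/project-a@2.0.0?type=jar"   # hypothetical sub-project name
PROJ_B = "pkg:maven/org.example/project-b@2.0.0?type=jar"   # hypothetical sub-project name


def _lib(purl, group, name, version):
    return {"type": "library", "bom-ref": purl, "group": group,
            "name": name, "version": version, "purl": purl}


MERGED_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        _lib(LANG3, "org.apache.commons", "commons-lang3", "3.12.0"),        # from project-a
        _lib(LANG3, "org.apache.commons", "commons-lang3", "3.12.0"),        # from project-b (dup)
        _lib(DATABIND, "com.fasterxml.jackson.core", "jackson-databind", "2.15.3"),
        _lib(CORE, "com.fasterxml.jackson.core", "jackson-core", "2.15.3"),
        _lib(ANNOT, "com.fasterxml.jackson.core", "jackson-annotations", "2.15.3"),
    ],
    "dependencies": [
        {"ref": LANG3, "dependsOn": []},
        {"ref": PROJ_A, "dependsOn": [LANG3]},
        {"ref": CORE, "dependsOn": []},
        {"ref": LANG3, "dependsOn": []},                 # duplicate ref
        {"ref": DATABIND, "dependsOn": [CORE, ANNOT]},
        {"ref": PROJ_B, "dependsOn": [LANG3, DATABIND]},
        {"ref": ANNOT, "dependsOn": []},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = json.load(fh)
    else:
        source = MERGED_BOM
    print("duplicate components:", find_duplicates(source), file=sys.stderr)
    json.dump(dedupe_bom(source), sys.stdout, indent=2)
```

Run `find_duplicates` first and look at what it reports: the script keeps the first copy of each purl and discards the rest, so if two input BOMs disagree on licence, hash or evidence fields for the same purl, only the first copy's fields survive. The per-input `metadata.component` roots are not reconstructed either, because a flat merge has already discarded that structure; if your cyclonedx-cli build offers a hierarchical merge mode (check `cyclonedx-cli merge --help`), that keeps each sub-project's graph separate and is the cleaner fix for the Dependency-Track count problem.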

+1 Some --deduplicate option would be very useful 👍

ferben, Jun 26 '24 18:06