
BUG: SBOM import fails with "The 'for_package' cannot be the same as 'resolved_to_package'" and duplicates number of dependencies

Status: Open. rogu-beta opened this issue 10 months ago (0 comments).

Describe the bug
When importing a particular SBOM created with cdxgen, the load_sbom pipeline succeeds according to ScanCode.io, but DejaCode reports issues importing the dependencies. The error message states: The 'for_package' cannot be the same as 'resolved_to_package'

Repeating the SBOM import causes an additional issue. DejaCode duplicates the number of dependencies, apparently not realizing that these are the same dependencies that have been previously added.

Note: This is the same SBOM as https://github.com/aboutcode-org/scancode.io/issues/1576 where ScanCode reported issues with create_dependecies but the overall pipeline is considered a success.

To Reproduce
Not clear yet. Cannot share actual data at the moment. I will see if an MWE can be provided. If the error provides an indication of what I should look out for in the SBOM, I might be able to find it quicker.

Expected behavior
The SBOM should be properly loaded and no duplicate dependency entries should be added.

Screenshots
[image attached to the issue; not reproduced here]

Context (OS, Browser, Device, etc.):
n.a.

rogu-beta, Feb 10 '25 10:02