
Duplicate packages after merge

Open vargenau opened this issue 1 year ago • 2 comments

example6-src.spdx.txt example6-lib.spdx.txt merge.spdx.json

sbomasm assemble -n merge -v 1 -t "application" -o merge.spdx.json example6-*.spdx 

Both example6-src.spdx and example6-lib.spdx contain identical packages, go.reflect and go.strconv.

In the merge, these packages are present twice.

I would expect no duplicates.

In real-world examples, I have many duplicates.

vargenau avatar Sep 03 '24 16:09 vargenau

Thanks for raising this issue. Will get back to you :+1:

viveksahu26 avatar Sep 03 '24 16:09 viveksahu26

@vargenau yes as mentioned in our readme, we do not remove duplicates, but if that is a requirement we will need to add a mode to each merge algo to remove duplicate components.

A potential Algo to identify duplicates would be

  1. PURL match
  2. CPE match
  3. Name-Version match
  4. Checksum match

We would execute these checks in a sequence; whichever matches indicates it's a duplicate, and we eliminate it.

Thanks for the feature request, will work on this.

riteshnoronha avatar Sep 03 '24 16:09 riteshnoronha
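The four-step check riteshnoronha sketches above, written out as an added Go example (not sbomasm's own code); Component, isDuplicate and Dedupe are names assumed for this illustration, and the "whichever matches" rule is taken literally, so a later check can still match when an earlier one did not.

```go
package main

type Component struct { // minimal SBOM package entry: assumed shape, not sbomasm's own type
	Name, Version, PURL, CPE string
	Checksums                map[string]string // algorithm -> hex digest
}

// isDuplicate runs the proposed checks in sequence (PURL, CPE, name+version,
// checksum); the first match marks b a duplicate of a. A check is skipped when
// either side lacks the field, so two entries with no PURL never match on it.
func isDuplicate(a, b Component) bool {
	switch {
	case a.PURL != "" && a.PURL == b.PURL: // 1. PURL match
		return true
	case a.CPE != "" && a.CPE == b.CPE: // 2. CPE match
		return true
	case a.Name != "" && a.Name == b.Name && a.Version == b.Version: // 3. name-version
		return true
	}
	for alg, sum := range a.Checksums { // 4. any shared algorithm with equal digest
		if sum != "" && b.Checksums[alg] == sum {
			return true
		}
	}
	return false
}

// Dedupe keeps the first occurrence and drops later entries isDuplicate matches.
func Dedupe(in []Component) (out []Component) {
	for _, c := range in {
		dup := false
		for i := 0; i < len(out) && !dup; i++ {
			dup = isDuplicate(out[i], c)
		}
		if !dup {
			out = append(out, c)
		}
	}
	return out
}

// ExampleMerge is constructed input mirroring the report: go.reflect and
// go.strconv appear in both example6-src and example6-lib.
var ExampleMerge = []Component{
	{Name: "go.reflect", Version: "1.21", PURL: "pkg:golang/reflect@1.21"},
	{Name: "go.strconv", Version: "1.21"},
	{Name: "go.reflect", Version: "1.21", PURL: "pkg:golang/reflect@1.21"}, // dup via PURL
	{Name: "go.strconv", Version: "1.21"},                                  // dup via name-version
	{Name: "go.strconv", Version: "1.22"},                                  // different version: kept
}
```

Dedupe(ExampleMerge) keeps three entries; a stricter variant would stop at the first field both sides carry instead of falling through to name-version.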

Any progress on implementing this?

vargenau avatar Nov 21 '24 14:11 vargenau

@vargenau we implemented this for CycloneDX, will move over the logic for SPDX by next release.

riteshnoronha avatar Nov 21 '24 15:11 riteshnoronha

Very good, thank you!

vargenau avatar Nov 21 '24 15:11 vargenau

@vargenau v0.2.0 has been released please give it a shot.

riteshnoronha avatar Dec 09 '24 17:12 riteshnoronha

> @vargenau v0.2.0 has been released please give it a shot.

Yes, I have seen it. I will check. Thank you for the improvement.

vargenau avatar Dec 10 '24 10:12 vargenau