Bug in merging json SBOMs with empty component lists #364
When merging multiple SBOMs and specifying the `--name` and `--version` arguments, the top-level components of the input SBOMs must be added to the components list of the new merged SBOM. However, if the input SBOMs are missing the `components` property, then the top-level components of the input SBOMs will not be added to the list of components of the merged SBOM.

Reproduction:

Consider the following 3 minimal SBOMs:

bom1.json
bom2.json
bom3.json

Now let's merge the 3 input SBOMs:

```sh
cyclonedx-win-x64.exe merge --input-files "bom1.json" "bom2.json" "bom3.json" --output-file "merged.json" --name "merged" --version "merged"
```

Result:

merged.json

As you can see in the result, the `components` property is missing and the top-level components of the input SBOMs are lost. Interestingly, components would be added only after the first input SBOM that contains a `components` property is merged. If bom2.json contains the `components` property, then the result would be:

bom2.json
merged.json

Comments

Also, it is worth mentioning that the

Reproduction:

bom1.json (the `components` property is present in the original SBOM):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:957c05a9-5f45-4fhm-aaa1-49df4c08c61a",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-18T11:24:03Z",
    "component": {
      "type": "container",
      "bom-ref": "container1",
      "name": "container1",
      "version": "1",
      "purl": "container1@1"
    }
  },
  "dependencies": [
    {
      "dependsOn": [],
      "ref": "container1@1"
    }
  ],
  "components": []
}
```

Convert the JSON to XML; the resulting bom1.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:957c05a9-5f45-4fhm-aaa1-49df4c08c61a" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
  <metadata>
    <timestamp>2024-04-18T11:24:03Z</timestamp>
    <component type="container" bom-ref="container1">
      <name>container1</name>
      <version>1</version>
      <purl>container1@1</purl>
    </component>
  </metadata>
  <components />
  <dependencies>
    <dependency ref="container1@1" />
  </dependencies>
</bom>
```

Now convert the XML SBOM back to JSON; the resulting bom1.json (the `components` property is missing here):

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:957c05a9-5f45-4fhm-aaa1-49df4c08c61a",
  "version": 1,
  "metadata": {
    "timestamp": "2024-04-18T11:24:03Z",
    "component": {
      "type": "container",
      "bom-ref": "container1",
      "name": "container1",
      "version": "1",
      "licenses": [],
      "purl": "container1@1"
    },
    "licenses": [],
    "lifecycles": []
  },
  "dependencies": [
    {
      "ref": "container1@1"
    }
  ],
  "vulnerabilities": [],
  "annotations": [],
  "properties": [],
  "formulation": []
}
```

This behavior is caused by the check. In general, the question would be what exactly the semantics of the flat merge need to be; compare also

I believe that the current design of the flat merge command when specifying the
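As an added illustration that is not code from the cyclonedx-cli project or from the reporter, the following Python model reproduces the two behaviours discussed above: the flat merge dropping the top-level component of any input that has no `components` property, and the JSON to XML to JSON round trip turning an empty `components` list into a missing property, which makes the first problem hit SBOMs that originally had the property. Next to it is a corrected merge that always materialises the list, and a consumer-side check that reports which inputs' top-level components are absent from a merged SBOM. The input documents, bom-refs, library name and the modelled merge logic are all constructed assumptions for this example.

```python
"""Model of the flat-merge behaviour reported in cyclonedx-cli issue #364.

Added example: a Python approximation of the reported behaviour, not the
project's own code. All inputs below are constructed for illustration.
"""
from copy import deepcopy


def make_bom(ref: str, components=None) -> dict:
    """Minimal CycloneDX 1.5 document whose metadata.component is a container.

    components=None omits the `components` property; [] includes it empty.
    """
    name, version = ref.split("@")
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "container", "bom-ref": ref,
                          "name": name, "version": version, "purl": ref}
        },
        "dependencies": [{"ref": ref, "dependsOn": []}],
    }
    if components is not None:
        bom["components"] = components
    return bom


# Constructed inputs (hypothetical, not the issue's attachments): bom1 carries an
# empty list, bom2 omits the property, bom3 lists one library component.
BOM1 = make_bom("container1@1", components=[])
BOM2 = make_bom("container2@1")
BOM3 = make_bom("container3@1", components=[
    {"type": "library", "bom-ref": "pkg:generic/libfoo@2.0",
     "name": "libfoo", "version": "2.0"}
])


def strip_empty_lists(bom: dict) -> dict:
    """Emulate the JSON -> XML -> JSON round trip from the comment: an empty
    top-level `components` list comes back as no property at all."""
    return {k: v for k, v in bom.items() if v != []}


def _header(name: str, version: str) -> dict:
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"component": {"type": "application", "name": name,
                                   "version": version,
                                   "bom-ref": f"{name}@{version}"}},
    }


def flat_merge_as_reported(boms, name: str, version: str) -> dict:
    """Assumed model of the reported behaviour (not the tool's real logic):
    the merged `components` list only exists once an input that has a
    `components` property has been merged; earlier inputs are skipped."""
    merged = _header(name, version)
    for bom in boms:
        if "components" not in merged:
            if "components" not in bom:
                continue  # modelled bug: input skipped, its metadata.component is lost
            merged["components"] = deepcopy(bom["components"])
        else:
            merged["components"].extend(deepcopy(bom.get("components", [])))
        top = bom.get("metadata", {}).get("component")
        if top:
            merged["components"].append(deepcopy(top))
    return merged


def flat_merge_fixed(boms, name: str, version: str) -> dict:
    """Corrected variant: always create `components`, add every input's
    metadata.component regardless of the input's own `components` property,
    and keep each bom-ref once."""
    merged = _header(name, version)
    merged["components"] = []
    seen = set()
    for bom in boms:
        top = bom.get("metadata", {}).get("component")
        candidates = ([top] if top else []) + bom.get("components", [])
        for comp in candidates:
            ref = comp.get("bom-ref")
            if ref in seen:
                continue
            if ref:
                seen.add(ref)
            merged["components"].append(deepcopy(comp))
    return merged


def missing_top_level_refs(inputs, merged: dict) -> list:
    """Consumer-side check: bom-refs of input metadata.components that are
    absent from the merged components list. Suitable as a post-merge gate."""
    present = {c.get("bom-ref") for c in merged.get("components", [])}
    return [b["metadata"]["component"]["bom-ref"] for b in inputs
            if b["metadata"]["component"]["bom-ref"] not in present]


if __name__ == "__main__":
    inputs = [BOM1, BOM2, BOM3]
    round_tripped = [strip_empty_lists(b) for b in inputs]
    print("reported model drops:", missing_top_level_refs(
        inputs, flat_merge_as_reported(round_tripped, "merged", "merged")))
    print("fixed merge drops:   ", missing_top_level_refs(
        inputs, flat_merge_fixed(round_tripped, "merged", "merged")))
```

Running the module shows the reported model losing `container1@1` and `container2@1` once the empty list has been round-tripped away, while the same inputs merge completely when bom1 still carries `"components": []`; the fixed merge is insensitive to the difference. The `missing_top_level_refs` check is the part worth keeping in a pipeline: an inventory that silently loses whole containers is the kind of gap a vulnerability scan run over the merged SBOM will never report.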