The Component __lt__ function can result in invalid components SortedSet
#586
Comments
madpah
changed the title
__lt__ function can result in invalid components SortedSet
|
Whilst ordering is not important according to the CycloneDX schemas, the current implementation with it's use of I see no reason to update the |
|
If the bom has multiple components that have the same And since the remove SortedSet remove function tries to remove from both _set and _list, the command will raise an Exception. |
|
re: #586 (comment) |
Signed-off-by: Paul Horton <paul.horton@owasp.org>
|
An example would be having packages for: https://repo1.maven.org/maven2/com/google/googlejavaformat/google-java-format/1.19.1 Which contains jars for This is distinguished via purl. e.g.
though the actual components have the same type/group/name/version |
{
"bom-ref": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1",
"group": "com.google.googlejavaformat",
"name": "google-java-format",
"purl": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1",
"type": "library",
"version": "1.19.1"
},
{
"bom-ref": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1?classifier=all-deps",
"group": "com.google.googlejavaformat",
"name": "google-java-format",
"purl": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1?classifier=all-deps",
"type": "library",
"version": "1.19.1"
},
{
"bom-ref": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1?classifier=sources",
"group": "com.google.googlejavaformat",
"name": "google-java-format",
"purl": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1?classifier=sources",
"type": "library",
"version": "1.19.1"
}, |
|
re: #586 (comment) @joe-dipilato I do not understand. Why do you have the exact same component used multiple times? Is the following not the only correct form? {
"bom-ref": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1",
"group": "com.google.googlejavaformat",
"name": "google-java-format",
"purl": "pkg:maven/com.google.googlejavaformat/google-java-format@1.19.1",
"type": "library",
"version": "1.19.1",
"externalReferences": [
{
"type": "distribution",
"url": "https://repo1.maven.org/maven2/com/google/googlejavaformat/google-java-format/1.19.1/google-java-format-1.19.1.jar"
}
// other external refs here ... maybe to `bom`, `sources`, etc...
]
}what is the practical use case in which you would have 4 different versions of |
|
@jkowalleck - Yeah this is based on a real-world example. If you take a look at https://repo1.maven.org/maven2/com/google/googlejavaformat/google-java-format/1.19.1/ There are many packages that need a qualifier to distinguish. |
|
@joe-dipilato and you have a CycloneDX which includes multiple of the |
|
In this case it's included in a bundled software artifact along several other software items that are distinguished by qualiers. As long as it's part of a real software distribution, I believe that the CycloneDx format is intended be able to represent the software dependencies. |
|
thank you for clarification. 💡 |
Since the lt function only compares type, group, name, version, the components SortedSet can have their ordering violated
This violates the constraints that containers use to track their elements.
Since adding or removing items from the sorted set will only be ordered based on the lt operator, items that have the same type/group/name/version are not ordered deterministically. this can result in checks for contains to pass for ._set but fail for _list.
An example use case is when an SBOM has multiple components that have the same type, group, name, and version, but DIFFERENT qualifiers etc..
The solution just requires updating the lt function to include additional criteria including the purl, cpe, etc...
An additional side-effect of the current lt operation is that the contents produced from the exact same code can produce different outputs.
The text was updated successfully, but these errors were encountered: