fix(sbom): duplicate dependson #3261
Conversation
@@ -205,6 +205,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com | |||
pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath) | |||
if _, ok := bomRefMap[pkgID]; !ok { | |||
bomRefMap[pkgID] = pkgComponent.BOMRef | |||
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef}) |
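Review bot: the append to componentDependencies is now guarded by the bomRefMap lookup on pkgID, but nothing in the hunk records why the same pkgID can occur twice within one result even though componentDependencies is built per types.Result; a short comment above `if _, ok := bomRefMap[pkgID]; !ok {` naming the source of the repeats (packages of several binaries aggregated into one result, as the discussion below concludes) would save the next reader the same question. Note also that the key built by `packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)` includes the file path, so the same package at two different paths still yields two dependsOn entries; if that is intended, say so in the same comment.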
Why could it be duplicated? `componentDependencies` is defined per `types.Result`. The duplicate should not exist in `Result.Packages`.
@@ -247,8 +246,8 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com | |||
} | |||
} | |||
|
|||
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || result.Type == ftypes.GoBinary || | |||
result.Type == ftypes.GemSpec || result.Type == ftypes.Jar || result.Type == ftypes.RustBinary { | |||
if result.Type == ftypes.NodePkg || result.Type == ftypes.PythonPkg || |
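Review bot: removing ftypes.GoBinary and ftypes.RustBinary from the result.Type condition is a behaviour change (results of those types are no longer aggregated), not merely a de-duplication fix, so it should be stated in the PR description and a comment above the condition should record which result types are aggregated and why binary types are excluded. Style: the growing `||` chain over ftypes constants reads better as a lookup in a named slice or set of aggregatable types.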
Looks like this is the root. We aggregate Go/Rust binaries by mistake.
Are we no longer aggregating these components with this change, or would this only filter duplicates?
We no longer aggregate dependencies in Go/Rust binaries. It should have been a mistake.
Oh no. I was relying on this feature in my project. Any ideas for enabling go/rust binary parsing while generating SBoM with the new release?
No problem.
This feature modifies packages that depend on binaries so that they are not aggregated.
Before (aggregate packages with the golang):
golang
- package A
- package B
- package C
After (aggregate packages with the package):
Binary A
- package A
- package B
Binary B
- package C
We just don't aggregate those dependencies. You are still able to see those packages in SBOM.
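To make the guard in the first hunk concrete, the following is an added Go example and not Trivy's code: the `Package`, `Dependency` and `dependsOn` names and the bom-ref format are constructed stand-ins. It builds a per-result dependsOn list with and without the bomRefMap check, and also shows that the same package at a different file path keeps its own entry because the path is part of the key.

```go
package main

import (
	"fmt"
	"strings"
)

// Package is a hypothetical stand-in for one package of a scan result.
type Package struct {
	Name, Version, FilePath string
}

// Dependency is a hypothetical stand-in for a CycloneDX dependency entry.
type Dependency struct {
	Ref string
}

// packageID mirrors the de-duplication key: target, name, version and file path.
func packageID(target, name, version, filePath string) string {
	return strings.Join([]string{target, name, version, filePath}, ":")
}

// dependsOn builds the dependsOn list for one result. With guard=true the
// append only happens when the pkgID has not been seen (the fixed behaviour);
// with guard=false every package appends an entry (the behaviour that produced
// duplicate dependsOn refs when packages of several binaries were aggregated).
func dependsOn(target string, pkgs []Package, guard bool) []Dependency {
	bomRefMap := map[string]string{}
	var deps []Dependency
	for _, p := range pkgs {
		// Constructed bom-ref format; the path qualifier keeps refs distinct per path.
		ref := "pkg:" + p.Name + "@" + p.Version + "?file_path=" + p.FilePath
		id := packageID(target, p.Name, p.Version, p.FilePath)
		if _, seen := bomRefMap[id]; seen && guard {
			continue // already recorded for this result: skip the duplicate
		}
		bomRefMap[id] = ref
		deps = append(deps, Dependency{Ref: ref})
	}
	return deps
}

func main() {
	// Constructed input: "package A" reported twice for the same target and path,
	// plus once more from a second binary at another path.
	pkgs := []Package{
		{"package A", "1.0.0", "usr/bin/a"},
		{"package B", "1.0.0", "usr/bin/a"},
		{"package A", "1.0.0", "usr/bin/a"},
		{"package A", "1.0.0", "usr/bin/b"},
	}
	fmt.Println(len(dependsOn("golang", pkgs, false)), len(dependsOn("golang", pkgs, true)))
}
```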
Thank you, @masahiro331 and @knqyf263, for the detailed explanation!