Skip to content

fix(sbom): deduplicate sbom dependencies#7992

Merged
wraithgar merged 1 commit intolatestfrom
bdehamer/issue-6967
Dec 20, 2024
Merged

fix(sbom): deduplicate sbom dependencies#7992
wraithgar merged 1 commit intolatestfrom
bdehamer/issue-6967

Conversation

@bdehamer
Copy link
Contributor

@bdehamer bdehamer commented Dec 18, 2024

Certain project dependency trees may result in an SBOM with duplicate entries. This fix ensures that each unique dependency (identified by the combination of package name and version) only appears in the SBOM once. Applies to both SPDX and CycloneDX SBOM formats.

Specific to the CycloneDX format, this change also removes the cdx:npm:package:path property from the component entries in the generated SBOM. Since the same package may be present at multiple paths within the project and we're now de-duplicating those packages, it no longer makes sense to include this in the SBOM. This does not impact the SPDX format as there is no equivalent property.

Fixes: #6967

@bdehamer bdehamer requested a review from a team as a code owner December 18, 2024 23:07
@bdehamer bdehamer marked this pull request as draft December 18, 2024 23:17
@bdehamer bdehamer force-pushed the bdehamer/issue-6967 branch from 2869bea to fef6c57 Compare December 18, 2024 23:19
@bdehamer
fix(sbom) deduplicate dependencies
54caf08 
Certain project dependency trees may result in an SBOM with duplicate
entries. This fix ensures that each unique dependency (identified by
the combination of package name and version) only appears in the SBOM
once. Applies to both SPDX and CycloneDX SBOM formats.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/issue-6967 branch from fef6c57 to 54caf08 Compare December 19, 2024 19:01
@bdehamer bdehamer changed the title fix(sbom) deduplicate sbom dependencies fix(sbom): deduplicate sbom dependencies Dec 19, 2024
@bdehamer bdehamer marked this pull request as ready for review December 19, 2024 19:06
wraithgar
wraithgar reviewed Dec 20, 2024
View reviewed changes
@wraithgar wraithgar merged commit ab9ddc0 into latest Dec 20, 2024
@wraithgar wraithgar deleted the bdehamer/issue-6967 branch December 20, 2024 16:55
@github-actions github-actions bot mentioned this pull request Dec 20, 2024
Merged
@npm-cli-bot npm-cli-bot mentioned this pull request Jan 29, 2025
Merged
@milaninfy milaninfy mentioned this pull request Mar 12, 2025
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wraithgar wraithgar wraithgar approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] SBOM generation for CycloneDX generates duplicate dependencies

2 participants

@bdehamer @wraithgar