-
-
Notifications
You must be signed in to change notification settings - Fork 63
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merging SBOMs doesn’t get rid of duplicates #356
Comments
+1 |
+1. This blows up count of both components and vulnerabilities in dependency-track.
|
+1 |
+1 Similar flow, we have individual components but also a global "the world" release level component that dependency resolution may be helpful at. Foreach SBOM merged in I see a separate Component. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I have a Gradle multi-project build, in which i generate an SBOM for java dependencies for each project using the CycloneDX Gradle plugin. I want to merge all the existing SBOMs, however the resulting SBOM doesn’t get rid of duplicated dependencies.
Steps to reproduce
dependencies for the first project
dependencies for the second project
merge
command to merge the two SBOMsCycloneDX cli version: 0.25.0
0.25.0
CycloneDX Gradle plugin version:
1.7.4
Expected behavior
although the commons-lang3 dependency is defined in both projects, I only want it to be declared in the final SBOM once.
Current behavior
the current SBOM declares the commons-lang3 dependency twice.
The text was updated successfully, but these errors were encountered: