metadata.tools not merged correctly when one SBOM uses legacy format and the other uses the newer format #408
@WIStudent I can see why this is happening, but I'm not sure what the best way is to resolve it. Here is the rough summary:

As a side note, I think the XML serialization will write out both variants (and thus violate the specs).

It is a tricky problem because an automatic conversion between the legacy format and the new format would require making some assumptions. One solution could be to let the user choose a

Another solution would be to only implement the

In my case I have a Java Spring application that uses npm dependencies for parts of its frontend. I am using
I have 2 SBOM files. One created with `cyclonedx-maven-plugin` and one created with `@cyclonedx/cyclonedx-npm` (I removed irrelevant parts for readability).

`cyclonedx-maven-plugin` creates an SBOM that uses the newer format for the `metadata.tools` field, `@cyclonedx/cyclonedx-npm` creates one that uses the legacy format. If I try to merge these two SBOMs, only the tools in the legacy format are included in the result:

```shell
cyclonedx-cli merge --input-files maven-sbom.json npm-sbom.json --output-format json > merged-sbom.json
```

The order of the input files did not matter.
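An added illustration of the merge the report asks for (not code from cyclonedx-cli or either plugin): normalise `metadata.tools` from both shapes into the newer `components`/`services` object before merging, so neither side is dropped. Assumptions, as the maintainer notes any conversion must make: each legacy entry becomes a component of type `"application"`, its `vendor` is carried as `publisher`, and duplicates are collapsed on (name, version); the input SBOMs and version strings are constructed.

```python
"""Merge metadata.tools across CycloneDX SBOMs that use different tool
representations: the legacy array vs. the newer components/services object.
Illustrative code, not cyclonedx-cli's implementation."""
import json

# Constructed inputs mirroring the report: newer format from the Maven side,
# legacy array from the npm side. Version numbers are placeholders.
MAVEN_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "metadata": {"tools": {
    "components": [{"type": "application", "group": "org.cyclonedx",
                    "name": "cyclonedx-maven-plugin", "version": "1.0.0"}]}}}
NPM_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "metadata": {"tools": [
    {"vendor": "@cyclonedx", "name": "cyclonedx-npm", "version": "1.0.0"}]}}


def normalize_tools(tools):
    """Return tools in the newer {"components": [...], "services": [...]} shape.
    A legacy list is converted entry by entry (assumption: every legacy tool
    becomes a component of type "application", vendor mapped to publisher)."""
    if tools is None:
        return {"components": [], "services": []}
    if isinstance(tools, list):  # legacy format
        comps = []
        for t in tools:
            c = {"type": "application", "name": t.get("name", "")}
            if "version" in t:
                c["version"] = t["version"]
            if "vendor" in t:
                c["publisher"] = t["vendor"]  # assumption: vendor ~ publisher
            comps.append(c)
        return {"components": comps, "services": []}
    return {"components": list(tools.get("components", [])),  # newer format
            "services": list(tools.get("services", []))}


def merge_tools(*sboms):
    """Merge metadata.tools from several SBOMs regardless of input format,
    keeping first-seen order and dropping exact (name, version) duplicates."""
    merged = {"components": [], "services": []}
    seen = set()
    for sbom in sboms:
        norm = normalize_tools(sbom.get("metadata", {}).get("tools"))
        for kind in ("components", "services"):
            for entry in norm[kind]:
                key = (kind, entry.get("name"), entry.get("version"))
                if key not in seen:
                    seen.add(key)
                    merged[kind].append(entry)
    return merged


if __name__ == "__main__":
    print(json.dumps(merge_tools(MAVEN_SBOM, NPM_SBOM), indent=2))
```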