[BUG] SBOM generation for CycloneDX generates duplicate dependencies #6967
Comments
did you experience the same issue when generating the SBOM via official tooling https://github.com/CycloneDX/cyclonedx-node-npm ?
@bdehamer see my earlier remarks related to intrinsically impossible deduplication in
@jamietanna I'm digging into this issue and considering a couple of different solutions. I'd be curious to hear which of these best meets the need of your SBOM use cases . . .

The Issue

In certain circumstances, it is not possible for npm to completely deduplicate packages in the

My

Since version 1.14.1 of

This is why the resulting SBOM fails validation -- we end up with multiple entries which have identical

Solution 1

One way to address this would be to treat each package that appears in the tree as a distinct dependency -- even if it is technically identical to some other dependency already present in the tree. Given the example above, this solution would result in

[
  {
    "bom-ref": "foo@0.0.1-tslib@1.14.1",
    "type": "library",
    "name": "tslib",
    "version": "1.14.1"
  },
  {
    "bom-ref": "bar@0.0.1-tslib@1.14.1",
    "type": "library",
    "name": "tslib",
    "version": "1.14.1"
  }
]

I believe that this is similar to how cyclonedx-node-npm solves this problem.

Solution 2

The other approach would be to deduplicate the packages before adding them to the SBOM. Instead of literally mirroring the layout of packages in the

[
  {
    "bom-ref": "tslib@1.14.1",
    "type": "library",
    "name": "tslib",
    "version": "1.14.1"
  }
]

In this case, we're not trying to represent the layout of the

I think there are cases to be made for either of these solutions, but I'd like to know which of these best matches the output you'd expect to see in a valid SBOM?
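The two solutions above, as an added example that is not code from npm or from cyclonedx-node-npm. It takes a constructed node_modules-style tree in which npm could not hoist tslib (foo and bar each carry their own copy of tslib@1.14.1), builds the CycloneDX "components" array three ways (the colliding one-to-one mirroring behind the report, Solution 1 with path-qualified bom-refs, and Solution 2 with deduplication plus a merged "dependencies" graph), and runs the uniqueness check on bom-ref that validators such as sbom-utility and Dependency-Track enforce. The bom-ref scheme for Solution 1 (parent ref joined with "-") is an assumption modelled on the refs shown in the comment; the tree shape, names and versions are constructed.

```javascript
// Added example, not npm's or cyclonedx-node-npm's code. Demonstrates why a
// mirrored node_modules tree yields duplicate bom-ref values and how the two
// proposed solutions avoid that.

// Constructed sample tree: root depends on foo and bar, and each of them has
// its own nested copy of tslib@1.14.1 that npm could not deduplicate.
const sampleTree = {
  name: "root", version: "1.0.0",
  dependencies: {
    foo: { name: "foo", version: "0.0.1",
           dependencies: { tslib: { name: "tslib", version: "1.14.1" } } },
    bar: { name: "bar", version: "0.0.1",
           dependencies: { tslib: { name: "tslib", version: "1.14.1" } } },
  },
};

const purl = (pkg) => `${pkg.name}@${pkg.version}`;

// Depth-first walk over the tree. `visit` returns the bom-ref it assigned to
// a package so that nested packages can build on it.
function walk(node, parentRef, visit) {
  for (const child of Object.values(node.dependencies || {})) {
    walk(child, visit(child, parentRef), visit);
  }
}

// How the reported bug manifests: the tree is mirrored one-to-one into the
// components array and bom-ref is just name@version, so the two nested
// copies of tslib collide.
function buildMirrored(root) {
  const components = [];
  walk(root, purl(root), (pkg) => {
    const ref = purl(pkg);
    components.push({ "bom-ref": ref, type: "library", name: pkg.name, version: pkg.version });
    return ref;
  });
  return components;
}

// Solution 1: keep one component per occurrence, but qualify the bom-ref with
// the parent's ref (assumed scheme, e.g. "foo@0.0.1-tslib@1.14.1").
function buildPerPath(root) {
  const components = [];
  const rootRef = purl(root);
  walk(root, rootRef, (pkg, parentRef) => {
    const ref = parentRef === rootRef ? purl(pkg) : `${parentRef}-${purl(pkg)}`;
    components.push({ "bom-ref": ref, type: "library", name: pkg.name, version: pkg.version });
    return ref;
  });
  return components;
}

// Solution 2: deduplicate on name@version before emitting, and merge the
// dependency graph so that both foo and bar point at the single tslib entry.
function buildDeduplicated(root) {
  const components = new Map();
  const dependsOn = new Map([[purl(root), new Set()]]);
  walk(root, purl(root), (pkg, parentRef) => {
    const ref = purl(pkg);
    if (!components.has(ref)) {
      components.set(ref, { "bom-ref": ref, type: "library", name: pkg.name, version: pkg.version });
      dependsOn.set(ref, new Set());
    }
    dependsOn.get(parentRef).add(ref);
    return ref;
  });
  return {
    components: [...components.values()],
    dependencies: [...dependsOn].map(([ref, deps]) => ({ ref, dependsOn: [...deps].sort() })),
  };
}

// The constraint the validators reject on: every bom-ref in a BOM must be
// unique. Returns the list of colliding refs (empty means the check passes).
function duplicateBomRefs(components) {
  const seen = new Set();
  const dupes = new Set();
  for (const c of components) {
    if (seen.has(c["bom-ref"])) dupes.add(c["bom-ref"]);
    seen.add(c["bom-ref"]);
  }
  return [...dupes];
}

console.log("mirrored, duplicate bom-refs:", duplicateBomRefs(buildMirrored(sampleTree)));
console.log("solution 1 bom-refs:", buildPerPath(sampleTree).map((c) => c["bom-ref"]));
console.log("solution 2:", JSON.stringify(buildDeduplicated(sampleTree), null, 2));
```

Running it shows the mirrored build reporting `tslib@1.14.1` as a duplicate, Solution 1 producing four distinct refs, and Solution 2 producing three components with a "dependencies" graph in which both `foo@0.0.1` and `bar@0.0.1` depend on the one `tslib@1.14.1` component, which is the information the tree layout was carrying.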
It's been a while - but I'd strongly vote for option 2.
We use OWASP Dependency-Track and just updated it to v4.11.1. It now validates uploaded SBOMs and rejects those generated by npm:
It sounds like the problem is duplicate entries. The official tooling does not exhibit this problem.
You may want to try CycloneDX's official SBOM generator for NPM - it is properly maintained and does not have those issues.
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
The generated CycloneDX SBOM may not be able to be parsed by tools, as it generates duplicate dependencies.
Expected Behavior
A CycloneDX v1.5 SBOM generated from a repository can be parsed correctly.
Steps To Reproduce
npm sbom --sbom-format cyclonedx > cyclonedx.json
go run github.com/CycloneDX/sbom-utility@latest validate --input-file cyclonedx.json
renovate-graph.cyclonedx.json
Environment