
call new flatMerge method #305

Open: wants to merge 2 commits into base: main
Conversation

@fnxpt fnxpt commented Feb 8, 2023

Signed-off-by: Marlon Tojal <marlont@backbase.com>
@fnxpt fnxpt (Author) commented Jun 9, 2023

@coderpatros can you merge this and create a new version

@jimklimov jimklimov (Contributor) left a comment

Tried to build this change: it also needs a bump in src/cyclonedx/cyclonedx.csproj to a newer CycloneDX.Utils (5.4.0 is current) to include the library API update from CycloneDX/cyclonedx-dotnet-library#199

Nearby, CycloneDX.Spdx.Interop referred to the same version, so bump it too, probably?..

    <PackageReference Include="CycloneDX.Utils" Version="5.2.3" />
    <PackageReference Include="CycloneDX.Spdx.Interop" Version="5.2.3" />

@jimklimov jimklimov (Contributor) commented

Works great for me, cut a top-level project SBOM from 36K apparent components to 1K :)

Still, for some items I see dupes; in my case these are components that originated from Maven POM dependency trees and have different scope values (e.g. missing in one dep-tree branch and required in another, I suppose; maybe I misunderstood this progeny, after all the "scope" in question is a CycloneDX concept and not necessarily related to a Maven concept).

The resulting big merged SBOM thus has several entries under components for the specified bom-ref, which contradicts the spec, which requires these to be unique in the document: https://cyclonedx.org/docs/1.4/json/#metadata_component_bom-ref

Would it be possible to further mash together existing objects with the same identifier? In particular, an absent scope and a "required" scope SHOULD per spec be treated as equivalent, so those are an easy target: https://cyclonedx.org/docs/1.4/json/#metadata_component_scope

Signed-off-by: Marlon Pina Tojal <marlont@backbase.com>
@fnxpt fnxpt (Author) commented Jul 20, 2023

@jimklimov maybe you can post some examples of the nodes that are duplicated.

@jimklimov jimklimov (Contributor) commented

Sure, for example:

    {
      "type": "library",
      "bom-ref": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
      "group": "com.vaadin.external.google",
      "name": "android-json",
      "version": "0.0.20131108.vaadin1",
      "description": "\u00A0\u00A0JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK \u00A0",
      "scope": "required",
      "hashes": [
        {
          "alg": "MD5",
          "content": "10612241a9cc269501a7a2b8a984b949"
        },
        {
          "alg": "SHA-1",
          "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"
        },
        {
          "alg": "SHA-256",
          "content": "dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79"
        },
        {
          "alg": "SHA-512",
          "content": "c4a06a0a3ce7bdbee702c06944265c050a4c8d2fbd21c248936e2edfdab63acea30f2cf3568d3c21a559940d939985a8b10d30aff972a3e8cbeb392c0b02da3a"
        },
        {
          "alg": "SHA-384",
          "content": "60d1044b5439cdf5eb621118cb0581365ab4f023a30998b238b87854236f03d8395d45b0262fb812335ff904cb77f25f"
        },
        {
          "alg": "SHA3-384",
          "content": "b80ebdbec2127279ca402ca52e50374d3ca773376258f6aa588b442822ee7362de8cca206db71b79862bde84018cf450"
        },
        {
          "alg": "SHA3-256",
          "content": "6285b1ac8ec5fd339c7232affd9c08e6daf91dfa18ef8ae7855f52281d76627e"
        },
        {
          "alg": "SHA3-512",
          "content": "de7ed83f73670213b4eeacfd7b3ceb7fec7d88ac877f41aeaacf43351d04b34572f2edc9a8f623af5b3fccab3dac2cc048f5c8803c1d4dcd1ff975cd6005124d"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "url": "https://www.apache.org/licenses/LICENSE-2.0"
          }
        }
      ],
      "purl": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
      "externalReferences": [
        {
          "url": "http://developer.android.com/sdk",
          "type": "website"
        },
        {
          "url": "http://oss.sonatype.org/content/repositories/vaadin-releases/",
          "type": "distribution"
        },
        {
          "url": "http://developer.android.com/sdk/",
          "type": "vcs"
        }
      ]
    },

vs. same without a scope:

    {
      "type": "library",
      "bom-ref": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
      "group": "com.vaadin.external.google",
      "name": "android-json",
      "version": "0.0.20131108.vaadin1",
      "description": "\u00A0\u00A0JSON (JavaScript Object Notation) is a lightweight data-interchange format. This is the org.json compatible Android implementation extracted from the Android SDK \u00A0",
      "hashes": [
        {
          "alg": "MD5",
          "content": "10612241a9cc269501a7a2b8a984b949"
        },
        {
          "alg": "SHA-1",
          "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"
        },
        {
          "alg": "SHA-256",
          "content": "dfb7bae2f404cfe0b72b4d23944698cb716b7665171812a0a4d0f5926c0fac79"
        },
        {
          "alg": "SHA-512",
          "content": "c4a06a0a3ce7bdbee702c06944265c050a4c8d2fbd21c248936e2edfdab63acea30f2cf3568d3c21a559940d939985a8b10d30aff972a3e8cbeb392c0b02da3a"
        },
        {
          "alg": "SHA-384",
          "content": "60d1044b5439cdf5eb621118cb0581365ab4f023a30998b238b87854236f03d8395d45b0262fb812335ff904cb77f25f"
        },
        {
          "alg": "SHA3-384",
          "content": "b80ebdbec2127279ca402ca52e50374d3ca773376258f6aa588b442822ee7362de8cca206db71b79862bde84018cf450"
        },
        {
          "alg": "SHA3-256",
          "content": "6285b1ac8ec5fd339c7232affd9c08e6daf91dfa18ef8ae7855f52281d76627e"
        },
        {
          "alg": "SHA3-512",
          "content": "de7ed83f73670213b4eeacfd7b3ceb7fec7d88ac877f41aeaacf43351d04b34572f2edc9a8f623af5b3fccab3dac2cc048f5c8803c1d4dcd1ff975cd6005124d"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "Apache-2.0",
            "url": "https://www.apache.org/licenses/LICENSE-2.0"
          }
        }
      ],
      "purl": "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar",
      "externalReferences": [
        {
          "url": "http://developer.android.com/sdk",
          "type": "website"
        },
        {
          "url": "http://oss.sonatype.org/content/repositories/vaadin-releases/",
          "type": "distribution"
        },
        {
          "url": "http://developer.android.com/sdk/",
          "type": "vcs"
        }
      ]
    },

In the original SBOMs (and the merged one without this PR in the tool) there were 113 mentions of the component; now just these two. It will take some time and effort to check whether the others differ by just scope or by something else. It might in fact be faster to fix this one and see if any other duplicates remain, I'll try something of the sort :D
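One way to do the further "mashing together" asked for above, as an added example that is not part of this PR or of the cyclonedx-cli code base (Python rather than the project's C#, so it can be run on a merged JSON SBOM directly). The sample components are constructed abbreviations of the two entries quoted in the comment, and `normalize_scope`/`dedupe_components` are assumed helper names, not an API of the project: entries with the same bom-ref collapse when they are identical once an absent scope is read as "required" (spec SHOULD), and any bom-ref whose entries still disagree is reported rather than silently resolved, because that is the spec violation a human needs to look at.

```python
import json
from copy import deepcopy

# Constructed sample, abbreviated from the two entries quoted in the comment above:
# identical bom-ref, one entry carrying "scope": "required" and one carrying no scope.
BOM_REF = "pkg:maven/com.vaadin.external.google/android-json@0.0.20131108.vaadin1?type=jar"
SAMPLE_COMPONENTS = [
    {"type": "library", "bom-ref": BOM_REF, "group": "com.vaadin.external.google",
     "name": "android-json", "version": "0.0.20131108.vaadin1", "scope": "required",
     "hashes": [{"alg": "SHA-1", "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"}]},
    {"type": "library", "bom-ref": BOM_REF, "group": "com.vaadin.external.google",
     "name": "android-json", "version": "0.0.20131108.vaadin1",
     "hashes": [{"alg": "SHA-1", "content": "fa26d351fe62a6a17f5cda1287c1c6110dec413f"}]},
]


def normalize_scope(component):
    """CycloneDX 1.4: an absent scope SHOULD be treated as 'required' (assumed helper)."""
    normalized = deepcopy(component)
    normalized.setdefault("scope", "required")
    return normalized


def canonical(component):
    """Key-order-independent serialization so two component dicts compare by content."""
    return json.dumps(component, sort_keys=True, separators=(",", ":"))


def dedupe_components(components):
    """Collapse entries sharing a bom-ref that are identical after scope normalization.

    Returns (deduplicated components, bom-refs whose entries still disagree). The first
    record wins for a disagreeing bom-ref, but the ref is reported so the conflict is
    not hidden. Entries without a bom-ref cannot be matched and pass through unchanged.
    """
    merged, passthrough, conflicts = {}, [], []
    for component in components:
        ref = component.get("bom-ref")
        if ref is None:
            passthrough.append(deepcopy(component))
            continue
        normalized = normalize_scope(component)
        if ref not in merged:
            merged[ref] = normalized
        elif canonical(merged[ref]) != canonical(normalized) and ref not in conflicts:
            conflicts.append(ref)
    return list(merged.values()) + passthrough, conflicts
```

Run it over `bom["components"]` of the merged document; a non-empty conflict list is the remaining set of duplicates that differ by something other than scope.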
