
Merge command - inconsistent dependency tree with/without name or version parameters #353

Open
Prochy opened this issue Dec 16, 2023 · 0 comments

Prochy commented Dec 16, 2023

A command:
cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --name "Test" --version "1.0.0.0" --output-file sbom.json --output-format json

creates a different dependency tree than the following command:
cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --output-file sbom.json --output-format json

If name and version are omitted, it creates the dependency tree between the root component and the first input file's SBOM component.

  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "SecondProject@0.0.0",
      "name": "SecondProject",
      "version": "0.0.0"
    }
  },

Versus with a version or name parameter:

  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "Test",
      "version": "1.0.0.0"
    }
  },

Question
Is it correct that it generates a different dependency tree? In my opinion, I guess it should create the same file except for the name and version parameters.
I am also not sure whether the root component should have a dependency on the input SBOMs (so the Test component should point to the first and second components), but maybe for this reason I should use the hierarchy parameter.
A dependency tracker then shows a different dependency graph.

File contents:
First:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:13aadae0-bd0c-486e-981a-4fa85176596d",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-16T09:08:04Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "FirstProject@0.0.0",
      "name": "FirstProject",
      "version": "0.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.DotNet.ILCompiler",
      "version": "8.0.0",
      "description": "Provides a native AOT compiler and runtime for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.NET.ILLink.Tasks",
      "version": "8.0.0",
      "description": "MSBuild tasks for running the IL Linker",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "FirstProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0"
      ]
    },
    {
      "ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "dependsOn": []
    }
  ]
}

Second:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:dd29f5b8-fe5b-440f-9cec-dbf1b29856b7",
  "version": 1,
  "metadata": {
    "timestamp": "2023-12-16T09:07:45Z",
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "SecondProject@0.0.0",
      "name": "SecondProject",
      "version": "0.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.DotNet.ILCompiler",
      "version": "8.0.0",
      "description": "Provides a native AOT compiler and runtime for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.NET.ILLink.Tasks",
      "version": "8.0.0",
      "description": "MSBuild tasks for running the IL Linker",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "author": "James Newton-King",
      "name": "Newtonsoft.Json",
      "version": "13.0.3",
      "description": "Json.NET is a popular high-performance JSON framework for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "Copyright \u00A9 James Newton-King 2008",
      "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "externalReferences": [
        {
          "url": "https://www.newtonsoft.com/json",
          "type": "website"
        },
        {
          "url": "https://github.com/JamesNK/Newtonsoft.Json",
          "type": "vcs"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "dependsOn": []
    },
    {
      "ref": "SecondProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
        "pkg:nuget/Newtonsoft.Json@13.0.3"
      ]
    }
  ]
}

cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --name "Test" --version "1.0.0.0" --output-file sbom.json --output-format json

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:73930165-b476-4388-8162-5e9a56060c9b",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "name": "Test",
      "version": "1.0.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.DotNet.ILCompiler",
      "version": "8.0.0",
      "description": "Provides a native AOT compiler and runtime for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.NET.ILLink.Tasks",
      "version": "8.0.0",
      "description": "MSBuild tasks for running the IL Linker",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "author": "James Newton-King",
      "name": "Newtonsoft.Json",
      "version": "13.0.3",
      "description": "Json.NET is a popular high-performance JSON framework for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "Copyright \u00A9 James Newton-King 2008",
      "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "externalReferences": [
        {
          "url": "https://www.newtonsoft.com/json",
          "type": "website"
        },
        {
          "url": "https://github.com/JamesNK/Newtonsoft.Json",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "application",
      "bom-ref": "SecondProject@0.0.0",
      "name": "SecondProject",
      "version": "0.0.0"
    },
    {
      "type": "application",
      "bom-ref": "FirstProject@0.0.0",
      "name": "FirstProject",
      "version": "0.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "dependsOn": []
    },
    {
      "ref": "SecondProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
        "pkg:nuget/Newtonsoft.Json@13.0.3"
      ]
    },
    {
      "ref": "FirstProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0"
      ]
    }
  ]
}

cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --output-file sbom.json --output-format json:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:9ea8f151-ebf4-4c59-9da9-0cf3c433d12e",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "vendor": "CycloneDX",
        "name": "CycloneDX module for .NET",
        "version": "2.10.0.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "SecondProject@0.0.0",
      "name": "SecondProject",
      "version": "0.0.0"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.DotNet.ILCompiler",
      "version": "8.0.0",
      "description": "Provides a native AOT compiler and runtime for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "author": "Microsoft",
      "name": "Microsoft.NET.ILLink.Tasks",
      "version": "8.0.0",
      "description": "MSBuild tasks for running the IL Linker",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
      "purl": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "externalReferences": [
        {
          "url": "https://dot.net/",
          "type": "website"
        },
        {
          "url": "https://github.com/dotnet/runtime",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "library",
      "bom-ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "author": "James Newton-King",
      "name": "Newtonsoft.Json",
      "version": "13.0.3",
      "description": "Json.NET is a popular high-performance JSON framework for .NET",
      "scope": "required",
      "hashes": [
        {
          "alg": "SHA-512",
          "content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
        }
      ],
      "licenses": [
        {
          "license": {
            "id": "MIT"
          }
        }
      ],
      "copyright": "Copyright \u00A9 James Newton-King 2008",
      "purl": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "externalReferences": [
        {
          "url": "https://www.newtonsoft.com/json",
          "type": "website"
        },
        {
          "url": "https://github.com/JamesNK/Newtonsoft.Json",
          "type": "vcs"
        }
      ]
    },
    {
      "type": "application",
      "bom-ref": "SecondProject@0.0.0",
      "name": "SecondProject",
      "version": "0.0.0"
    },
    {
      "type": "application",
      "bom-ref": "FirstProject@0.0.0",
      "name": "FirstProject",
      "version": "0.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
      "dependsOn": []
    },
    {
      "ref": "pkg:nuget/Newtonsoft.Json@13.0.3",
      "dependsOn": []
    },
    {
      "ref": "SecondProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0",
        "pkg:nuget/Newtonsoft.Json@13.0.3"
      ]
    },
    {
      "ref": "FirstProject@0.0.0",
      "dependsOn": [
        "pkg:nuget/Microsoft.DotNet.ILCompiler@8.0.0",
        "pkg:nuget/Microsoft.NET.ILLink.Tasks@8.0.0"
      ]
    }
  ]
}
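The practical problem behind this report is that a merged BOM whose metadata component has no `bom-ref` and no `dependencies` entry leaves every input's subtree disconnected from the root, so a downstream tracker renders a different graph. The script below is an added example, not code from the CycloneDX CLI project: it builds two constructed input BOMs shaped like the First and Second files above (trimmed to the fields the graph needs), reproduces the flat merge shape shown in the issue, checks which refs are unreachable from the metadata component, and shows a hierarchical merge (a hypothetical illustration of the behaviour the reporter expects from the hierarchy parameter, not the CLI's own implementation) in which the new root depends on each input's root component.

```python
"""Check whether a merged CycloneDX JSON BOM is rooted at its metadata
component, and compare a flat merge with a hierarchical one.

Added example; the input BOMs are constructed, not the issue's files."""
from collections import deque


def make_bom(project, libs):
    """Constructed input BOM shaped like the issue's First/Second files."""
    root = f"{project}@0.0.0"
    purls = [f"pkg:nuget/{n}@{v}" for n, v in libs]
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": root,
                                   "name": project, "version": "0.0.0"}},
        "components": [{"type": "library", "bom-ref": p, "name": n, "version": v}
                       for p, (n, v) in zip(purls, libs)],
        "dependencies": [{"ref": root, "dependsOn": purls}]
                        + [{"ref": p, "dependsOn": []} for p in purls],
    }


FIRST = make_bom("FirstProject", [("Microsoft.DotNet.ILCompiler", "8.0.0"),
                                  ("Microsoft.NET.ILLink.Tasks", "8.0.0")])
SECOND = make_bom("SecondProject", [("Microsoft.DotNet.ILCompiler", "8.0.0"),
                                    ("Microsoft.NET.ILLink.Tasks", "8.0.0"),
                                    ("Newtonsoft.Json", "13.0.3")])


def dependency_edges(bom):
    """Map each ref that has a dependency entry to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}


def all_refs(bom):
    """Every bom-ref declared in the BOM, including the metadata component's."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        refs.add(root["bom-ref"])
    return refs


def unreachable_from_root(bom):
    """Refs not reachable from the metadata component via dependsOn edges.
    A root without a bom-ref or dependency entry makes everything unreachable."""
    root_ref = bom.get("metadata", {}).get("component", {}).get("bom-ref")
    edges, seen = dependency_edges(bom), set()
    queue = deque([root_ref] if root_ref is not None else [])
    while queue:
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(edges.get(ref, []))
    return all_refs(bom) - seen


def _union(inputs):
    """Deduplicate components by bom-ref (first wins) and union dependency lists."""
    components, edges = {}, {}
    for bom in inputs:
        components.setdefault(bom["metadata"]["component"]["bom-ref"],
                              bom["metadata"]["component"])
        for c in bom.get("components", []):
            components.setdefault(c["bom-ref"], c)
        for ref, deps in dependency_edges(bom).items():
            merged = edges.setdefault(ref, [])
            merged.extend(d for d in deps if d not in merged)
    return components, edges


def flat_merge(inputs, name, version):
    """Shape of the issue's output: the new root has no bom-ref and no edges."""
    components, edges = _union(inputs)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "name": name,
                                       "version": version}},
            "components": list(components.values()),
            "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()]}


def hierarchical_merge(inputs, name, version):
    """Hypothetical hierarchical merge: the new root depends on each input root."""
    root_ref = f"{name}@{version}"
    components, edges = _union(inputs)
    edges = {root_ref: [b["metadata"]["component"]["bom-ref"] for b in inputs], **edges}
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "application", "bom-ref": root_ref,
                                       "name": name, "version": version}},
            "components": list(components.values()),
            "dependencies": [{"ref": r, "dependsOn": d} for r, d in edges.items()]}


if __name__ == "__main__":
    for label, bom in (("flat", flat_merge([SECOND, FIRST], "Test", "1.0.0.0")),
                       ("hierarchical", hierarchical_merge([SECOND, FIRST], "Test", "1.0.0.0"))):
        print(label, "unreachable from root:", sorted(unreachable_from_root(bom)))
```

Running `unreachable_from_root` on a merged BOM is a cheap acceptance check before the file is handed to a dependency tracker: an empty set means every component hangs off the metadata component, while a non-empty set lists exactly the subtrees the tracker will show detached.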