The default merge strategies deduplicate SBOM components by name and version. This can result in losing components that are not duplicates.
For example:
- A package with the same name and version can exist in many package ecosystems. For example, just about every popular language has a requests library.
- CycloneDX components have a group attribute, which should be considered part of the package identity for some package ecosystems. E.g. JavaScript, where @types/react is a very different package than react.
For the purpose of de-duplicating components, a more appropriate identifier is typically the purl, which should uniquely identify a package.
Note that merging SBOMs by simply de-duplicating components is never optimal, as it often results in losing data from one or both SBOMs (e.g. the dependencies data). But that's a much harder problem to solve.
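To make the data loss concrete, here is an added example (not code from the issue author or from any SBOM merging tool) that merges two constructed CycloneDX-style component lists once keyed on name+version and once keyed on purl; the package names, versions and purls are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """Minimal stand-in for a CycloneDX component (constructed for this example)."""
    name: str
    version: str
    purl: str
    group: str = ""


def merge_by_name_version(components):
    """The lossy strategy: first component wins for each (name, version) key."""
    seen = {}
    for c in components:
        seen.setdefault((c.name, c.version), c)
    return list(seen.values())


def merge_by_purl(components):
    """Key on the purl, which already encodes ecosystem, namespace/group, name and version."""
    seen = {}
    for c in components:
        seen.setdefault(c.purl, c)
    return list(seen.values())


def components_lost(components):
    """purls that survive a purl merge but are silently dropped by the name+version merge."""
    kept = {c.purl for c in merge_by_name_version(components)}
    return sorted(c.purl for c in merge_by_purl(components) if c.purl not in kept)


# Constructed sample SBOMs: a Python backend and a JavaScript frontend.
SBOM_BACKEND = [
    Component("requests", "2.31.0", "pkg:pypi/requests@2.31.0"),
    Component("react", "18.2.0", "pkg:npm/react@18.2.0"),
]
SBOM_FRONTEND = [
    # npm package with the same name and version as the PyPI one above
    Component("requests", "2.31.0", "pkg:npm/requests@2.31.0"),
    # @types/react: group "@types", name "react"; the group is part of the identity
    Component("react", "18.2.0", "pkg:npm/%40types/react@18.2.0", group="@types"),
]

if __name__ == "__main__":
    merged = SBOM_BACKEND + SBOM_FRONTEND
    print(len(merge_by_name_version(merged)), "components after name+version merge")
    print(len(merge_by_purl(merged)), "components after purl merge")
    print("lost by name+version merge:", components_lost(merged))
```

Keying on purl keeps all four components; keying on name and version collapses them to two, discarding the npm requests package and @types/react.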