
SBOM: merge strategies that deduplicate by name+version are suboptimal #5393

chmeliik opened this issue Mar 11, 2024 · 1 comment

@chmeliik

Description

The default merge strategies deduplicate SBOM components by name and version. This can result in losing components that are not duplicates.

For example:

  • A package with the same name and version can exist in many package ecosystems. For example, just about every popular language has a requests library.
  • CycloneDX components have a group attribute, which should be considered part of the package identity for some package ecosystems. E.g. JavaScript, where @types/react is a very different package than react.

For the purpose of de-duplicating components, a more appropriate identifier is typically the purl, which should uniquely identify a package.

Note that merging SBOMs by simply de-duplicating components is never optimal, as it often results in losing data from one or both SBOMs (e.g. the dependencies data). But that's a much harder problem to solve.
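The following is an added example, not code from this issue or from the project it was filed against. It merges two constructed CycloneDX-style component lists once with a name+version key and once with a purl key, so the difference the issue describes is visible: the name+version strategy silently drops a same-named package from another ecosystem and the `@types/react` component, while the purl strategy keeps them and still collapses the genuine `react` duplicate. The Go `requests` purl (`pkg:golang/example.com/requests@2.31.0`) is a constructed value, not a real module. Components without a purl fall back to a (group, name, version) key, an assumption of this example rather than a documented strategy.

```python
"""Added example: SBOM component deduplication by name+version versus by purl."""

# Constructed sample components, shaped like CycloneDX "components" entries.
SBOM_A = [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"},
]
SBOM_B = [
    # Constructed purl for a hypothetical Go module with the same name+version
    # as the PyPI package above; it is a different package, not a duplicate.
    {"name": "requests", "version": "2.31.0",
     "purl": "pkg:golang/example.com/requests@2.31.0"},
    # CycloneDX keeps the npm scope in "group"; a name+version key ignores it.
    {"group": "@types", "name": "react", "version": "18.2.0",
     "purl": "pkg:npm/%40types/react@18.2.0"},
    # A genuine duplicate of the react component in SBOM_A.
    {"name": "react", "version": "18.2.0", "purl": "pkg:npm/react@18.2.0"},
]


def key_name_version(component):
    """Identity used by the problematic merge strategy: name and version only."""
    return (component["name"], component.get("version"))


def key_purl(component):
    """Identity based on the purl, which encodes ecosystem type, namespace/group,
    name and version. Falls back to (group, name, version) when no purl is
    present (an assumption of this example, not a standard rule)."""
    purl = component.get("purl")
    if purl:
        return ("purl", purl)
    return ("gnv", component.get("group"), component["name"], component.get("version"))


def merge(sboms, key):
    """Merge component lists, keeping the first component seen for each key."""
    seen = {}
    for sbom in sboms:
        for component in sbom:
            seen.setdefault(key(component), component)
    return list(seen.values())


def dropped_by_name_version(sboms):
    """Purls of components that a purl-keyed merge keeps but a
    name+version-keyed merge loses."""
    kept = {key_purl(c) for c in merge(sboms, key_name_version)}
    return [c["purl"] for c in merge(sboms, key_purl) if key_purl(c) not in kept]


if __name__ == "__main__":
    by_nv = merge([SBOM_A, SBOM_B], key_name_version)
    by_purl = merge([SBOM_A, SBOM_B], key_purl)
    print(f"name+version merge keeps {len(by_nv)} components")
    print(f"purl merge keeps {len(by_purl)} components")
    for purl in dropped_by_name_version([SBOM_A, SBOM_B]):
        print("lost by name+version dedup:", purl)
```

Running the script shows the name+version merge keeping two components and the purl merge keeping four, with the Go `requests` module and `@types/react` reported as the components the weaker strategy lost. Neither strategy preserves per-component dependency data from both inputs, which is the harder merge problem the issue mentions separately.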


A friendly reminder that this issue had no activity for 30 days.
