Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generates BOM with duplicate dependencies #1419

Closed
marob opened this issue Oct 15, 2024 · 2 comments · Fixed by #1424
Closed

Generates BOM with duplicate dependencies #1419

marob opened this issue Oct 15, 2024 · 2 comments · Fixed by #1424

Comments

@marob
Copy link
Contributor

marob commented Oct 15, 2024

On a PHP composer projet having 2 composer.json files in a vendor-bin directory, cdxgen generated a BOM with duplicated dependencies:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  ...
  },
  "components": [
    ...
  ],
  "services": [],
  "dependencies": [
    {
      "ref": "pkg:composer/app@latest",
      "dependsOn": []
    },
    {
      "ref": "pkg:composer/app@latest",
      "dependsOn": []
    },
    ...
  ]
}

It may be due to

cdxgen/lib/cli/index.js

Line 4900 in 5778776

dependencies.splice(0, 0, pdependencies);
adding the dependency without de-duplicating (after calling mergeDependencies that do some de-duplicating?).
@prabhu
Copy link
Contributor

prabhu commented Oct 15, 2024

@marob could you kindly share a repo to replicate this issue? Alternatively, could you send a PR to use mergeDependencies like you have identified?

@marob
Copy link
Contributor Author

marob commented Oct 15, 2024

Hi @prabhu.
I don't really have time for now. I created a repo with only the 2 files that should cause the issue (https://github.com/marob/cdxgen-1419) but I haven't tested it.

marob added a commit to marob/cdxgen that referenced this issue Oct 18, 2024
@marob
Do not duplicate parent dependencies in case of multiple composer.loc…
baa52cf 
…k files (CycloneDX#1419)

Signed-off-by: Maxime Robert <[email protected]>
This was referenced Oct 18, 2024
Closed
Merged
prabhu pushed a commit that referenced this issue Oct 19, 2024
@marob
Do not duplicate parent dependencies in case of multiple composer.loc…
bd06413 
…k files (#1419) (#1424)

Signed-off-by: Maxime Robert <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Do not duplicate parent dependencies in case of multiple composer.lock files (#1419) marob/cdxgen
2 participants
@prabhu @marob