Metadata components should not have sub-components #763
More specifically, the guide states that subcomponents should be used in case of a "Multi-Product Solution" rather than a "Multi-Module Product". You can work around this today with

Could you share the exact error that DependencyTrack reports?
Hi, thanks for your advice.

Sadly, I don't see too much difference in the resulting SBoMs:

```
> cargo cyclonedx --describe=crate -a
> cargo cyclonedx --describe=binaries -a
> diff my-project*.xml
2c2
< <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5409cd74-0ee9-4d79-a6ff-59855524e122" version="1">
---
> <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:74c46a33-405f-49e2-980d-a592c338df5a" version="1">
4c4
< <timestamp>2024-08-23T06:07:23.503610541Z</timestamp>
---
> <timestamp>2024-08-23T06:07:14.152732469Z</timestamp>
25c25
< <purl>pkg:cargo/[email protected]?download_url=file://.#src/main.rs</purl>
---
> <purl>pkg:cargo/[email protected]?download_url=file://.</purl>
```

It boils down to parsing errors with Jackson in the

Edit: formatting
As of now, cargo-cyclonedx explicitly creates sub-components for the component entry in the metadata for the respective compilation targets.

This appears to contradict the suggestions in the Authoritative Guide to SBOM, which states that "The SBOM should have a single bom.metadata.component without subcomponents".

This has the consequence that generated SBoMs currently cannot be properly processed by third-party tools, e.g., Dependency Track.
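As an added example (not code from cargo-cyclonedx, Dependency-Track or anyone in this thread), the script below shows how a consumer can check a CycloneDX XML BOM for the shape this issue describes, nested `components` under `metadata.component`, and how to hoist those entries into the top-level `components` list so the metadata keeps a single root component. The sample BOM is constructed for illustration: the crate name `my-project`, the versions, the `serde` dependency and the serial number are made up and only mirror the `#src/main.rs` style purls seen in the diff above.

```python
"""Detect and repair sub-components nested under metadata.component in a
CycloneDX 1.3 XML BOM. Added example; assumes only the stdlib."""
import xml.etree.ElementTree as ET

CDX_NS = "http://cyclonedx.org/schema/bom/1.3"
NS = {"bom": CDX_NS}

# Constructed sample: a multi-target crate whose generator nested the
# per-target components under metadata.component (names/versions made up).
SAMPLE_BOM = f"""<bom xmlns="{CDX_NS}" serialNumber="urn:uuid:00000000-0000-4000-8000-000000000001" version="1">
  <metadata>
    <timestamp>2024-08-23T06:07:23Z</timestamp>
    <component type="application">
      <name>my-project</name>
      <version>0.1.0</version>
      <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>
      <components>
        <component type="application">
          <name>my-project</name>
          <version>0.1.0</version>
          <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs</purl>
        </component>
        <component type="library">
          <name>my-project</name>
          <version>0.1.0</version>
          <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/lib.rs</purl>
        </component>
      </components>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>serde</name>
      <version>1.0.0</version>
      <purl>pkg:cargo/serde@1.0.0</purl>
    </component>
  </components>
</bom>
"""


def metadata_subcomponent_purls(xml_text: str) -> list[str]:
    """Return the purl of every component nested under metadata.component.
    An empty list means the BOM has a single root component, as the guide asks."""
    root = ET.fromstring(xml_text)
    nested = root.findall("bom:metadata/bom:component/bom:components/bom:component", NS)
    return [c.findtext("bom:purl", default="", namespaces=NS) for c in nested]


def top_level_component_names(xml_text: str) -> list[str]:
    """Names of the components in the BOM's top-level <components> list."""
    root = ET.fromstring(xml_text)
    return [c.findtext("bom:name", default="", namespaces=NS)
            for c in root.findall("bom:components/bom:component", NS)]


def hoist_metadata_subcomponents(xml_text: str) -> str:
    """Move components nested under metadata.component into the top-level
    <components> list and drop the emptied wrapper. The root component itself
    is left as it is; a BOM without nested entries is returned unchanged."""
    ET.register_namespace("", CDX_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    meta_comp = root.find("bom:metadata/bom:component", NS)
    if meta_comp is None:
        return xml_text
    nested = meta_comp.find("bom:components", NS)
    if nested is None:
        return xml_text
    top = root.find("bom:components", NS)
    if top is None:
        top = ET.SubElement(root, f"{{{CDX_NS}}}components")
    for child in list(nested):
        nested.remove(child)
        top.append(child)
    meta_comp.remove(nested)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("nested under metadata.component:", metadata_subcomponent_purls(SAMPLE_BOM))
    fixed = hoist_metadata_subcomponents(SAMPLE_BOM)
    print("after hoisting:", metadata_subcomponent_purls(fixed), top_level_component_names(fixed))
```

Running the check before uploading to a consumer such as Dependency-Track turns a parse failure on the server into a clear diagnostic on the client; the hoisting step is a stop-gap for existing BOMs, and the per-target entries it moves keep their original purls so nothing is lost.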