Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: duplicate entries in cyclonedx dependency list #2063

Merged
merged 1 commit into from
Aug 25, 2023
Merged

fix: duplicate entries in cyclonedx dependency list #2063

merged 1 commit into from
Aug 25, 2023

Conversation

kzantow
Copy link
Contributor

@kzantow kzantow commented Aug 25, 2023
edited
Loading

This PR corrects an issue where Syft is not outputting CycloneDX dependencies properly -- instead of one entry for a unique Ref, it was outputting multiple entries with the same Ref, which is not valid. The spec states: "All items must be unique", which seems to indicate each entry has a unique Ref and the cyclonedx-cli validate fails.

With this change, the latest cyclonedx-cli indicates the BOM is now valid:

$ cyclonedx-cli validate --input-file alpine.cdx.json
BOM validated successfully.

Fixes: #2062

@kzantow
fix: duplicate entries in cyclonedx dependency list
5f23c35 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
@kzantow kzantow requested a review from a team August 25, 2023 13:53
@github-actions
Copy link

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
goos: linux%0Agoarch: amd64%0Apkg: github.com/anchore/syft/test/integration%0Acpu: Intel(R) Xeon(R) CPU E5-2673 v4 @ 2.30GHz%0A                                                              │ ./.tmp/benchmark-a0a39b6.txt │%0A                                                              │            sec/op            │%0AImagePackageCatalogers/alpmdb-cataloger-2                                        14.44m ± 4%25%0AImagePackageCatalogers/apkdb-cataloger-2                                         888.9µ ± 3%25%0AImagePackageCatalogers/binary-cataloger-2                                        252.9µ ± 3%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                        776.0µ ± 2%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                    26.56µ ± 4%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                              131.2µ ± 2%25%0AImagePackageCatalogers/java-cataloger-2                                          21.79m ± 2%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                          130.7µ ± 9%25%0AImagePackageCatalogers/javascript-package-cataloger-2                            504.8µ ± 5%25%0AImagePackageCatalogers/nix-store-cataloger-2                                     374.7µ ± 4%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                        1.021m ± 2%25%0AImagePackageCatalogers/portage-cataloger-2                                       625.1µ ± 1%25%0AImagePackageCatalogers/python-package-cataloger-2                                4.173m ± 2%25%0AImagePackageCatalogers/r-package-cataloger-2                                     293.4µ ± 3%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                        708.8µ ± 3%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                  1.179m ± 5%25%0AImagePackageCatalogers/sbom-cataloger-2                                          148.8µ ± 2%25%0Ageomean                                                                          636.3µ%0A%0A                                                              │ ./.tmp/benchmark-a0a39b6.txt │%0A                                                              │             B/op             │%0AImagePackageCatalogers/alpmdb-cataloger-2                                       5.132Mi ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                        184.5Ki ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                       30.76Ki ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                       141.3Ki ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                   3.695Ki ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                             9.906Ki ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                         3.067Mi ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                         8.594Ki ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                           83.81Ki ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                    38.93Ki ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                       155.2Ki ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                      109.8Ki ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                               986.0Ki ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                    42.90Ki ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                       171.0Ki ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                 123.2Ki ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                         14.20Ki ± 0%25%0Ageomean                                                                         93.03Ki%0A%0A                                                              │ ./.tmp/benchmark-a0a39b6.txt │%0A                                                              │          allocs/op           │%0AImagePackageCatalogers/alpmdb-cataloger-2                                        88.06k ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                         4.034k ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                         866.0 ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                        2.911k ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                     132.0 ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                               281.0 ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                          40.69k ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                           228.0 ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                            1.264k ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                      820.0 ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                        3.844k ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                       2.194k ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                                16.14k ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                      851.0 ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                        3.914k ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                  2.291k ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                           394.0 ± 0%25%0Ageomean                                                                          2.000k

@kzantow kzantow merged commit 4ae94c3 into main Aug 25, 2023
@kzantow kzantow deleted the fix/cyclonedx-dependencies branch August 25, 2023 16:19
This was referenced Aug 28, 2023
Closed
Closed
Closed
Closed
Merged
Closed
Closed
@ShuP1 ShuP1 mentioned this pull request Sep 4, 2023
Closed
@dependabot dependabot bot mentioned this pull request Sep 4, 2023
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@kzantow
fix: duplicate entries in cyclonedx dependency list (anchore#2063)
0396972 
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spiffcs spiffcs spiffcs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generating duplicate in relationships in CycloneDX
2 participants
@kzantow @spiffcs