bug(sbom): Duplicate SBOM packages for multi-module pom.xml files #7824
Comments
I am not sure if trivy reports should contain duplicates. @knqyf263 wdyt? You added this logic, maybe I missed something.
Even if the component has the same name and version, the dependency of the component could be different.

```mermaid
graph LR;
    pomRoot(com.example:root v1.0.0)
    mod1(com.example:module1 v1.0.0)
    mod2(com.example:module2 v2.0.0)
    pomC(org.example:example-api v1.1.1)
    pomE(POM E v2.0.0)
    pomRoot-->mod1
    pomRoot-->mod2
    mod1-->pomC
    pomC-->pomE
    pomC'(org.example:example-api v1.1.1)
    pomD'(POM D v1.0.0)
    pomE'(POM E v2.1.0)
    mod2-->pomC'
    mod2-->pomD'
    pomC'-->pomE'
    pomD'-->pomE'
```
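As an added illustration (not Trivy's code, and not the change that later landed in #7837, which this thread does not show), the Go program below rebuilds the tree from the diagram above and shows both points the thread makes: deriving the SPDXID from name and version alone produces the duplicate identifier the SPDX spec forbids, yet the two `example-api v1.1.1` occurrences really do have different dependencies and must stay distinct in the SBOM. Instead of the random UUID the thread floats, it suffixes a short digest of the subtree's dependency edges, so distinct subtrees get distinct IDs and genuinely identical occurrences keep one reproducible ID. The `Node` type, the ID scheme and the sample data are all assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Node: one occurrence of a package in a module's dependency tree
// (a constructed toy type for this example, not Trivy's own).
type Node struct {
	Name, Version string
	Deps          []*Node
}

// SPDX 2.3 allows only letters, digits, "." and "-" in an SPDXID.
var badChars = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// NaiveID derives the SPDXID from name and version only, so the two
// occurrences of org.example:example-api v1.1.1 in the diagram collide.
func NaiveID(n *Node) string {
	return "SPDXRef-Package-" + badChars.ReplaceAllString(n.Name+"-"+n.Version, "-")
}

// edges appends every "parent@v->child@v" edge reachable from n, once each.
func edges(n *Node, seen map[string]bool, out *[]string) {
	for _, d := range n.Deps {
		e := n.Name + "@" + n.Version + "->" + d.Name + "@" + d.Version
		if !seen[e] {
			seen[e] = true
			*out = append(*out, e)
			edges(d, seen, out)
		}
	}
}

// UniqueID appends a short digest of the subtree's edge set: occurrences with
// different transitive dependencies get distinct SPDXIDs, while occurrences
// with identical subtrees still share one (a random UUID would not).
func UniqueID(n *Node) string {
	var es []string
	edges(n, map[string]bool{}, &es)
	sort.Strings(es)
	sum := sha256.Sum256([]byte(strings.Join(es, "\n")))
	return NaiveID(n) + "-" + hex.EncodeToString(sum[:])[:8]
}

// collect walks depth-first, visiting shared nodes (POM E under module2) once.
func collect(n *Node, seen map[*Node]bool, out *[]*Node) {
	if seen[n] {
		return
	}
	seen[n] = true
	*out = append(*out, n)
	for _, d := range n.Deps {
		collect(d, seen, out)
	}
}

// Collect returns every distinct Node reachable from root.
func Collect(root *Node) []*Node {
	var out []*Node
	collect(root, map[*Node]bool{}, &out)
	return out
}

// DuplicateIDs returns, sorted, every ID that idFn assigns to more than one
// distinct node; a non-empty result means the SBOM would violate the spec.
func DuplicateIDs(nodes []*Node, idFn func(*Node) string) []string {
	count := map[string]int{}
	for _, n := range nodes {
		count[idFn(n)]++
	}
	var dups []string
	for id, c := range count {
		if c > 1 {
			dups = append(dups, id)
		}
	}
	sort.Strings(dups)
	return dups
}

// ExampleGraph rebuilds the tree from the diagram in the thread (constructed
// data): example-api v1.1.1 sits under both modules with different subtrees.
func ExampleGraph() *Node {
	pomE := &Node{Name: "POM E", Version: "2.0.0"}
	pomC := &Node{Name: "org.example:example-api", Version: "1.1.1", Deps: []*Node{pomE}}
	mod1 := &Node{Name: "com.example:module1", Version: "1.0.0", Deps: []*Node{pomC}}
	pomE2 := &Node{Name: "POM E", Version: "2.1.0"}
	pomC2 := &Node{Name: "org.example:example-api", Version: "1.1.1", Deps: []*Node{pomE2}}
	pomD2 := &Node{Name: "POM D", Version: "1.0.0", Deps: []*Node{pomE2}}
	mod2 := &Node{Name: "com.example:module2", Version: "2.0.0", Deps: []*Node{pomC2, pomD2}}
	return &Node{Name: "com.example:root", Version: "1.0.0", Deps: []*Node{mod1, mod2}}
}

func main() {
	nodes := Collect(ExampleGraph())
	fmt.Println("duplicates with name+version IDs:", DuplicateIDs(nodes, NaiveID))
	fmt.Println("duplicates with edge-digest IDs:  ", DuplicateIDs(nodes, UniqueID))
}
```

With the name+version scheme the program reports one duplicate, `SPDXRef-Package-org.example-example-api-1.1.1`; with the edge digest it reports none, and the two `example-api` entries can each carry their own `DEPENDS_ON` relationships. A digest of the subtree is one choice among several; the trade-off against a UUID is that the digest stays stable between runs, which makes SBOM diffs readable.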
hmm... you're right. I missed that.
I updated logic for SPDXIDs (#7837).
But I found another problem: We have 2 components with same
I thought a bit and found some ideas:
@knqyf263 Can you take a look? Perhaps you will be able to see another way.
The current package ID (`trivy/pkg/dependency/parser/julia/manifest/parse.go`, lines 77 to 82 in 983ac15
So, can we use UUID or something like that only in Maven? We don't have to re-implement all parsers.
We might need to add similar logic for But in general you are right. We can only use UUID for specific parsers.
hm... I think it is possible. I will take a look.
User found a similar case for But this is a strange case (there are 2 status dirs (libssl1 and libssl1.1) with the same name/version/etc. (see #8273 (comment)). This looks like an error in the image construction, but on the other hand there are no restrictions for such cases, and we should solve this problem in Trivy.
Description

`mvn` handles `modules` separately. Trivy uses the same logic:

`trivy/pkg/dependency/parser/java/pom/parse.go`, lines 142 to 143 in 57e24aa

But the `SPDX` format doesn't allow duplicate SPDXIDs - https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field

Same for `CycloneDX` - https://cyclonedx.org/docs/1.6/json/#components

Solutions

`workspace` relationship for maven modules (see bug(java): dependOn contains extra dependencies for `pom.xml` files with modules when using SBOM formats #7802). After these changes Trivy will use `rootPkg -> workspace -> directDeps -> IndirectDeps` logic. This logic is different from `mvn` logic. So we may want to remove duplicates in the parser.

Example

Test project:

`mvn` output:

trivy outputs:
Discussed in #7795