
Flat merging does not merge 1.5 metadata #280

@roman-ledermann-erni

Description

I have the following two SBOM files:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:18b33571-a6fe-4367-a039-086cd7d30086",
  "metadata": {
    "authors": [
      {
        "bom-Ref": "author",
        "name": "Author",
        "email": "author@gmail.com",
        "phone": "123456789"
      }
    ],
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "0.103.1"
        }
      ]
    },
    "component": {
      "bom-ref": "component",
      "type": "application",
      "name": "Test Application",
      "version": "1.2.3.4"
    }
  }
}
```

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:3e2edd70-9f09-4a8f-8395-1e8410f21aa5",
  "version": 1,
  "metadata": {
    "timestamp": "2024-02-07T07:59:12Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "0.103.1"
        }
      ]
    },
    "component": {
      "bom-ref": "component",
      "type": "application",
      "name": "Test Application",
      "version": "1.2.3.4"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40acuminous/bitsyntax@0.1.2?package-id=7415bc36e2fc91c8",
      "type": "library",
      "author": "Michael Bridgen <mikeb@squaremobius.net>",
      "name": "@acuminous/bitsyntax",
      "version": "0.1.2",
      "description": "Pattern-matching on byte buffers"
    }
  ]
}
```

If I merge these two files with cyclonedx-cli, the resulting file looks like this:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:60ee79ff-9dbd-421d-a1c9-4fd8f3ad7739",
  "version": 1,
  "metadata": {
    "component": {
      "type": "application",
      "bom-ref": "component",
      "name": "Test Application",
      "version": "1.2.3.4"
    }
  },
  "components": [
    {
      "type": "library",
      "bom-ref": "pkg:npm/%40acuminous/bitsyntax@0.1.2?package-id=7415bc36e2fc91c8",
      "author": "Michael Bridgen \u003Cmikeb@squaremobius.net\u003E",
      "name": "@acuminous/bitsyntax",
      "version": "0.1.2",
      "description": "Pattern-matching on byte buffers"
    },
    {
      "type": "application",
      "bom-ref": "component",
      "name": "Test Application",
      "version": "1.2.3.4"
    }
  ]
}
```

The tools only get merged if my input file uses the v1.4 schema, and authors are completely ignored anyway (I am not sure whether the authors should be handled by the library or the CLI).
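As an added illustration (not cyclonedx-cli code and not from the reporter), a Python sketch of a flat merge that unions `metadata.authors` and both the 1.4 array form and the 1.5 `components` form of `metadata.tools`, plus a check that flags provenance entries a merge dropped. `SBOM_A` and `SBOM_B` are trimmed copies of the two SBOMs above; `SBOM_C`, its vendor, tool name and version are constructed for the example, and mapping a legacy tool's `vendor` to a component `author` is this example's own choice.

```python
# Constructed inputs: A and B are trimmed from the two 1.5 SBOMs in the issue,
# C is a made-up 1.4-style SBOM using the legacy array form of metadata.tools.
SYFT = {"type": "application", "author": "anchore", "name": "syft", "version": "0.103.1"}
SBOM_A = {"specVersion": "1.5", "metadata": {
    "authors": [{"name": "Author", "email": "author@gmail.com"}],
    "tools": {"components": [SYFT]}}}
SBOM_B = {"specVersion": "1.5", "metadata": {
    "timestamp": "2024-02-07T07:59:12Z", "tools": {"components": [SYFT]}}}
SBOM_C = {"specVersion": "1.4", "metadata": {
    "tools": [{"vendor": "Example Vendor", "name": "example-tool", "version": "1.0.0"}]}}

def _dedupe(items, keys):
    # First occurrence wins; identity is the tuple of the named fields.
    seen, out = set(), []
    for item in items:
        key = tuple(item.get(k) for k in keys)
        if key not in seen:
            seen.add(key)
            out.append(item)
    return out

def _tool_components(tools):
    """Normalise metadata.tools to the 1.5 components list; the legacy 1.4
    array becomes application components with vendor mapped to author."""
    if isinstance(tools, list):
        return [{"type": "application", "author": t.get("vendor"),
                 "name": t.get("name"), "version": t.get("version")} for t in tools]
    return list(tools.get("components", []))

def merge_metadata(boms):
    """Union of metadata.authors and metadata.tools across all inputs, emitted
    in 1.5 form. Other metadata (component, timestamp) is left to the caller."""
    authors, components = [], []
    for bom in boms:
        md = bom.get("metadata", {})
        authors += md.get("authors", [])
        components += _tool_components(md.get("tools", []))
    merged = {}
    if authors:
        merged["authors"] = _dedupe(authors, ("name", "email"))
    if components:
        merged["tools"] = {"components": _dedupe(components, ("name", "version"))}
    return merged

def lost_provenance(boms, merged_metadata):
    """Tool/author entries present in some input but missing after merging."""
    def ids(md):
        return ({f"tool {c.get('name')} {c.get('version')}" for c in _tool_components(md.get("tools", []))}
                | {f"author {a.get('name')} {a.get('email')}" for a in md.get("authors", [])})
    return sorted(ids(merge_metadata(boms)) - ids(merged_metadata))
```

Running `lost_provenance([SBOM_A, SBOM_B], <metadata of the CLI output above>)` reports both the syft tool entry and the author, which is the loss this issue describes.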
