-
Notifications
You must be signed in to change notification settings - Fork 587
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dependency trees get merged when they should not #3456
Comments
A couple of points (but I haven't dug too deep yet):
|
Thanks for the quick response! I tried to reproduce the behavior with SPDX, I added two Java apps to my repo and generated SBOMs for them with They both depend on the same version of Maybe I did something wrong, I don't know too much about SPDX, but I see the dependency relation between But that's probably out of scope for this issue. So yes, it looks like this is currently only a problem for CycloneDX SBOMs. |
What happened:
When collecting multiple BOMs with the
sbom-cataloger
, the dependency trees of the BOMs might get mixed up.Example:
My Rust app App1 has a direct dependency
proc-macro2 1.0.89
. This dependency has a transitive dependencyunicode-ident 1.0.13
.App2 depends on
proc-macro2 1.0.89
as well, plus also directly onunicode-ident 1.0.9
(a lower version than the transitive dependency in App1).I generate SBOMs for both apps and package the apps alongside their SBOMs in a container. When I scan the container with the latest version of Syft and enable the
sbom-cataloger
, the dependency tree in the resulting SBOM looks like this:This is because the same package ID is generated for
proc-macro2 1.0.89
and both packages are merged into one, which is understandable. But I think since the transitive dependencies can differ, even if the package itself is the same, the package ID should depend on some identifier of the cataloged SBOM as well. This effectively means the dependency trees for all cataloged SBOMs will be treated separately instead of being merged into one tree.I think that this problem is not specific to Rust and affects other languages as well, at least I can think of similar examples in Java.
The change in this PR is just to demonstrate a very hacky solution specific to CycloneDX SBOMs with a serialnumber, it's definitely not a proper solution, hence I marked this PR as draft: I just pass the
bom
object intocollectPackages
to be able to access the BOM's serialnumber. I then temporarily prepend that serialnumber to the package name to make the package ID dependant on the BOM it was found in (two equal packages in different BOMs will now have different IDs). If you think the change in general makes sense, we could discuss a proper solution.I generated the SBOM for my example app with the modified version of Syft and it looks as expected, the dependency trees are separate (
proc-macro2 1.0.89
is in there twice, with two different package IDs).What you expected to happen:
An SBOM with a dependecy tree like this:
Steps to reproduce the issue:
See https://github.com/dervoeti/syft-reproduce-dependency-overlap
Anything else we need to know?:
SPDX would need this as well, maybe all catalogers that obtain information about dependency relationships would need adjustments.
Environment:
syft version
: 1.14cat /etc/os-release
or similar): NixOS 24.05 (Uakari)The text was updated successfully, but these errors were encountered: