Description
SBOM formats allow multiple components with different bomRef/SPDXID, but with the same name + version.
Example from docker.io/bitnamilegacy/postgresql:15.4.0-debian-11-r45:
```json
{
  "name": "org.postgresql:pljava",
  "SPDXID": "SPDXRef-Package-200e4c8a9fedcdb5",
  "versionInfo": "1.6.6",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE_MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.postgresql/pljava@1.6.6"
    }
  ],
  "filesAnalyzed": false
},
{
  "name": "org.postgresql:pljava",
  "SPDXID": "SPDXRef-Package-c30a860d16f62e1b",
  "versionInfo": "1.6.6",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE_MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.postgresql/pljava@1.6.6"
    }
  ],
  "filesAnalyzed": false
},
```

In the sbom package we currently use the default logic to generate package IDs:

Line 207 in d020f26

```go
pkg.ID = dependency.ID(p.LangType(), pkg.Name, p.Version) // Re-generate ID with the updated name
```
As a result, these components receive the same ID, since the ID does not include SPDXID/bomRef.
When constructing a dependency tree, Trivy treats such components as duplicates and loses part of the structure.
More details:
#9802 (comment)
Proposed Solution
We should use the component’s bomRef or SPDXID as the Package.ID for packages parsed from SBOM files.
However:
• bomRef is optional for CycloneDX,
• so if a component has no bomRef, we may need to generate a UUID as a fallback.
This ensures that all components remain unique and dependency graphs remain correct.
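To show the collision and the proposed fix side by side, here is an added Go example (not Trivy's code; the type `Component` and the functions `legacyID`, `refID` and `countDistinct` are this example's own names). It assigns IDs to the issue's two pljava packages first by name+version, then by SPDXID/bom-ref with a UUID fallback, and counts how many survive as map keys.

```go
package main

import (
	"crypto/rand"
	"fmt"
)

// Component: the SPDX/CycloneDX fields that matter for ID assignment (example's own type, not Trivy's).
type Component struct{ Name, Version, SPDXID, BOMRef string }

// legacyID mirrors the name+version scheme from the issue: equal name+version gives an equal ID.
func legacyID(c Component) string { return fmt.Sprintf("maven/%s@%s", c.Name, c.Version) }

// refID is the proposal: prefer SPDXID or bom-ref, else generate a UUID (CycloneDX bom-ref is optional).
func refID(c Component) string {
	switch {
	case c.SPDXID != "":
		return c.SPDXID
	case c.BOMRef != "":
		return c.BOMRef
	}
	return newUUIDv4()
}

// newUUIDv4 builds a random RFC 4122 version-4 UUID from crypto/rand.
func newUUIDv4() string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

// countDistinct counts IDs that survive as map keys, which is what a dependency tree keys on.
func countDistinct(comps []Component, scheme func(Component) string) int {
	seen := map[string]bool{}
	for _, c := range comps {
		seen[scheme(c)] = true
	}
	return len(seen)
}

func main() {
	// Constructed input: the issue's two pljava packages plus a component with no reference at all.
	comps := []Component{
		{Name: "org.postgresql:pljava", Version: "1.6.6", SPDXID: "SPDXRef-Package-200e4c8a9fedcdb5"},
		{Name: "org.postgresql:pljava", Version: "1.6.6", SPDXID: "SPDXRef-Package-c30a860d16f62e1b"},
		{Name: "org.postgresql:pljava", Version: "1.6.6"},
	}
	fmt.Printf("name+version keeps %d of 3, reference-based keeps %d of 3\n",
		countDistinct(comps, legacyID), countDistinct(comps, refID)) // 1, 3
}
```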