CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0
317 stars 62 forks

Merge command loses `metadata.component` from original SBOMs #218

Open kkovaletp opened 2 years ago

kkovaletp commented 2 years ago

I've merged 2 SBOMs, but found that the resulting SBOM doesn't contain metadata.component from the original SBOMs. Executed command:

cyclonedx-cli merge \
  --input-files ${NGINX_REPORTS}/Details/Anchore-SBOM.xml ${NGINX_REPORTS}/Details/CI-SBOM.xml \
  --output-file ${NGINX_REPORTS}/Details/SBOM-merged.xml

If I add --group Group --name Name --version 2.0, exactly this info will be in metadata.component, but the info from SBOM 1 is lost anyway.

SBOM 1:

<metadata>
  <timestamp>2022-03-19T01:08:07Z</timestamp>
  <tools>
    <tool>
      <vendor>anchore</vendor>
      <name>syft</name>
      <version>0.42.0</version>
    </tool>
  </tools>
  <component bom-ref="50594f5267425138" type="container">
    <name>image:prod-latest</name>
    <version>sha256:a1725721cde80b5c787a9208f80ea0df350ae82f229e1cab0000e1cd8e9f4046</version>
  </component>
</metadata>

SBOM 2:

<metadata>
  <timestamp>2022-03-18T23:11:18.271283+00:00</timestamp>
  <tools>
    <tool>
      <vendor>CycloneDX</vendor>
      <name>cyclonedx-python-lib</name>
      <version>2.0.0</version>
      <externalReferences>
        <reference type="license">
          <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
        </reference>
        <reference type="vcs">
          <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
        </reference>
        <reference type="release-notes">
          <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
        </reference>
        <reference type="website">
          <url>https://cyclonedx.org</url>
        </reference>
        <reference type="documentation">
          <url>https://cyclonedx.github.io/cyclonedx-python-lib/</url>
        </reference>
        <reference type="distribution">
          <url>https://pypi.org/project/cyclonedx-python-lib/</url>
        </reference>
        <reference type="build-system">
          <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
        </reference>
        <reference type="issue-tracker">
          <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
        </reference>
      </externalReferences>
    </tool>
    <tool>
      <vendor>CycloneDX</vendor>
      <name>cyclonedx-bom</name>
      <version>3.1.0</version>
    </tool>
  </tools>
</metadata>

Resulting SBOM:

  <metadata>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
        <version>0.42.0</version>
        <hashes />
      </tool>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-python-lib</name>
        <version>2.0.0</version>
        <hashes />
        <externalReferences>
          <reference type="license">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
          </reference>
          <reference type="vcs">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
          </reference>
          <reference type="release-notes">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
          </reference>
          <reference type="website">
            <url>https://cyclonedx.org</url>
          </reference>
          <reference type="documentation">
            <url>https://cyclonedx.github.io/cyclonedx-python-lib/</url>
          </reference>
          <reference type="distribution">
            <url>https://pypi.org/project/cyclonedx-python-lib/</url>
          </reference>
          <reference type="build-system">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
          </reference>
          <reference type="issue-tracker">
            <url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
          </reference>
        </externalReferences>
      </tool>
      <tool>
        <vendor>CycloneDX</vendor>
        <name>cyclonedx-bom</name>
        <version>3.1.0</version>
        <hashes />
      </tool>
    </tools>
  </metadata>

coderpatros commented 2 years ago

If you want to retain the top-level metadata component, you can use the --hierarchical merge option.

kkovaletp commented 2 years ago

Thanks for your tip, but --hierarchical does not do what I expect: it creates an SBOM containing my original SBOMs as 2 dependencies, while I need to exactly merge them and have the info from each be in the resulting file on the same level.
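A workaround for the flat-merge case discussed in this thread, added here as an example; it is not part of the issue and not cyclonedx-cli's own code. The script re-attaches metadata.component from the primary input (here the syft container SBOM) to the merged BOM, and exposes a check that a CI job can run to fail a build whose BOM does not say what it describes. The two BOMs are constructed from the fragments posted above (the merged one mirrors what the issue shows: tools kept, metadata.component gone); the schema namespace is CycloneDX 1.4. The refusal to insert a bom-ref that is already used in the merged BOM follows the spec's rule that bom-ref values are unique within a BOM, and placing the copied element after timestamp/tools/authors follows the 1.4 element order of metadata; both checks are this example's design, not cyclonedx-cli behaviour.

```python
"""Re-attach metadata.component after a flat `cyclonedx-cli merge`.
Added example, not cyclonedx-cli code. Sample BOMs are constructed from the
issue's fragments; assumes CycloneDX XML where the merge dropped metadata.component.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed: the primary input (container image scanned by syft); its
# metadata.component is the one that should describe the merged BOM.
SBOM_CONTAINER = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <timestamp>2022-03-19T01:08:07Z</timestamp>
    <tools><tool><vendor>anchore</vendor><name>syft</name><version>0.42.0</version></tool></tools>
    <component bom-ref="50594f5267425138" type="container">
      <name>image:prod-latest</name>
      <version>sha256:a1725721cde80b5c787a9208f80ea0df350ae82f229e1cab0000e1cd8e9f4046</version>
    </component>
  </metadata>
  <components>
    <component bom-ref="pkg:deb/debian/zlib1g@1.2.11" type="library"><name>zlib1g</name><version>1.2.11</version></component>
  </components>
</bom>"""

# Constructed: what the flat merge emitted, i.e. tools and components from
# both inputs, but a metadata element with no component.
SBOM_MERGED = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <tools>
      <tool><vendor>anchore</vendor><name>syft</name><version>0.42.0</version></tool>
      <tool><vendor>CycloneDX</vendor><name>cyclonedx-bom</name><version>3.1.0</version></tool>
    </tools>
  </metadata>
  <components>
    <component bom-ref="pkg:deb/debian/zlib1g@1.2.11" type="library"><name>zlib1g</name><version>1.2.11</version></component>
    <component bom-ref="pkg:pypi/requests@2.27.1" type="library"><name>requests</name><version>2.27.1</version></component>
  </components>
</bom>"""


def _ns(root):
    """Namespace URI of the <bom> root (it differs per CycloneDX schema version)."""
    return root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""


def metadata_component(bom_xml):
    """Return bom-ref/type/name/version of metadata.component, or None if absent."""
    root = ET.fromstring(bom_xml)
    ns = {"c": _ns(root)}
    comp = root.find("c:metadata/c:component", ns)
    if comp is None:
        return None
    return {
        "bom-ref": comp.get("bom-ref"),
        "type": comp.get("type"),
        "name": comp.findtext("c:name", default=None, namespaces=ns),
        "version": comp.findtext("c:version", default=None, namespaces=ns),
    }


def check_metadata_component(bom_xml):
    """CI gate: list of problems, empty when the BOM says what it describes."""
    info = metadata_component(bom_xml)
    if info is None:
        return ["metadata.component is missing"]
    return [f"metadata.component has no {k}" for k in ("type", "name", "version") if not info[k]]


def restore_metadata_component(merged_xml, primary_xml):
    """Copy metadata.component from the primary input into the merged BOM.
    Refuses to overwrite an existing one or to introduce a duplicate bom-ref."""
    merged, primary = ET.fromstring(merged_xml), ET.fromstring(primary_xml)
    uri = _ns(merged)
    if _ns(primary) != uri:
        raise ValueError("inputs use different CycloneDX schema versions")
    ns = {"c": uri}
    src = primary.find("c:metadata/c:component", ns)
    if src is None:
        raise ValueError("primary BOM has no metadata.component to copy")
    metadata = merged.find("c:metadata", ns)
    if metadata is None:
        metadata = ET.Element(f"{{{uri}}}metadata")
        merged.insert(0, metadata)
    if metadata.find("c:component", ns) is not None:
        raise ValueError("merged BOM already has a metadata.component")
    ref = src.get("bom-ref")
    used = {el.get("bom-ref") for el in merged.iter(f"{{{uri}}}component")}
    if ref and ref in used:  # bom-ref must be unique within a BOM
        raise ValueError(f"bom-ref {ref!r} already used in the merged BOM")
    # Element order inside <metadata> is timestamp, tools, authors, component, ...
    # so the copy goes after the last of those preceding elements.
    preceding = {f"{{{uri}}}{t}" for t in ("timestamp", "tools", "authors")}
    pos = max([i + 1 for i, el in enumerate(metadata) if el.tag in preceding], default=0)
    metadata.insert(pos, copy.deepcopy(src))
    ET.register_namespace("", uri)  # serialise with a default xmlns, no ns0: prefixes
    return ET.tostring(merged, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_metadata_component(SBOM_MERGED))
    fixed = restore_metadata_component(SBOM_MERGED, SBOM_CONTAINER)
    print("after: ", check_metadata_component(fixed), metadata_component(fixed)["name"])
```

In a pipeline this runs right after the merge command from the first post, with the merged file and the SBOM whose subject the merged BOM should describe; the check is then applied to the written file so the build fails if metadata.component is missing again. The bom-ref collision check matters because the second input may itself list the image as a component, and two elements with the same bom-ref make the BOM invalid.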