CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Merged BOM is missing license information #227

Open proteus-russ opened 2 years ago

proteus-russ commented 2 years ago

When merging 2 BOMs, license information is being lost.

Example with 2 licenses before merge:

<component type="library">
  <group>javax.xml.stream</group>
  <name>stax-api</name>
  <version>1.0-2</version>
  <description>StAX is a standard XML processing API that allows you to stream XML data from and to your application.</description>
  <hashes>
    <hash alg="MD5">7d18b63063580284c3f5734081fdc99f</hash>
    <hash alg="SHA-1">d6337b0de8b25e53e81b922352fbea9f9f57ba0b</hash>
    <hash alg="SHA-256">e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7</hash>
    <hash alg="SHA-384">005b7398b0a42fe2f11d2a0e65f638c4479c843bedecf691b6c1795d9f95ec8b3ff629b4e8b5d62c79082e762c4b488c</hash>
    <hash alg="SHA-512">a7f337735100356f72639053734506982329015693677fafd4d2ca74c4e412caae077999cb42dee2402cc641a80c8fb027deb9d2dc6c4e141d94c9184baa9dc5</hash>
    <hash alg="SHA3-256">92a2eb0720aee125f29b1340a5571222bb6d2a50b441f839ec543a609845c68b</hash>
    <hash alg="SHA3-384">642519112968caa20b366e9f6e0cd7c3092d7da9dfe5cb47111e4dab7f025b6abf44c14805aa7d45df995a15b1c7525a</hash>
    <hash alg="SHA3-512">5be6d4726be02b83fd12db1e5c5ff871a33b097dd4b9a8d40a4466dcc194860cf76b1cbc399e4d3fe8b1e63e9b3c5f9d294fa9d85db5766b7933c346d65585b6</hash>
  </hashes>
  <licenses>
    <license>
      <name>GNU General Public Library</name>
      <url>http://www.gnu.org/licenses/gpl.txt</url>
    </license>
    <license>
      <id>CDDL-1.0</id>
      <text encoding="base64" content-type="plain/text">Q09NTU9OIERFVkVMT1BNRU5UIEFORCBESVNUUklCVVRJT04gTElDRU5TRSAoQ0RETCkKVmVyc2lvbiAxLjAKCjEuIERlZmluaXRpb25zLgoKMS4xLiDigJxDb250cmlidXRvcuKAnSBtZWFucyBlYWNoIGluZGl2aWR1YWwgb3IgZW50aXR5IHRoYXQgY3JlYXRlcyBvciBjb250cmlidXRlcyB0byB0aGUgY3JlYXRpb24gb2YgTW9kaWZpY2F0aW9ucy4KCjEuMi4g4oCcQ29udHJpYnV0b3IgVmVyc2lvbuKAnSBtZWFucyB0aGUgY29tYmluYXRpb24gb2YgdGhlIE9yaWdpbmFsIFNvZnR3YXJlLCBwcmlvciBNb2RpZmljYXRpb25zIHVzZWQgYnkgYSBDb250cmlidXRvciAoaWYgYW55KSwgYW5kIHRoZSBNb2RpZmljYXRpb25zIG1hZGUgYnkgdGhhdCBwYXJ0aWN1bGFyIENvbnRyaWJ1dG9yLgoKMS4zLiDigJxDb3ZlcmVkIFNvZnR3YXJl4oCdIG1lYW5zIChhKSB0aGUgT3JpZ2luYWwgU29mdHdhcmUsIG9yIChiKSBNb2RpZmljYXRpb25zLCBvciAoYykgdGhlIGNvbWJpbmF0aW9uIG9mIGZpbGVzIGNvbnRhaW5pbmcgT3JpZ2luYWwgU29mdHdhcmUgd2l0aCBmaWxlcyBjb250YWluaW5nIE1vZGlmaWNhdGlvbnMsIGluIGVhY2ggY2FzZSBpbmNsdWRpbmcgcG9ydGlvbnMgdGhlcmVvZi4KCjEuNC4g4oCcRXhlY3V0YWJsZeKAnSBtZWFucyB0aGUgQ292ZXJlZCBTb2Z0d2FyZSBpbiBhbnkgZm9ybSBvdGhlciB0aGFuIFNvdXJjZSBDb2RlLgoKMS41LiDigJxJbml0aWFsIERldmVsb3BlcuKAnSBtZWFucyB0aGUgaW5kaXZpZHVhbCBvciBlbnRpdHkgdGhhdCBmaXJzdCBtYWtlcyBPcmlnaW5hbCBTb2Z0d2FyZSBhdmFpbGFibGUgdW5kZXIgdGhpcyBMaWNlbnNlLgoKMS42LiDigJxMYXJnZXIgV29ya+KAnSBtZWFucyBhIHdvcmsgd2hpY2ggY29tYmluZXMgQ292ZXJlZCBTb2Z0d2FyZSBvciBwb3J0aW9ucyB0aGVyZW9mIHdpdGggY29kZSBub3QgZ292ZXJuZWQgYnkgdGhlIHRlcm1zIG9mIHRoaXMgTGljZW5zZS4KCjEuNy4g4oCcTGljZW5zZeKAnSBtZWFucyB0aGlzIGRvY3VtZW50LgoKMS44LiDigJxMaWNlbnNhYmxl4oCdIG1lYW5zIGhhdmluZyB0aGUgcmlnaHQgdG8gZ3JhbnQsIHRvIHRoZSBtYXhpbXVtIGV4dGVudCBwb3NzaWJsZSwgd2hldGhlciBhdCB0aGUgdGltZSBvZiB0aGUgaW5pdGlhbCBncmFudCBvciBzdWJzZXF1ZW50bHkgYWNxdWlyZWQsIGFueSBhbmQgYWxsIG9mIHRoZSByaWdodHMgY29udmV5ZWQgaGVyZWluLgoKMS45LiDigJxNb2RpZmljYXRpb25z4oCdIG1lYW5zIHRoZSBTb3VyY2UgQ29kZSBhbmQgRXhlY3V0YWJsZSBmb3JtIG9mIGFueSBvZiB0aGUgZm9sbG93aW5nOgoKICAgICBBLiBBbnkgZmlsZSB0aGF0IHJlc3VsdHMgZnJvbSBhbiBhZGRpdGlvbiB0bywgZGVsZXRpb24gZnJvbSBvciBtb2RpZmljYXRpb24gb2YgdGhlIGNvbnRlbnRzIG9mIGEgZmlsZSBjb250YWluaW5nIE9yaWdpbmFsIFNvZnR3YXJlIG9yIHByZXZpb3VzIE1vZGlmaWNhdGlv
bnM7CgogICAgIEIuIEFueSBuZXcgZmlsZSB0aGF0IGNvbnRhaW5zIGFueSBwYXJ0IG9mIHRoZSBPcmlnaW5hbCBTb2Z0d2FyZSBvciBwcmV2aW91cyBNb2RpZmljYXRpb247IG9yCgogICAgIEMuIEFueSBuZXcgZmlsZSB0aGF0IGlzIGNvbnRyaWJ1dGVkIG9yIG90aGVyd2lzZSBtYWRlIGF2YWlsYWJsZSB1bmRlciB0aGUgdGVybXMgb2YgdGhpcyBMaWNlbnNlLgoKMS4xMC4g4oCcT3JpZ2luYWwgU29mdHdhcmXigJ0gbWVhbnMgdGhlIFNvdXJjZSBDb2RlIGFuZCBFeGVjdXRhYmxlIGZvcm0gb2YgY29tcHV0ZXIgc29mdHdhcmUgY29kZSB0aGF0IGlzIG9yaWdpbmFsbHkgcmVsZWFzZWQgdW5kZXIgdGhpcyBMaWNlbnNlLgoKMS4xMS4g4oCcUGF0ZW50IENsYWltc+KAnSBtZWFucyBhbnkgcGF0ZW50IGNsYWltKHMpLCBub3cgb3duZWQgb3IgaGVyZWFmdGVyIGFjcXVpcmVkLCBpbmNsdWRpbmcgd2l0aG91dCBsaW1pdGF0aW9uLCBtZXRob2QsIHByb2Nlc3MsIGFuZCBhcHBhcmF0dXMgY2xhaW1zLCBpbiBhbnkgcGF0ZW50IExpY2Vuc2FibGUgYnkgZ3JhbnRvci4KCjEuMTIuIOKAnFNvdXJjZSBDb2Rl4oCdIG1lYW5zIChhKSB0aGUgY29tbW9uIGZvcm0gb2YgY29tcHV0ZXIgc29mdHdhcmUgY29kZSBpbiB3aGljaCBtb2RpZmljYXRpb25zIGFyZSBtYWRlIGFuZCAoYikgYXNzb2NpYXRlZCBkb2N1bWVudGF0aW9uIGluY2x1ZGVkIGluIG9yIHdpdGggc3VjaCBjb2RlLgoKMS4xMy4g4oCcWW914oCdIChvciDigJxZb3Vy4oCdKSBtZWFucyBhbiBpbmRpdmlkdWFsIG9yIGEgbGVnYWwgZW50aXR5IGV4ZXJjaXNpbmcgcmlnaHRzIHVuZGVyLCBhbmQgY29tcGx5aW5nIHdpdGggYWxsIG9mIHRoZSB0ZXJtcyBvZiwgdGhpcyBMaWNlbnNlLiBGb3IgbGVnYWwgZW50aXRpZXMsIOKAnFlvdeKAnSBpbmNsdWRlcyBhbnkgZW50aXR5IHdoaWNoIGNvbnRyb2xzLCBpcyBjb250cm9sbGVkIGJ5LCBvciBpcyB1bmRlciBjb21tb24gY29udHJvbCB3aXRoIFlvdS4gRm9yIHB1cnBvc2VzIG9mIHRoaXMgZGVmaW5pdGlvbiwg4oCcY29udHJvbOKAnSBtZWFucyAoYSkgdGhlIHBvd2VyLCBkaXJlY3Qgb3IgaW5kaXJlY3QsIHRvIGNhdXNlIHRoZSBkaXJlY3Rpb24gb3IgbWFuYWdlbWVudCBvZiBzdWNoIGVudGl0eSwgd2hldGhlciBieSBjb250cmFjdCBvciBvdGhlcndpc2UsIG9yIChiKSBvd25lcnNoaXAgb2YgbW9yZSB0aGFuIGZpZnR5IHBlcmNlbnQgKDUwJSkgb2YgdGhlIG91dHN0YW5kaW5nIHNoYXJlcyBvciBiZW5lZmljaWFsIG93bmVyc2hpcCBvZiBzdWNoIGVudGl0eS4KCjIuIExpY2Vuc2UgR3JhbnRzLgoKMi4xLiBUaGUgSW5pdGlhbCBEZXZlbG9wZXIgR3JhbnQuCkNvbmRpdGlvbmVkIHVwb24gWW91ciBjb21wbGlhbmNlIHdpdGggU2VjdGlvbiAzLjEgYmVsb3cgYW5kIHN1YmplY3QgdG8gdGhpcmQgcGFydHkgaW50ZWxsZWN0dWFsIHByb3BlcnR5IGNsYWltcywgdGhlIEluaXRpYWwgRGV2ZWxvcGVyIGhlcmVieSBncmFudHMgWW91IGEgd29ybGQtd2lk
ZSwgcm95YWx0eS1mcmVlLCBub24tZXhjbHVzaXZlIGxpY2Vuc2U6CgogICAgIChhKSB1bmRlciBpbnRlbGxlY3R1YWwgcHJvcGVydHkgcmlnaHRzIChvdGhlciB0aGFuIHBhdGVudCBvciB0cmFkZW1hcmspIExpY2Vuc2FibGUgYnkgSW5pdGlhbCBEZXZlbG9wZXIsIHRvIHVzZSwgcmVwcm9kdWNlLCBtb2RpZnksIGRpc3BsYXksIHBlcmZvcm0sIHN1YmxpY2Vuc2UgYW5kIGRpc3RyaWJ1dGUgdGhlIE9yaWdpbmFsIFNvZnR3YXJlIChvciBwb3J0aW9ucyB0aGVyZW9mKSwgd2l0aCBvciB3aXRob3V0IE1vZGlmaWNhdGlvbnMsIGFuZC9vciBhcyBwYXJ0IG9mIGEgTGFyZ2VyIFdvcms7IGFuZAoKICAgICAoYikgdW5kZXIgUGF0ZW50IENsYWltcyBpbmZyaW5nZWQgYnkgdGhlIG1ha2luZywgdXNpbmcgb3Igc2VsbGluZyBvZiBPcmlnaW5hbCBTb2Z0d2FyZSwgdG8gbWFrZSwgaGF2ZSBtYWRlLCB1c2UsIHByYWN0aWNlLCBzZWxsLCBhbmQgb2ZmZXIgZm9yIHNhbGUsIGFuZC9vciBvdGhlcndpc2UgZGlzcG9zZSBvZiB0aGUgT3JpZ2luYWwgU29mdHdhcmUgKG9yIHBvcnRpb25zIHRoZXJlb2YpLgoKICAgICAoYykgVGhlIGxpY2Vuc2VzIGdyYW50ZWQgaW4gU2VjdGlvbnMgMi4xKGEpIGFuZCAoYikgYXJlIGVmZmVjdGl2ZSBvbiB0aGUgZGF0ZSBJbml0aWFsIERldmVsb3BlciBmaXJzdCBkaXN0cmlidXRlcyBvciBvdGhlcndpc2UgbWFrZXMgdGhlIE9yaWdpbmFsIFNvZnR3YXJlIGF2YWlsYWJsZSB0byBhIHRoaXJkIHBhcnR5IHVuZGVyIHRoZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2UuCgogICAgIChkKSBOb3R3aXRoc3RhbmRpbmcgU2VjdGlvbiAyLjEoYikgYWJvdmUsIG5vIHBhdGVudCBsaWNlbnNlIGlzIGdyYW50ZWQ6ICgxKSBmb3IgY29kZSB0aGF0IFlvdSBkZWxldGUgZnJvbSB0aGUgT3JpZ2luYWwgU29mdHdhcmUsIG9yICgyKSBmb3IgaW5mcmluZ2VtZW50cyBjYXVzZWQgYnk6IChpKSB0aGUgbW9kaWZpY2F0aW9uIG9mIHRoZSBPcmlnaW5hbCBTb2Z0d2FyZSwgb3IgKGlpKSB0aGUgY29tYmluYXRpb24gb2YgdGhlIE9yaWdpbmFsIFNvZnR3YXJlIHdpdGggb3RoZXIgc29mdHdhcmUgb3IgZGV2aWNlcy4KCjIuMi4gQ29udHJpYnV0b3IgR3JhbnQuCkNvbmRpdGlvbmVkIHVwb24gWW91ciBjb21wbGlhbmNlIHdpdGggU2VjdGlvbiAzLjEgYmVsb3cgYW5kIHN1YmplY3QgdG8gdGhpcmQgcGFydHkgaW50ZWxsZWN0dWFsIHByb3BlcnR5IGNsYWltcywgZWFjaCBDb250cmlidXRvciBoZXJlYnkgZ3JhbnRzIFlvdSBhIHdvcmxkLXdpZGUsIHJveWFsdHktZnJlZSwgbm9uLWV4Y2x1c2l2ZSBsaWNlbnNlOgoKICAgICAoYSkgdW5kZXIgaW50ZWxsZWN0dWFsIHByb3BlcnR5IHJpZ2h0cyAob3RoZXIgdGhhbiBwYXRlbnQgb3IgdHJhZGVtYXJrKSBMaWNlbnNhYmxlIGJ5IENvbnRyaWJ1dG9yIHRvIHVzZSwgcmVwcm9kdWNlLCBtb2RpZnksIGRpc3BsYXksIHBlcmZvcm0sIHN1YmxpY2Vuc2UgYW5kIGRpc3RyaWJ1dGUgdGhlIE1vZGlmaWNhdGlvbnMg
Y3JlYXRlZCBieSBzdWNoIENvbnRyaWJ1dG9yIChvciBwb3J0aW9ucyB0aGVyZW9mKSwgZWl0aGVyIG9uIGFuIHVubW9kaWZpZWQgYmFzaXMsIHdpdGggb3RoZXIgTW9kaWZpY2F0aW9ucywgYXMgQ292ZXJlZCBTb2Z0d2FyZSBhbmQvb3IgYXMgcGFydCBvZiBhIExhcmdlciBXb3JrOyBhbmQKCiAgICAgKGIpIHVuZGVyIFBhdGVudCBDbGFpbXMgaW5mcmluZ2VkIGJ5IHRoZSBtYWtpbmcsIHVzaW5nLCBvciBzZWxsaW5nIG9mIE1vZGlmaWNhdGlvbnMgbWFkZSBieSB0aGF0IENvbnRyaWJ1dG9yIGVpdGhlciBhbG9uZSBhbmQvb3IgaW4gY29tYmluYXRpb24gd2l0aCBpdHMgQ29udHJpYnV0b3IgVmVyc2lvbiAob3IgcG9ydGlvbnMgb2Ygc3VjaCBjb21iaW5hdGlvbiksIHRvIG1ha2UsIHVzZSwgc2VsbCwgb2ZmZXIgZm9yIHNhbGUsIGhhdmUgbWFkZSwgYW5kL29yIG90aGVyd2lzZSBkaXNwb3NlIG9mOiAoMSkgTW9kaWZpY2F0aW9ucyBtYWRlIGJ5IHRoYXQgQ29udHJpYnV0b3IgKG9yIHBvcnRpb25zIHRoZXJlb2YpOyBhbmQgKDIpIHRoZSBjb21iaW5hdGlvbiBvZiBNb2RpZmljYXRpb25zIG1hZGUgYnkgdGhhdCBDb250cmlidXRvciB3aXRoIGl0cyBDb250cmlidXRvciBWZXJzaW9uIChvciBwb3J0aW9ucyBvZiBzdWNoIGNvbWJpbmF0aW9uKS4KCiAgICAgKGMpIFRoZSBsaWNlbnNlcyBncmFudGVkIGluIFNlY3Rpb25zIDIuMihhKSBhbmQgMi4yKGIpIGFyZSBlZmZlY3RpdmUgb24gdGhlIGRhdGUgQ29udHJpYnV0b3IgZmlyc3QgZGlzdHJpYnV0ZXMgb3Igb3RoZXJ3aXNlIG1ha2VzIHRoZSBNb2RpZmljYXRpb25zIGF2YWlsYWJsZSB0byBhIHRoaXJkIHBhcnR5LgoKICAgICAoZCkgTm90d2l0aHN0YW5kaW5nIFNlY3Rpb24gMi4yKGIpIGFib3ZlLCBubyBwYXRlbnQgbGljZW5zZSBpcyBncmFudGVkOiAoMSkgZm9yIGFueSBjb2RlIHRoYXQgQ29udHJpYnV0b3IgaGFzIGRlbGV0ZWQgZnJvbSB0aGUgQ29udHJpYnV0b3IgVmVyc2lvbjsgKDIpIGZvciBpbmZyaW5nZW1lbnRzIGNhdXNlZCBieTogKGkpIHRoaXJkIHBhcnR5IG1vZGlmaWNhdGlvbnMgb2YgQ29udHJpYnV0b3IgVmVyc2lvbiwgb3IgKGlpKSB0aGUgY29tYmluYXRpb24gb2YgTW9kaWZpY2F0aW9ucyBtYWRlIGJ5IHRoYXQgQ29udHJpYnV0b3Igd2l0aCBvdGhlciBzb2Z0d2FyZSAoZXhjZXB0IGFzIHBhcnQgb2YgdGhlIENvbnRyaWJ1dG9yIFZlcnNpb24pIG9yIG90aGVyIGRldmljZXM7IG9yICgzKSB1bmRlciBQYXRlbnQgQ2xhaW1zIGluZnJpbmdlZCBieSBDb3ZlcmVkIFNvZnR3YXJlIGluIHRoZSBhYnNlbmNlIG9mIE1vZGlmaWNhdGlvbnMgbWFkZSBieSB0aGF0IENvbnRyaWJ1dG9yLgoKMy4gRGlzdHJpYnV0aW9uIE9ibGlnYXRpb25zLgoKMy4xLiBBdmFpbGFiaWxpdHkgb2YgU291cmNlIENvZGUuCkFueSBDb3ZlcmVkIFNvZnR3YXJlIHRoYXQgWW91IGRpc3RyaWJ1dGUgb3Igb3RoZXJ3aXNlIG1ha2UgYXZhaWxhYmxlIGluIEV4ZWN1dGFibGUgZm9ybSBtdXN0IGFsc28g
YmUgbWFkZSBhdmFpbGFibGUgaW4gU291cmNlIENvZGUgZm9ybSBhbmQgdGhhdCBTb3VyY2UgQ29kZSBmb3JtIG11c3QgYmUgZGlzdHJpYnV0ZWQgb25seSB1bmRlciB0aGUgdGVybXMgb2YgdGhpcyBMaWNlbnNlLiBZb3UgbXVzdCBpbmNsdWRlIGEgY29weSBvZiB0aGlzIExpY2Vuc2Ugd2l0aCBldmVyeSBjb3B5IG9mIHRoZSBTb3VyY2UgQ29kZSBmb3JtIG9mIHRoZSBDb3ZlcmVkIFNvZnR3YXJlIFlvdSBkaXN0cmlidXRlIG9yIG90aGVyd2lzZSBtYWtlIGF2YWlsYWJsZS4gWW91IG11c3QgaW5mb3JtIHJlY2lwaWVudHMgb2YgYW55IHN1Y2ggQ292ZXJlZCBTb2Z0d2FyZSBpbiBFeGVjdXRhYmxlIGZvcm0gYXMgdG8gaG93IHRoZXkgY2FuIG9idGFpbiBzdWNoIENvdmVyZWQgU29mdHdhcmUgaW4gU291cmNlIENvZGUgZm9ybSBpbiBhIHJlYXNvbmFibGUgbWFubmVyIG9uIG9yIHRocm91Z2ggYSBtZWRpdW0gY3VzdG9tYXJpbHkgdXNlZCBmb3Igc29mdHdhcmUgZXhjaGFuZ2UuCgozLjIuIE1vZGlmaWNhdGlvbnMuClRoZSBNb2RpZmljYXRpb25zIHRoYXQgWW91IGNyZWF0ZSBvciB0byB3aGljaCBZb3UgY29udHJpYnV0ZSBhcmUgZ292ZXJuZWQgYnkgdGhlIHRlcm1zIG9mIHRoaXMgTGljZW5zZS4gWW91IHJlcHJlc2VudCB0aGF0IFlvdSBiZWxpZXZlIFlvdXIgTW9kaWZpY2F0aW9ucyBhcmUgWW91ciBvcmlnaW5hbCBjcmVhdGlvbihzKSBhbmQvb3IgWW91IGhhdmUgc3VmZmljaWVudCByaWdodHMgdG8gZ3JhbnQgdGhlIHJpZ2h0cyBjb252ZXllZCBieSB0aGlzIExpY2Vuc2UuCgozLjMuIFJlcXVpcmVkIE5vdGljZXMuCllvdSBtdXN0IGluY2x1ZGUgYSBub3RpY2UgaW4gZWFjaCBvZiBZb3VyIE1vZGlmaWNhdGlvbnMgdGhhdCBpZGVudGlmaWVzIFlvdSBhcyB0aGUgQ29udHJpYnV0b3Igb2YgdGhlIE1vZGlmaWNhdGlvbi4gWW91IG1heSBub3QgcmVtb3ZlIG9yIGFsdGVyIGFueSBjb3B5cmlnaHQsIHBhdGVudCBvciB0cmFkZW1hcmsgbm90aWNlcyBjb250YWluZWQgd2l0aGluIHRoZSBDb3ZlcmVkIFNvZnR3YXJlLCBvciBhbnkgbm90aWNlcyBvZiBsaWNlbnNpbmcgb3IgYW55IGRlc2NyaXB0aXZlIHRleHQgZ2l2aW5nIGF0dHJpYnV0aW9uIHRvIGFueSBDb250cmlidXRvciBvciB0aGUgSW5pdGlhbCBEZXZlbG9wZXIuCgozLjQuIEFwcGxpY2F0aW9uIG9mIEFkZGl0aW9uYWwgVGVybXMuCllvdSBtYXkgbm90IG9mZmVyIG9yIGltcG9zZSBhbnkgdGVybXMgb24gYW55IENvdmVyZWQgU29mdHdhcmUgaW4gU291cmNlIENvZGUgZm9ybSB0aGF0IGFsdGVycyBvciByZXN0cmljdHMgdGhlIGFwcGxpY2FibGUgdmVyc2lvbiBvZiB0aGlzIExpY2Vuc2Ugb3IgdGhlIHJlY2lwaWVudHPigJkgcmlnaHRzIGhlcmV1bmRlci4gWW91IG1heSBjaG9vc2UgdG8gb2ZmZXIsIGFuZCB0byBjaGFyZ2UgYSBmZWUgZm9yLCB3YXJyYW50eSwgc3VwcG9ydCwgaW5kZW1uaXR5IG9yIGxpYWJpbGl0eSBvYmxpZ2F0aW9ucyB0byBvbmUgb3IgbW9yZSByZWNpcGll
bnRzIG9mIENvdmVyZWQgU29mdHdhcmUuIEhvd2V2ZXIsIHlvdSBtYXkgZG8gc28gb25seSBvbiBZb3VyIG93biBiZWhhbGYsIGFuZCBub3Qgb24gYmVoYWxmIG9mIHRoZSBJbml0aWFsIERldmVsb3BlciBvciBhbnkgQ29udHJpYnV0b3IuIFlvdSBtdXN0IG1ha2UgaXQgYWJzb2x1dGVseSBjbGVhciB0aGF0IGFueSBzdWNoIHdhcnJhbnR5LCBzdXBwb3J0LCBpbmRlbW5pdHkgb3IgbGlhYmlsaXR5IG9ibGlnYXRpb24gaXMgb2ZmZXJlZCBieSBZb3UgYWxvbmUsIGFuZCBZb3UgaGVyZWJ5IGFncmVlIHRvIGluZGVtbmlmeSB0aGUgSW5pdGlhbCBEZXZlbG9wZXIgYW5kIGV2ZXJ5IENvbnRyaWJ1dG9yIGZvciBhbnkgbGlhYmlsaXR5IGluY3VycmVkIGJ5IHRoZSBJbml0aWFsIERldmVsb3BlciBvciBzdWNoIENvbnRyaWJ1dG9yIGFzIGEgcmVzdWx0IG9mIHdhcnJhbnR5LCBzdXBwb3J0LCBpbmRlbW5pdHkgb3IgbGlhYmlsaXR5IHRlcm1zIFlvdSBvZmZlci4KCjMuNS4gRGlzdHJpYnV0aW9uIG9mIEV4ZWN1dGFibGUgVmVyc2lvbnMuCllvdSBtYXkgZGlzdHJpYnV0ZSB0aGUgRXhlY3V0YWJsZSBmb3JtIG9mIHRoZSBDb3ZlcmVkIFNvZnR3YXJlIHVuZGVyIHRoZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2Ugb3IgdW5kZXIgdGhlIHRlcm1zIG9mIGEgbGljZW5zZSBvZiBZb3VyIGNob2ljZSwgd2hpY2ggbWF5IGNvbnRhaW4gdGVybXMgZGlmZmVyZW50IGZyb20gdGhpcyBMaWNlbnNlLCBwcm92aWRlZCB0aGF0IFlvdSBhcmUgaW4gY29tcGxpYW5jZSB3aXRoIHRoZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2UgYW5kIHRoYXQgdGhlIGxpY2Vuc2UgZm9yIHRoZSBFeGVjdXRhYmxlIGZvcm0gZG9lcyBub3QgYXR0ZW1wdCB0byBsaW1pdCBvciBhbHRlciB0aGUgcmVjaXBpZW504oCZcyByaWdodHMgaW4gdGhlIFNvdXJjZSBDb2RlIGZvcm0gZnJvbSB0aGUgcmlnaHRzIHNldCBmb3J0aCBpbiB0aGlzIExpY2Vuc2UuIElmIFlvdSBkaXN0cmlidXRlIHRoZSBDb3ZlcmVkIFNvZnR3YXJlIGluIEV4ZWN1dGFibGUgZm9ybSB1bmRlciBhIGRpZmZlcmVudCBsaWNlbnNlLCBZb3UgbXVzdCBtYWtlIGl0IGFic29sdXRlbHkgY2xlYXIgdGhhdCBhbnkgdGVybXMgd2hpY2ggZGlmZmVyIGZyb20gdGhpcyBMaWNlbnNlIGFyZSBvZmZlcmVkIGJ5IFlvdSBhbG9uZSwgbm90IGJ5IHRoZSBJbml0aWFsIERldmVsb3BlciBvciBDb250cmlidXRvci4gWW91IGhlcmVieSBhZ3JlZSB0byBpbmRlbW5pZnkgdGhlIEluaXRpYWwgRGV2ZWxvcGVyIGFuZCBldmVyeSBDb250cmlidXRvciBmb3IgYW55IGxpYWJpbGl0eSBpbmN1cnJlZCBieSB0aGUgSW5pdGlhbCBEZXZlbG9wZXIgb3Igc3VjaCBDb250cmlidXRvciBhcyBhIHJlc3VsdCBvZiBhbnkgc3VjaCB0ZXJtcyBZb3Ugb2ZmZXIuCgozLjYuIExhcmdlciBXb3Jrcy4KWW91IG1heSBjcmVhdGUgYSBMYXJnZXIgV29yayBieSBjb21iaW5pbmcgQ292ZXJlZCBTb2Z0d2FyZSB3aXRoIG90aGVyIGNvZGUgbm90IGdvdmVybmVkIGJ5IHRo
ZSB0ZXJtcyBvZiB0aGlzIExpY2Vuc2UgYW5kIGRpc3RyaWJ1dGUgdGhlIExhcmdlciBXb3JrIGFzIGEgc2luZ2xlIHByb2R1Y3QuIEluIHN1Y2ggYSBjYXNlLCBZb3UgbXVzdCBtYWtlIHN1cmUgdGhlIHJlcXVpcmVtZW50cyBvZiB0aGlzIExpY2Vuc2UgYXJlIGZ1bGZpbGxlZCBmb3IgdGhlIENvdmVyZWQgU29mdHdhcmUuCgo0LiBWZXJzaW9ucyBvZiB0aGUgTGljZW5zZS4KCjQuMS4gTmV3IFZlcnNpb25zLgpTdW4gTWljcm9zeXN0ZW1zLCBJbmMuIGlzIHRoZSBpbml0aWFsIGxpY2Vuc2Ugc3Rld2FyZCBhbmQgbWF5IHB1Ymxpc2ggcmV2aXNlZCBhbmQvb3IgbmV3IHZlcnNpb25zIG9mIHRoaXMgTGljZW5zZSBmcm9tIHRpbWUgdG8gdGltZS4gRWFjaCB2ZXJzaW9uIHdpbGwgYmUgZ2l2ZW4gYSBkaXN0aW5ndWlzaGluZyB2ZXJzaW9uIG51bWJlci4gRXhjZXB0IGFzIHByb3ZpZGVkIGluIFNlY3Rpb24gNC4zLCBubyBvbmUgb3RoZXIgdGhhbiB0aGUgbGljZW5zZSBzdGV3YXJkIGhhcyB0aGUgcmlnaHQgdG8gbW9kaWZ5IHRoaXMgTGljZW5zZS4KCjQuMi4gRWZmZWN0IG9mIE5ldyBWZXJzaW9ucy4KWW91IG1heSBhbHdheXMgY29udGludWUgdG8gdXNlLCBkaXN0cmlidXRlIG9yIG90aGVyd2lzZSBtYWtlIHRoZSBDb3ZlcmVkIFNvZnR3YXJlIGF2YWlsYWJsZSB1bmRlciB0aGUgdGVybXMgb2YgdGhlIHZlcnNpb24gb2YgdGhlIExpY2Vuc2UgdW5kZXIgd2hpY2ggWW91IG9yaWdpbmFsbHkgcmVjZWl2ZWQgdGhlIENvdmVyZWQgU29mdHdhcmUuIElmIHRoZSBJbml0aWFsIERldmVsb3BlciBpbmNsdWRlcyBhIG5vdGljZSBpbiB0aGUgT3JpZ2luYWwgU29mdHdhcmUgcHJvaGliaXRpbmcgaXQgZnJvbSBiZWluZyBkaXN0cmlidXRlZCBvciBvdGhlcndpc2UgbWFkZSBhdmFpbGFibGUgdW5kZXIgYW55IHN1YnNlcXVlbnQgdmVyc2lvbiBvZiB0aGUgTGljZW5zZSwgWW91IG11c3QgZGlzdHJpYnV0ZSBhbmQgbWFrZSB0aGUgQ292ZXJlZCBTb2Z0d2FyZSBhdmFpbGFibGUgdW5kZXIgdGhlIHRlcm1zIG9mIHRoZSB2ZXJzaW9uIG9mIHRoZSBMaWNlbnNlIHVuZGVyIHdoaWNoIFlvdSBvcmlnaW5hbGx5IHJlY2VpdmVkIHRoZSBDb3ZlcmVkIFNvZnR3YXJlLiBPdGhlcndpc2UsIFlvdSBtYXkgYWxzbyBjaG9vc2UgdG8gdXNlLCBkaXN0cmlidXRlIG9yIG90aGVyd2lzZSBtYWtlIHRoZSBDb3ZlcmVkIFNvZnR3YXJlIGF2YWlsYWJsZSB1bmRlciB0aGUgdGVybXMgb2YgYW55IHN1YnNlcXVlbnQgdmVyc2lvbiBvZiB0aGUgTGljZW5zZSBwdWJsaXNoZWQgYnkgdGhlIGxpY2Vuc2Ugc3Rld2FyZC4KCjQuMy4gTW9kaWZpZWQgVmVyc2lvbnMuCldoZW4gWW91IGFyZSBhbiBJbml0aWFsIERldmVsb3BlciBhbmQgWW91IHdhbnQgdG8gY3JlYXRlIGEgbmV3IGxpY2Vuc2UgZm9yIFlvdXIgT3JpZ2luYWwgU29mdHdhcmUsIFlvdSBtYXkgY3JlYXRlIGFuZCB1c2UgYSBtb2RpZmllZCB2ZXJzaW9uIG9mIHRoaXMgTGljZW5zZSBpZiBZb3U6IChhKSByZW5hbWUgdGhl
IGxpY2Vuc2UgYW5kIHJlbW92ZSBhbnkgcmVmZXJlbmNlcyB0byB0aGUgbmFtZSBvZiB0aGUgbGljZW5zZSBzdGV3YXJkIChleGNlcHQgdG8gbm90ZSB0aGF0IHRoZSBsaWNlbnNlIGRpZmZlcnMgZnJvbSB0aGlzIExpY2Vuc2UpOyBhbmQgKGIpIG90aGVyd2lzZSBtYWtlIGl0IGNsZWFyIHRoYXQgdGhlIGxpY2Vuc2UgY29udGFpbnMgdGVybXMgd2hpY2ggZGlmZmVyIGZyb20gdGhpcyBMaWNlbnNlLgoKNS4gRElTQ0xBSU1FUiBPRiBXQVJSQU5UWS4KCkNPVkVSRUQgU09GVFdBUkUgSVMgUFJPVklERUQgVU5ERVIgVEhJUyBMSUNFTlNFIE9OIEFOIOKAnEFTIElT4oCdIEJBU0lTLCBXSVRIT1VUIFdBUlJBTlRZIE9GIEFOWSBLSU5ELCBFSVRIRVIgRVhQUkVTU0VEIE9SIElNUExJRUQsIElOQ0xVRElORywgV0lUSE9VVCBMSU1JVEFUSU9OLCBXQVJSQU5USUVTIFRIQVQgVEhFIENPVkVSRUQgU09GVFdBUkUgSVMgRlJFRSBPRiBERUZFQ1RTLCBNRVJDSEFOVEFCTEUsIEZJVCBGT1IgQSBQQVJUSUNVTEFSIFBVUlBPU0UgT1IgTk9OLUlORlJJTkdJTkcuIFRIRSBFTlRJUkUgUklTSyBBUyBUTyBUSEUgUVVBTElUWSBBTkQgUEVSRk9STUFOQ0UgT0YgVEhFIENPVkVSRUQgU09GVFdBUkUgSVMgV0lUSCBZT1UuIFNIT1VMRCBBTlkgQ09WRVJFRCBTT0ZUV0FSRSBQUk9WRSBERUZFQ1RJVkUgSU4gQU5ZIFJFU1BFQ1QsIFlPVSAoTk9UIFRIRSBJTklUSUFMIERFVkVMT1BFUiBPUiBBTlkgT1RIRVIgQ09OVFJJQlVUT1IpIEFTU1VNRSBUSEUgQ09TVCBPRiBBTlkgTkVDRVNTQVJZIFNFUlZJQ0lORywgUkVQQUlSIE9SIENPUlJFQ1RJT04uIFRISVMgRElTQ0xBSU1FUiBPRiBXQVJSQU5UWSBDT05TVElUVVRFUyBBTiBFU1NFTlRJQUwgUEFSVCBPRiBUSElTIExJQ0VOU0UuIE5PIFVTRSBPRiBBTlkgQ09WRVJFRCBTT0ZUV0FSRSBJUyBBVVRIT1JJWkVEIEhFUkVVTkRFUiBFWENFUFQgVU5ERVIgVEhJUyBESVNDTEFJTUVSLgoKNi4gVEVSTUlOQVRJT04uCgo2LjEuIFRoaXMgTGljZW5zZSBhbmQgdGhlIHJpZ2h0cyBncmFudGVkIGhlcmV1bmRlciB3aWxsIHRlcm1pbmF0ZSBhdXRvbWF0aWNhbGx5IGlmIFlvdSBmYWlsIHRvIGNvbXBseSB3aXRoIHRlcm1zIGhlcmVpbiBhbmQgZmFpbCB0byBjdXJlIHN1Y2ggYnJlYWNoIHdpdGhpbiAzMCBkYXlzIG9mIGJlY29taW5nIGF3YXJlIG9mIHRoZSBicmVhY2guIFByb3Zpc2lvbnMgd2hpY2gsIGJ5IHRoZWlyIG5hdHVyZSwgbXVzdCByZW1haW4gaW4gZWZmZWN0IGJleW9uZCB0aGUgdGVybWluYXRpb24gb2YgdGhpcyBMaWNlbnNlIHNoYWxsIHN1cnZpdmUuCgo2LjIuIElmIFlvdSBhc3NlcnQgYSBwYXRlbnQgaW5mcmluZ2VtZW50IGNsYWltIChleGNsdWRpbmcgZGVjbGFyYXRvcnkganVkZ21lbnQgYWN0aW9ucykgYWdhaW5zdCBJbml0aWFsIERldmVsb3BlciBvciBhIENvbnRyaWJ1dG9yICh0aGUgSW5pdGlhbCBEZXZlbG9wZXIgb3IgQ29udHJpYnV0b3IgYWdhaW5zdCB3aG9tIFlvdSBhc3NlcnQgc3VjaCBjbGFpbSBp
cyByZWZlcnJlZCB0byBhcyDigJxQYXJ0aWNpcGFudOKAnSkgYWxsZWdpbmcgdGhhdCB0aGUgUGFydGljaXBhbnQgU29mdHdhcmUgKG1lYW5pbmcgdGhlIENvbnRyaWJ1dG9yIFZlcnNpb24gd2hlcmUgdGhlIFBhcnRpY2lwYW50IGlzIGEgQ29udHJpYnV0b3Igb3IgdGhlIE9yaWdpbmFsIFNvZnR3YXJlIHdoZXJlIHRoZSBQYXJ0aWNpcGFudCBpcyB0aGUgSW5pdGlhbCBEZXZlbG9wZXIpIGRpcmVjdGx5IG9yIGluZGlyZWN0bHkgaW5mcmluZ2VzIGFueSBwYXRlbnQsIHRoZW4gYW55IGFuZCBhbGwgcmlnaHRzIGdyYW50ZWQgZGlyZWN0bHkgb3IgaW5kaXJlY3RseSB0byBZb3UgYnkgc3VjaCBQYXJ0aWNpcGFudCwgdGhlIEluaXRpYWwgRGV2ZWxvcGVyIChpZiB0aGUgSW5pdGlhbCBEZXZlbG9wZXIgaXMgbm90IHRoZSBQYXJ0aWNpcGFudCkgYW5kIGFsbCBDb250cmlidXRvcnMgdW5kZXIgU2VjdGlvbnMgMi4xIGFuZC9vciAyLjIgb2YgdGhpcyBMaWNlbnNlIHNoYWxsLCB1cG9uIDYwIGRheXMgbm90aWNlIGZyb20gUGFydGljaXBhbnQgdGVybWluYXRlIHByb3NwZWN0aXZlbHkgYW5kIGF1dG9tYXRpY2FsbHkgYXQgdGhlIGV4cGlyYXRpb24gb2Ygc3VjaCA2MCBkYXkgbm90aWNlIHBlcmlvZCwgdW5sZXNzIGlmIHdpdGhpbiBzdWNoIDYwIGRheSBwZXJpb2QgWW91IHdpdGhkcmF3IFlvdXIgY2xhaW0gd2l0aCByZXNwZWN0IHRvIHRoZSBQYXJ0aWNpcGFudCBTb2Z0d2FyZSBhZ2FpbnN0IHN1Y2ggUGFydGljaXBhbnQgZWl0aGVyIHVuaWxhdGVyYWxseSBvciBwdXJzdWFudCB0byBhIHdyaXR0ZW4gYWdyZWVtZW50IHdpdGggUGFydGljaXBhbnQuCgo2LjMuIEluIHRoZSBldmVudCBvZiB0ZXJtaW5hdGlvbiB1bmRlciBTZWN0aW9ucyA2LjEgb3IgNi4yIGFib3ZlLCBhbGwgZW5kIHVzZXIgbGljZW5zZXMgdGhhdCBoYXZlIGJlZW4gdmFsaWRseSBncmFudGVkIGJ5IFlvdSBvciBhbnkgZGlzdHJpYnV0b3IgaGVyZXVuZGVyIHByaW9yIHRvIHRlcm1pbmF0aW9uIChleGNsdWRpbmcgbGljZW5zZXMgZ3JhbnRlZCB0byBZb3UgYnkgYW55IGRpc3RyaWJ1dG9yKSBzaGFsbCBzdXJ2aXZlIHRlcm1pbmF0aW9uLgoKNy4gTElNSVRBVElPTiBPRiBMSUFCSUxJVFkuCgpVTkRFUiBOTyBDSVJDVU1TVEFOQ0VTIEFORCBVTkRFUiBOTyBMRUdBTCBUSEVPUlksIFdIRVRIRVIgVE9SVCAoSU5DTFVESU5HIE5FR0xJR0VOQ0UpLCBDT05UUkFDVCwgT1IgT1RIRVJXSVNFLCBTSEFMTCBZT1UsIFRIRSBJTklUSUFMIERFVkVMT1BFUiwgQU5ZIE9USEVSIENPTlRSSUJVVE9SLCBPUiBBTlkgRElTVFJJQlVUT1IgT0YgQ09WRVJFRCBTT0ZUV0FSRSwgT1IgQU5ZIFNVUFBMSUVSIE9GIEFOWSBPRiBTVUNIIFBBUlRJRVMsIEJFIExJQUJMRSBUTyBBTlkgUEVSU09OIEZPUiBBTlkgSU5ESVJFQ1QsIFNQRUNJQUwsIElOQ0lERU5UQUwsIE9SIENPTlNFUVVFTlRJQUwgREFNQUdFUyBPRiBBTlkgQ0hBUkFDVEVSIElOQ0xVRElORywgV0lUSE9VVCBMSU1JVEFUSU9OLCBEQU1BR0VT
IEZPUiBMT1NUIFBST0ZJVFMsIExPU1MgT0YgR09PRFdJTEwsIFdPUksgU1RPUFBBR0UsIENPTVBVVEVSIEZBSUxVUkUgT1IgTUFMRlVOQ1RJT04sIE9SIEFOWSBBTkQgQUxMIE9USEVSIENPTU1FUkNJQUwgREFNQUdFUyBPUiBMT1NTRVMsIEVWRU4gSUYgU1VDSCBQQVJUWSBTSEFMTCBIQVZFIEJFRU4gSU5GT1JNRUQgT0YgVEhFIFBPU1NJQklMSVRZIE9GIFNVQ0ggREFNQUdFUy4gVEhJUyBMSU1JVEFUSU9OIE9GIExJQUJJTElUWSBTSEFMTCBOT1QgQVBQTFkgVE8gTElBQklMSVRZIEZPUiBERUFUSCBPUiBQRVJTT05BTCBJTkpVUlkgUkVTVUxUSU5HIEZST00gU1VDSCBQQVJUWeKAmVMgTkVHTElHRU5DRSBUTyBUSEUgRVhURU5UIEFQUExJQ0FCTEUgTEFXIFBST0hJQklUUyBTVUNIIExJTUlUQVRJT04uIFNPTUUgSlVSSVNESUNUSU9OUyBETyBOT1QgQUxMT1cgVEhFIEVYQ0xVU0lPTiBPUiBMSU1JVEFUSU9OIE9GIElOQ0lERU5UQUwgT1IgQ09OU0VRVUVOVElBTCBEQU1BR0VTLCBTTyBUSElTIEVYQ0xVU0lPTiBBTkQgTElNSVRBVElPTiBNQVkgTk9UIEFQUExZIFRPIFlPVS4KCjguIFUuUy4gR09WRVJOTUVOVCBFTkQgVVNFUlMuCgpUaGUgQ292ZXJlZCBTb2Z0d2FyZSBpcyBhIOKAnGNvbW1lcmNpYWwgaXRlbSzigJ0gYXMgdGhhdCB0ZXJtIGlzIGRlZmluZWQgaW4gNDggQy5GLlIuIDIuMTAxIChPY3QuIDE5OTUpLCBjb25zaXN0aW5nIG9mIOKAnGNvbW1lcmNpYWwgY29tcHV0ZXIgc29mdHdhcmXigJ0gKGFzIHRoYXQgdGVybSBpcyBkZWZpbmVkIGF0IDQ4IEMuRi5SLiDCpyAyNTIuMjI3LTcwMTQoYSkoMSkpIGFuZCDigJxjb21tZXJjaWFsIGNvbXB1dGVyIHNvZnR3YXJlIGRvY3VtZW50YXRpb27igJ0gYXMgc3VjaCB0ZXJtcyBhcmUgdXNlZCBpbiA0OCBDLkYuUi4gMTIuMjEyIChTZXB0LiAxOTk1KS4gQ29uc2lzdGVudCB3aXRoIDQ4IEMuRi5SLiAxMi4yMTIgYW5kIDQ4IEMuRi5SLiAyMjcuNzIwMi0xIHRocm91Z2ggMjI3LjcyMDItNCAoSnVuZSAxOTk1KSwgYWxsIFUuUy4gR292ZXJubWVudCBFbmQgVXNlcnMgYWNxdWlyZSBDb3ZlcmVkIFNvZnR3YXJlIHdpdGggb25seSB0aG9zZSByaWdodHMgc2V0IGZvcnRoIGhlcmVpbi4gVGhpcyBVLlMuIEdvdmVybm1lbnQgUmlnaHRzIGNsYXVzZSBpcyBpbiBsaWV1IG9mLCBhbmQgc3VwZXJzZWRlcywgYW55IG90aGVyIEZBUiwgREZBUiwgb3Igb3RoZXIgY2xhdXNlIG9yIHByb3Zpc2lvbiB0aGF0IGFkZHJlc3NlcyBHb3Zlcm5tZW50IHJpZ2h0cyBpbiBjb21wdXRlciBzb2Z0d2FyZSB1bmRlciB0aGlzIExpY2Vuc2UuCgo5LiBNSVNDRUxMQU5FT1VTLgoKVGhpcyBMaWNlbnNlIHJlcHJlc2VudHMgdGhlIGNvbXBsZXRlIGFncmVlbWVudCBjb25jZXJuaW5nIHN1YmplY3QgbWF0dGVyIGhlcmVvZi4gSWYgYW55IHByb3Zpc2lvbiBvZiB0aGlzIExpY2Vuc2UgaXMgaGVsZCB0byBiZSB1bmVuZm9yY2VhYmxlLCBzdWNoIHByb3Zpc2lvbiBzaGFsbCBiZSByZWZvcm1lZCBvbmx5IHRvIHRoZSBleHRl
bnQgbmVjZXNzYXJ5IHRvIG1ha2UgaXQgZW5mb3JjZWFibGUuIFRoaXMgTGljZW5zZSBzaGFsbCBiZSBnb3Zlcm5lZCBieSB0aGUgbGF3IG9mIHRoZSBqdXJpc2RpY3Rpb24gc3BlY2lmaWVkIGluIGEgbm90aWNlIGNvbnRhaW5lZCB3aXRoaW4gdGhlIE9yaWdpbmFsIFNvZnR3YXJlIChleGNlcHQgdG8gdGhlIGV4dGVudCBhcHBsaWNhYmxlIGxhdywgaWYgYW55LCBwcm92aWRlcyBvdGhlcndpc2UpLCBleGNsdWRpbmcgc3VjaCBqdXJpc2RpY3Rpb27igJlzIGNvbmZsaWN0LW9mLWxhdyBwcm92aXNpb25zLiBBbnkgbGl0aWdhdGlvbiByZWxhdGluZyB0byB0aGlzIExpY2Vuc2Ugc2hhbGwgYmUgc3ViamVjdCB0byB0aGUganVyaXNkaWN0aW9uIG9mIHRoZSBjb3VydHMgbG9jYXRlZCBpbiB0aGUganVyaXNkaWN0aW9uIGFuZCB2ZW51ZSBzcGVjaWZpZWQgaW4gYSBub3RpY2UgY29udGFpbmVkIHdpdGhpbiB0aGUgT3JpZ2luYWwgU29mdHdhcmUsIHdpdGggdGhlIGxvc2luZyBwYXJ0eSByZXNwb25zaWJsZSBmb3IgY29zdHMsIGluY2x1ZGluZywgd2l0aG91dCBsaW1pdGF0aW9uLCBjb3VydCBjb3N0cyBhbmQgcmVhc29uYWJsZSBhdHRvcm5leXPigJkgZmVlcyBhbmQgZXhwZW5zZXMuIFRoZSBhcHBsaWNhdGlvbiBvZiB0aGUgVW5pdGVkIE5hdGlvbnMgQ29udmVudGlvbiBvbiBDb250cmFjdHMgZm9yIHRoZSBJbnRlcm5hdGlvbmFsIFNhbGUgb2YgR29vZHMgaXMgZXhwcmVzc2x5IGV4Y2x1ZGVkLiBBbnkgbGF3IG9yIHJlZ3VsYXRpb24gd2hpY2ggcHJvdmlkZXMgdGhhdCB0aGUgbGFuZ3VhZ2Ugb2YgYSBjb250cmFjdCBzaGFsbCBiZSBjb25zdHJ1ZWQgYWdhaW5zdCB0aGUgZHJhZnRlciBzaGFsbCBub3QgYXBwbHkgdG8gdGhpcyBMaWNlbnNlLiBZb3UgYWdyZWUgdGhhdCBZb3UgYWxvbmUgYXJlIHJlc3BvbnNpYmxlIGZvciBjb21wbGlhbmNlIHdpdGggdGhlIFVuaXRlZCBTdGF0ZXMgZXhwb3J0IGFkbWluaXN0cmF0aW9uIHJlZ3VsYXRpb25zIChhbmQgdGhlIGV4cG9ydCBjb250cm9sIGxhd3MgYW5kIHJlZ3VsYXRpb24gb2YgYW55IG90aGVyIGNvdW50cmllcykgd2hlbiBZb3UgdXNlLCBkaXN0cmlidXRlIG9yIG90aGVyd2lzZSBtYWtlIGF2YWlsYWJsZSBhbnkgQ292ZXJlZCBTb2Z0d2FyZS4KCjEwLiBSRVNQT05TSUJJTElUWSBGT1IgQ0xBSU1TLgoKQXMgYmV0d2VlbiBJbml0aWFsIERldmVsb3BlciBhbmQgdGhlIENvbnRyaWJ1dG9ycywgZWFjaCBwYXJ0eSBpcyByZXNwb25zaWJsZSBmb3IgY2xhaW1zIGFuZCBkYW1hZ2VzIGFyaXNpbmcsIGRpcmVjdGx5IG9yIGluZGlyZWN0bHksIG91dCBvZiBpdHMgdXRpbGl6YXRpb24gb2YgcmlnaHRzIHVuZGVyIHRoaXMgTGljZW5zZSBhbmQgWW91IGFncmVlIHRvIHdvcmsgd2l0aCBJbml0aWFsIERldmVsb3BlciBhbmQgQ29udHJpYnV0b3JzIHRvIGRpc3RyaWJ1dGUgc3VjaCByZXNwb25zaWJpbGl0eSBvbiBhbiBlcXVpdGFibGUgYmFzaXMuIE5vdGhpbmcgaGVyZWluIGlzIGludGVuZGVkIG9yIHNo
YWxsIGJlIGRlZW1lZCB0byBjb25zdGl0dXRlIGFueSBhZG1pc3Npb24gb2YgbGlhYmlsaXR5Lgo=</text>
    </license>
  </licenses>
  <purl>pkg:maven/javax.xml.stream/stax-api@1.0-2?type=jar</purl>
  <modified>false</modified>
</component>

After merge operation:

<component type="library">
  <group>javax.xml.stream</group>
  <name>stax-api</name>
  <version>1.0-2</version>
  <description>StAX is a standard XML processing API that allows you to stream XML data from and to your application.</description>
  <hashes>
    <hash alg="MD5">7d18b63063580284c3f5734081fdc99f</hash>
    <hash alg="SHA-1">d6337b0de8b25e53e81b922352fbea9f9f57ba0b</hash>
    <hash alg="SHA-256">e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7</hash>
    <hash alg="SHA-384">005b7398b0a42fe2f11d2a0e65f638c4479c843bedecf691b6c1795d9f95ec8b3ff629b4e8b5d62c79082e762c4b488c</hash>
    <hash alg="SHA-512">a7f337735100356f72639053734506982329015693677fafd4d2ca74c4e412caae077999cb42dee2402cc641a80c8fb027deb9d2dc6c4e141d94c9184baa9dc5</hash>
    <hash alg="SHA3-256">92a2eb0720aee125f29b1340a5571222bb6d2a50b441f839ec543a609845c68b</hash>
    <hash alg="SHA3-384">642519112968caa20b366e9f6e0cd7c3092d7da9dfe5cb47111e4dab7f025b6abf44c14805aa7d45df995a15b1c7525a</hash>
    <hash alg="SHA3-512">5be6d4726be02b83fd12db1e5c5ff871a33b097dd4b9a8d40a4466dcc194860cf76b1cbc399e4d3fe8b1e63e9b3c5f9d294fa9d85db5766b7933c346d65585b6</hash>
  </hashes>
  <licenses>
    <license>
      <name>GNU General Public Library</name>
      <url>http://www.gnu.org/licenses/gpl.txt</url>
    </license>
  </licenses>
  <purl>pkg:maven/javax.xml.stream/stax-api@1.0-2?type=jar</purl>
  <modified>false</modified>
</component>

Another example would be pkg:maven/org.eclipse.jetty/jetty-jmx@9.4.44.v20210927?type=jar. It has 2 licenses: Apache 2 and EPL 1. After the merge it just has Apache 2.
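A check that a merge pipeline could run to catch the loss reported in this issue, as an added example that is not part of the original post or of the cyclonedx-cli code base: it compares each component's license set across the input BOMs with the merged BOM. The function names, the 1.4 namespace and the `example-lib` component are assumptions; the sample BOMs are constructed from the component shown above, with the `<text>` element omitted.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    # Drop the "{namespace}" prefix so any CycloneDX schema version matches.
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def component_key(comp):
    # Prefer the purl; fall back to group/name@version when it is absent.
    return _child_text(comp, "purl") or "{}/{}@{}".format(
        _child_text(comp, "group") or "",
        _child_text(comp, "name") or "",
        _child_text(comp, "version") or "")


def license_keys(comp):
    """Licenses on one component as (kind, value), kind in id/name/expression."""
    keys = set()
    for licenses in (c for c in comp if _local(c.tag) == "licenses"):
        for entry in licenses:
            if _local(entry.tag) == "expression" and entry.text:
                keys.add(("expression", entry.text.strip()))
            elif _local(entry.tag) == "license":
                # A <license> is identified by an SPDX <id> or a free-form <name>.
                for field in ("id", "name"):
                    value = _child_text(entry, field)
                    if value:
                        keys.add((field, value))
                        break
    return keys


def licenses_by_component(bom_xml):
    """Map every component in the BOM, nested ones included, to its licenses."""
    result = {}
    for elem in ET.fromstring(bom_xml).iter():
        if _local(elem.tag) == "component":
            result.setdefault(component_key(elem), set()).update(license_keys(elem))
    return result


def dropped_licenses(input_boms, merged_bom):
    """Per component: licenses found in any input BOM but not in the merged BOM."""
    expected = {}
    for bom in input_boms:
        for key, found in licenses_by_component(bom).items():
            expected.setdefault(key, set()).update(found)
    merged = licenses_by_component(merged_bom)
    # A component missing from the merged BOM reports all of its licenses.
    return {key: found - merged.get(key, set())
            for key, found in expected.items()
            if found - merged.get(key, set())}


# Constructed sample BOMs (the <text> element of the CDDL license is omitted).
STAX = ('<component type="library"><group>javax.xml.stream</group>'
        '<name>stax-api</name><version>1.0-2</version>'
        '<licenses>{}</licenses>'
        '<purl>pkg:maven/javax.xml.stream/stax-api@1.0-2?type=jar</purl></component>')
GPL = ('<license><name>GNU General Public Library</name>'
       '<url>http://www.gnu.org/licenses/gpl.txt</url></license>')
CDDL = '<license><id>CDDL-1.0</id></license>'
OTHER = ('<component type="library"><name>example-lib</name><version>1.0.0</version>'
         '<licenses><license><id>MIT</id></license></licenses></component>')


def make_bom(*components):
    return ('<bom xmlns="http://cyclonedx.org/schema/bom/1.4"><components>'
            + "".join(components) + '</components></bom>')


BOM_A = make_bom(STAX.format(GPL + CDDL))
BOM_B = make_bom(OTHER)
MERGED = make_bom(STAX.format(GPL), OTHER)  # the CDDL-1.0 entry is gone

if __name__ == "__main__":
    for key, missing in dropped_licenses([BOM_A, BOM_B], MERGED).items():
        print(key, "lost", sorted(missing))
```

A non-empty result from `dropped_licenses` can fail the build step, so a merged BOM with missing license data never reaches compliance or policy tooling.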

khuey commented 1 year ago

The root cause of this is mentioned in CycloneDX/cyclonedx-dotnet-library#187