Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

`build-public` messes up compositions #154

Closed mmarseu closed 2 months ago

mmarseu commented 5 months ago

The build-public command does something surprising to the .compositions array. I haven't checked in the code what exactly it does but it definitely deletes some entries that shouldn't be deleted.

For example, use build-public with a dummy schema that doesn't match anything (see #153) on https://github.com/Festo-se/cyclonedx-editor-validator/blob/8bdf8fd2195b68c18a9f76d74146a8f8d14550a3/tests/auxiliary/test_set_sboms/test.cdx.json#L175-L189

The command shouldn't delete anything and therefore the SBOM should simply remain untouched. However, the result is

```json
"compositions": [
    {
        "aggregate": "incomplete",
        "assemblies": [
            "com.company.unit/depA@4.0.2",
            "some-vendor/depB@1.2.3",
            "depC@3.2.1"
        ]
    }
],
```
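The invariant the report relies on, written out as an added Python example (not code from cyclonedx-editor-validator, whose actual handling of `compositions` the reporter says they have not checked): when a public build removes no components, the `compositions` array must come back byte-for-byte identical, and when it does remove components, only the `bom-ref` strings that point at removed components should disappear from `assemblies`/`dependencies` lists. The sample SBOM below is constructed for this example and is not the test file linked above; `prune_compositions` and `compositions_diff` are hypothetical helpers, the second being the quick regression check one would run on a before/after pair to catch deletions like the one reported.

```python
import copy
import json

# Constructed sample SBOM fragment for this example (not the project's test file):
# three components and two compositions that reference them.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "com.company.unit", "name": "depA",
         "version": "4.0.2", "bom-ref": "com.company.unit/depA@4.0.2"},
        {"type": "library", "group": "some-vendor", "name": "depB",
         "version": "1.2.3", "bom-ref": "some-vendor/depB@1.2.3"},
        {"type": "library", "name": "depC",
         "version": "3.2.1", "bom-ref": "depC@3.2.1"},
    ],
    "compositions": [
        {"aggregate": "complete",
         "assemblies": ["com.company.unit/depA@4.0.2", "some-vendor/depB@1.2.3"]},
        {"aggregate": "incomplete",
         "assemblies": ["depC@3.2.1"],
         "dependencies": ["com.company.unit/depA@4.0.2"]},
    ],
}

# The two list-of-bom-ref fields a composition entry may carry.
REF_LISTS = ("assemblies", "dependencies")


def prune_compositions(sbom, removed_refs):
    """Hypothetical pruning rule: return a deep copy of `sbom` in which every
    composition has lost only the refs listed in `removed_refs`.  An entry whose
    ref lists are all empty afterwards is dropped; everything else, including
    the `aggregate` value, is left untouched.  With no removed refs the result
    must equal the input exactly."""
    out = copy.deepcopy(sbom)
    removed = set(removed_refs)
    kept = []
    for comp in out.get("compositions", []):
        for key in REF_LISTS:
            if key in comp:
                comp[key] = [ref for ref in comp[key] if ref not in removed]
        if any(comp.get(key) for key in REF_LISTS):
            kept.append(comp)
    if "compositions" in out:
        out["compositions"] = kept
    return out


def composition_refs(sbom):
    """All bom-refs mentioned anywhere in the compositions array."""
    return {ref
            for comp in sbom.get("compositions", [])
            for key in REF_LISTS
            for ref in comp.get(key, [])}


def compositions_diff(before, after):
    """Refs present in `before` compositions but missing from `after`.
    Run on the input and output of a build step; anything here that is not a
    deliberately removed component is a bug of the kind reported in this issue."""
    return composition_refs(before) - composition_refs(after)


if __name__ == "__main__":
    untouched = prune_compositions(SAMPLE_SBOM, [])
    print("no-op build keeps compositions:", untouched == SAMPLE_SBOM)
    stripped = prune_compositions(SAMPLE_SBOM, ["depC@3.2.1"])
    print("refs dropped:", sorted(compositions_diff(SAMPLE_SBOM, stripped)))
    print(json.dumps(stripped["compositions"], indent=4))
```

Feeding the real before/after SBOMs into `compositions_diff` (after `json.load`) gives the set of refs the build step dropped; for the dummy-schema run described in the issue that set should be empty, and the `aggregate` values should be unchanged as well.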