When using the merge_syft_sbom.py script with a cachi2 SBOM + a Syft SBOM that contain roughly the same RPMs, no de-duplication occurs. Would it be possible - and a good idea - to de-duplicate?
Or maybe the deduplication should also take the vendor into account, so that if two RPMs have the same NEVRA but a different vendor, they would both be kept.
pkg:rpm/{vendor}/...
^ideally, pkg:rpm/fedora%20project from cachi2 should be considered equal to pkg:rpm/fedora from Syft, and same for every vendor which Syft "normalizes" and cachi2 does not. That would require investigating how Syft does the normalization.
When using the merge_syft_sbom.py script with a cachi2 SBOM + a Syft SBOM that contain roughly the same RPMs, no de-duplication occurs. Would it be possible - and a good idea - to de-duplicate?
Example merged SBOMs:
Perhaps the RPMs reported by Syft could be discarded if their NEVRA was also identified by cachi2.
Or maybe the deduplication should also take the vendor into account, so that if two RPMs have the same NEVRA but a different vendor, they would both be kept.
^ideally,
pkg:rpm/fedora%20projectfrom cachi2 should be considered equal topkg:rpm/fedorafrom Syft, and same for every vendor which Syft "normalizes" and cachi2 does not. That would require investigating how Syft does the normalization.