SBOM: merge strategies that deduplicate by name+version are suboptimal

[chmeliik]

Description

The default merge strategies deduplicate SBOM components by name and version. This can result in losing components that are not duplicates.

For example:

• A package with the same name and version can exist in many package ecosystems. For example, just about every popular language has a requests library.
• CycloneDX components have a group attribute, which should be considered part of the package identity for some package ecosystems. E.g. JavaScript, where @types/react is a very different package than react.

For the purpose of de-duplicating components, a more appropriate identifier is typically the purl, which should uniquely identify a package.

Note that merging SBOMs by simply de-duplicating components is never optimal, as it often results in losing data from one or both SBOMs (e.g. the dependencies data). But that's a much harder problem to solve.

[github-actions[bot]]

A friendly reminder that this issue had no activity for 30 days.