eclipse-sw360 / sw360

SW360 project
https://www.eclipse.org/sw360/

Component's group in CycloneDX BOM is ignored when importing to SW360 causing non-unique names #2298

Open jelhan opened 7 months ago

jelhan commented 7 months ago

The group property of a component in CycloneDX BOM is ignored when importing. Only the name property is taken into consideration. This causes issues for package managers which require a group to uniquely identify a package.

Description

Many package managers support grouping packages. The group is required to uniquely identify a package.

One example is Maven (Java):

<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-lang3 -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <version>3.14.0</version>
</dependency>

Another example is scopes in NPM packages (JavaScript):

@sentry/browser

In CycloneDX specification each component has an optional group property. This is how the two examples above are represented in CycloneDX BOM generated by cdxgen:

{
  "group": "org.apache.commons",
  "name": "commons-lang3",
  "version": "3.13.0",
  "purl": "pkg:maven/org.apache.commons/commons-lang3@3.13.0?type=jar",
  "type": "framework",
  "bom-ref": "pkg:maven/org.apache.commons/commons-lang3@3.13.0?type=jar"
}
{
  "group": "@sentry",
  "name": "browser",
  "version": "7.89.0",
  "purl": "pkg:npm/%40sentry/browser@7.89.0",
  "type": "library",
  "bom-ref": "pkg:npm/@sentry/browser@7.89.0"
}

I removed some properties not relevant for the bug.

When importing those to SW360, components with the names commons-lang3 and browser are created in SW360. The group, which is very relevant to identify the package, is not imported at all.

Please see also here for the relevant code: https://github.com/eclipse-sw360/sw360/blob/325ac541fe04816775f66cb521d1d2d5db77cf1e/backend/src-common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java#L790-L808

How to reproduce

  1. Generate a CycloneDX BOM using cdxgen for a Maven or NPM project using a scoped package.
  2. Import CycloneDX BOM into SW360

Expected:

Actual:

Versions
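A pre-import check for the collision described in this issue, added here as an example for the thread; it is not code from SW360 or cdxgen. The BOM is constructed from the component excerpts quoted above (the @fullstory/browser version and the ungrouped lodash entry are made up for the example). It shows why keying components on name alone merges @sentry/browser and @fullstory/browser, what the "group.name" style of naming looks like, and how group and name can be recovered from the purl when that is the only place the group survives:

```python
"""Pre-import check for CycloneDX JSON BOMs.

Finds components whose bare `name` collides once `group` is dropped (the
behaviour reported in the issue) and shows two ways to keep them apart:
keying on (group, name) and deriving the pair from the package-url.
Added example for this issue thread, not SW360 or cdxgen code.
"""
import json
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample BOM built from the component excerpts in the issue.
# The @fullstory/browser version and the lodash entry are assumptions.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.commons", "name": "commons-lang3", "version": "3.13.0",
         "purl": "pkg:maven/org.apache.commons/commons-lang3@3.13.0?type=jar",
         "type": "framework"},
        {"group": "@sentry", "name": "browser", "version": "7.89.0",
         "purl": "pkg:npm/%40sentry/browser@7.89.0", "type": "library"},
        {"group": "@fullstory", "name": "browser", "version": "1.7.1",
         "purl": "pkg:npm/%40fullstory/browser@1.7.1", "type": "library"},
        {"name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "type": "library"},
    ],
})


def component_key(component, use_group=True):
    """Identity used to deduplicate components.

    use_group=False reproduces the reported behaviour (name only);
    use_group=True keys on (group, name), which is what `group` is for.
    """
    if not use_group:
        return (None, component["name"])
    return (component.get("group"), component["name"])


def sw360_component_name(component):
    """'group.name' style name (the format described later in the thread
    for newer builds); falls back to the bare name when there is no group."""
    group = component.get("group")
    return f"{group}.{component['name']}" if group else component["name"]


def purl_group_and_name(purl):
    """Derive (namespace, name) from a package-url.

    Grammar: pkg:type/namespace/name@version?qualifiers#subpath, where the
    namespace is optional and '@' inside it is percent-encoded (%40), so
    splitting on the last '@' safely removes the version.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package-url: {purl!r}")
    body = purl[len("pkg:"):]
    body = body.split("#", 1)[0].split("?", 1)[0]  # drop subpath, qualifiers
    body = body.rsplit("@", 1)[0]                   # drop version, if any
    _type, *rest = body.split("/")
    if len(rest) < 1:
        raise ValueError(f"package-url has no name: {purl!r}")
    if len(rest) == 1:
        return (None, unquote(rest[0]))
    return (unquote("/".join(rest[:-1])), unquote(rest[-1]))


def find_collisions(bom_json):
    """Return {bare_name: [purl, ...]} for every name shared by components
    from different groups, i.e. the entries a name-only import would merge."""
    components = json.loads(bom_json).get("components", [])
    by_name = defaultdict(list)
    for component in components:
        by_name[component["name"]].append(component)
    collisions = {}
    for name, members in by_name.items():
        if len({m.get("group") for m in members}) > 1:
            collisions[name] = [m.get("purl") or sw360_component_name(m) for m in members]
    return collisions


def unique_identities(bom_json, use_group=True):
    """Set of distinct component identities under the chosen keying."""
    components = json.loads(bom_json).get("components", [])
    return {component_key(c, use_group) for c in components}


if __name__ == "__main__":
    for name, purls in find_collisions(SAMPLE_BOM).items():
        print(f"name-only import would merge '{name}':")
        for purl in purls:
            group, bare = purl_group_and_name(purl)
            print(f"  {purl} -> group={group!r} name={bare!r}")
    print("identities, name only:", len(unique_identities(SAMPLE_BOM, use_group=False)))
    print("identities, group+name:", len(unique_identities(SAMPLE_BOM, use_group=True)))
```

Running the check before an import reports "browser" as a name shared by two groups; the same BOM yields three identities when keyed on name alone and four when keyed on (group, name). The purl parser is the fallback for the case described later in the thread, where the group is only visible in the package-url stored under External Ids.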

afsahsyeda commented 7 months ago

Hi @jelhan, the component name is created in the format "group.name" when a CDX is imported, so it is not really ignored. The VCS field of a component is also populated when a CDX is imported, making it possible to uniquely identify imported components. Example: here auth0 is the group and auth0.js, winchan are all names. [screenshot]

jelhan commented 7 months ago

@afsahsyeda Are you importing a CycloneDX SBOM? Which version of SW360 are you using? For me it is not imported as group.name but only as name. So it would be auth0.js, idtoken-verifier, winchan, and base64-js.

An even worse example is @sentry/browser and @fullstory/browser. Both are imported as browser.

Also in CycloneDX SBOM import code of SW360 only name but not group from SBOM seems to be used for setting the component's name in SW360: https://github.com/eclipse-sw360/sw360/blob/87f0c32a0b380a3e8bf5ff658adc702192a9712a/backend/src-common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java#L792

What you describe would be an acceptable situation. I just wonder how to get there. :smile:

afsahsyeda commented 7 months ago

I am on the commit dc1c49b and version 18.0.0.

jelhan commented 7 months ago

I am on the commit dc1c49b and version 18.0.0.

Are you able to share a CycloneDX SBOM which you are importing with that result?

afsahsyeda commented 7 months ago

This should work with every CDX SBOM as long as you are on a commit >= dc1c49b. This feature was introduced quite recently. You can find the commit ID at the bottom in the footer of the SW360 instance you are using, like this: [screenshot]

jelhan commented 7 months ago

Our instance reports to be at fd29ef6. But neither that commit nor the commit mentioned by you seems to exist in this repository:

I will try pulling in our team, which operates the SW360 instance.

farooqfatehaftab commented 7 months ago

This should work with every CDX SBOM as long as you are on a commit >= dc1c49b. This feature was introduced quite recently. You can find the commit ID at the bottom in the footer of the SW360 instance you are using, like this: [screenshot]

@afsahsyeda can you please share the PR number, since the commit ID mentioned ("dc1c49b") is not present in the repository?

afsahsyeda commented 7 months ago

Hi @farooqfatehaftab , the most recent commit of the repository's main branch would work.

rajaraajeshwari commented 7 months ago

Hi @afsahsyeda We are not able to find the commit >= dc1c49b PR.

afsahsyeda commented 7 months ago

Hi @afsahsyeda We are not able to find the commit >= dc1c49b PR.

Hi @rajaraajeshwari, just deploy the latest version of this repository's main branch. I should not have mentioned that commit; it's an internal repository's commit. Sorry for the confusion!

jelhan commented 7 months ago

I have imported this CycloneDX SBOM generated by cdxgen for spec version 1.4 in SW360: bom.json

It created a project with the following components in SW360: [screenshot]

As you can see there are multiple components named browser. One is for the package @sentry/browser. The other one for @fullstory/browser. The group (NPM scope) is not visible in the component's name in SW360.

Also on the details page for the component, the group can be only derived from the package-url imported under External Ids. This is the detail page for @fullstory/browser package:

[screenshot]

Even worse the two independent packages @fullstory/browser and @sentry/browser are treated as the same component just with different version:

[screenshot]

afsahsyeda commented 7 months ago

Hi @jelhan, You can check with @ag4ums or @smrutis1 regarding this. The latest main branch with Package portlet enabled should give you the desired results.

farooqfatehaftab commented 6 months ago

@afsahsyeda need one more piece of info: if the SBOM file contains multiple vcs fields per component, will the import work? [screenshot]

afsahsyeda commented 6 months ago

@farooqfatehaftab A binary package can point to one source or vcs only. It cannot have multiple vcs. The import will fail if multiple vcs are present for a single component.