Open jelhan opened 7 months ago
Hi @jelhan, The component name is created in the format `group.name` when a CDX is imported, so it is not really ignored. The VCS field of a component is also populated when a CDX is imported, making it possible to uniquely identify imported components. Example: Here `auth0` is the group and `auth0.js`, `winchan` are all names.
@afsahsyeda Are you importing a CycloneDX SBOM? Which version of SW360 are you using? For me it is not imported as `group.name` but only as `name`. So it would be `auth0.js`, `idtoken-verifier`, `winchan`, and `base64-js`.
An even worse example is `@sentry/browser` and `@fullstory/browser`. Both are imported as `browser`.
Also, in the CycloneDX SBOM import code of SW360, only `name` but not `group` from the SBOM seems to be used for setting the component's name in SW360: https://github.com/eclipse-sw360/sw360/blob/87f0c32a0b380a3e8bf5ff658adc702192a9712a/backend/src-common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java#L792
What you describe would be an acceptable situation. I just wonder how to get there. :smile:
I am on the commit dc1c49b and version 18.0.0.
Are you able to share a CycloneDX SBOM which you are importing with that result?
This should work with every CDX SBOM as long as you are on a commit >= dc1c49b. This feature was introduced quite recently. You can find the commit id at the bottom on the footer of the SW360 instance you are using like this:
Our instance reports to be at `fd29ef6`. But neither that commit nor the commit mentioned by you seems to exist in this repository:
I will try pulling in our team, which operates the SW360 instance.
@afsahsyeda can you please share the PR number, since the commit id mentioned ("dc1c49b") is not present in the repository?
Hi @farooqfatehaftab , the most recent commit of the repository's main branch would work.
Hi @afsahsyeda We are not able to find the commit >= dc1c49b PR.
Hi @rajaraajeshwari, just deploy the latest version of this repository's main branch. I should not have mentioned that commit; it's an internal repository's commit. Sorry for the confusion!
I have imported this CycloneDX SBOM generated by cdxgen for spec version 1.4 in SW360:
bom.json
It created a project with the following components in SW360:
As you can see there are multiple components named `browser`. One is for the package `@sentry/browser`. The other one for `@fullstory/browser`. The group (NPM scope) is not visible in the component's name in SW360.
Also on the details page for the component, the group can only be derived from the `package-url` imported under External Ids. This is the detail page for the `@fullstory/browser` package:
Even worse, the two independent packages `@fullstory/browser` and `@sentry/browser` are treated as the same component, just with different versions:
Hi @jelhan, You can check with @ag4ums or @smrutis1 regarding this. The latest main branch with Package portlet enabled should give you the desired results.
@afsahsyeda I need one more piece of info: if the SBOM file contains multiple vcs fields per component, will the import work?
@farooqfatehaftab A binary package can point to one source or vcs only. It cannot have multiple vcs. The import will fail if multiple vcs are present for a single component.
The `group` property of a component in CycloneDX BOM is ignored when importing. Only the `name` property is taken into consideration. This causes issues for package managers, which require a group to uniquely identify a package.
Description
Many package managers support grouping packages. The group is required to uniquely identify a package.
One example is Maven (Java):
Another example is scopes in NPM packages (JavaScript):
In the CycloneDX specification each component has an optional `group` property. This is how the two examples above are represented in a CycloneDX BOM generated by cdxgen:
I removed some properties not relevant for the bug.
When importing those to SW360, components with the names `commons-lang3` and `browser` are created in SW360. The group, which is very relevant to identify the package, is not imported at all.
Please see also here for the relevant code: https://github.com/eclipse-sw360/sw360/blob/325ac541fe04816775f66cb521d1d2d5db77cf1e/backend/src-common/src/main/java/org/eclipse/sw360/cyclonedx/CycloneDxBOMImporter.java#L790-L808
How to reproduce
Expected: `org.apache.commons/commons-lang3` and `@sentry/browser`
Actual: `commons-lang3` and `browser`
Versions
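As an added illustration (not SW360's importer code and not the reporter's bom.json), the collision described in this issue reproduced in Python: a constructed CycloneDX 1.4 fragment is "imported" once with the name-only rule the issue reports and once with a group-qualified rule, falling back to the purl namespace for components that lack `group`. Package versions in the fragment are constructed sample values.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.4 fragment (not the reporter's bom.json): two NPM scoped
# packages that share the bare name "browser", plus one Maven artifact.
CDX_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "@sentry", "name": "browser", "version": "7.0.0",
     "purl": "pkg:npm/%40sentry/browser@7.0.0"},
    {"type": "library", "group": "@fullstory", "name": "browser", "version": "1.7.0",
     "purl": "pkg:npm/%40fullstory/browser@1.7.0"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
     "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0"}
  ]
}
""")

def group_from_purl(purl):
    """Fallback when `group` is missing: take the namespace from the purl
    (pkg:type/namespace/name@version?qualifiers#subpath)."""
    body = purl.split(":", 1)[1]            # drop the "pkg:" scheme
    for sep in ("#", "?", "@"):             # drop subpath, qualifiers, version
        body = body.split(sep, 1)[0]
    parts = body.split("/")                 # [type, namespace..., name]
    if len(parts) < 3:
        return None                         # purl has no namespace segment
    return unquote("/".join(parts[1:-1]))   # "%40sentry" -> "@sentry"

def name_only(comp):
    """The behaviour reported in the issue: only `name` becomes the component name."""
    return comp["name"]

def group_and_name(comp):
    """Group-qualified name as in the issue's "Expected" output, e.g. @sentry/browser."""
    group = comp.get("group") or (group_from_purl(comp["purl"]) if "purl" in comp else None)
    return f"{group}/{comp['name']}" if group else comp["name"]

def import_components(bom, naming):
    """Simulate the import: map each derived component name to the versions filed under it.
    One name collecting versions of different packages is the collision the issue shows."""
    catalogue = {}
    for comp in bom["components"]:
        catalogue.setdefault(naming(comp), []).append(comp["version"])
    return catalogue

if __name__ == "__main__":
    print("name only     :", import_components(CDX_BOM, name_only))
    print("group and name:", import_components(CDX_BOM, group_and_name))
```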