Commit 104f5fc9 authored by Pierre Smeyers's avatar Pierre Smeyers

Merge branch 'fix/duplicated-bom-ref' into 'main'

fix: support duplicated component with different bom-ref

Closes #3

See merge request to-be-continuous/tools/dt-sbom-scanner!19
parents 28813450 9b6df3ed
+6 −2
@@ -4,6 +4,7 @@ from typing import Optional
from urllib.parse import quote_plus, unquote_plus
from warnings import catch_warnings

from cyclonedx.model import Property
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from cyclonedx.output import OutputFormat, make_outputter
@@ -70,10 +71,10 @@ def trim_purls(sbom: Bom, limit: int = 0) -> None:
        for key in purl.qualifiers:
            purl.qualifiers[key] = quote_plus(unquote_plus(purl.qualifiers[key]))

        if len(str(purl)) < limit:
        purl_trunc = str(purl)
        if len(purl_trunc) < limit:
            continue

        purl_trunc = purl_orig
        while purl.qualifiers and len(purl_trunc) >= limit:
            longest_key = max(purl.qualifiers, key=lambda key: len(purl.qualifiers[key]))
            purl.qualifiers.pop(longest_key)
@@ -144,6 +145,9 @@ def merge_boms(

        def add_component(component: Component, parent: Optional[Component]):
            if all(c.bom_ref != component.bom_ref for c in merged.components):
                if component in merged.components:
                    # allow duplicated component by adding an unique metadata
                    component.properties.add(Property(name="dt:merge-deduplicate", value=component.bom_ref.value))
                merged.components.add(component)
            if parent and component.bom_ref not in depended:
                merged.register_dependency(parent, [component])
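Review bot: The deduplication marker added on line 45 takes its value from `component.bom_ref.value`, and nothing in the hunk guarantees that value is set; a component without a bom-ref would get a `None`-valued property, two such duplicates would still compare equal, and the second would be silently collapsed by `merged.components.add(component)` on line 46 — the very case the commit sets out to fix. How the `all(...)` guard on line 42 treats unset refs depends on how `BomRef` defines equality in the library version in use, which is worth confirming. If an earlier step outside the hunk guarantees every component carries a bom-ref, state that next to the check, e.g. `# assumes every incoming component has a bom-ref value; the marker relies on it being unique`, otherwise guard with `if component.bom_ref.value is None: raise ValueError("cannot deduplicate a component without a bom-ref")`. Note also that `component.properties.add(...)` mutates the component owned by the input SBOM rather than a copy, and the comment on line 44 should read "a unique". `merge_boms` and the nested `add_component` both continue outside the hunk.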