During testing the `hierarchical` flag, I observed the following bug: If I have an SBOM with `components` within a `component` of `components`, i.e.
{ "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "metadata": { "tools": [ { "vendor": "@cyclonedx", "name": "cyclonedx-library", "version": "1.13.3", "externalReferences": [ { "url": "https://github.com/CycloneDX/cyclonedx-javascript-library/issues", "type": "issue-tracker", "comment": "as detected from PackageJson property \"bugs.url\"" }, { "url": "git+https://github.com/CycloneDX/cyclonedx-javascript-library.git", "type": "vcs", "comment": "as detected from PackageJson property \"repository.url\"" }, { "url": "https://github.com/CycloneDX/cyclonedx-javascript-library#readme", "type": "website", "comment": "as detected from PackageJson property \"homepage\"" } ] }, { "vendor": "@cyclonedx", "name": "cyclonedx-npm", "version": "1.9.2", "externalReferences": [ { "url": "https://github.com/CycloneDX/cyclonedx-node-npm/issues", "type": "issue-tracker", "comment": "as detected from PackageJson property \"bugs.url\"" }, { "url": "git+https://github.com/CycloneDX/cyclonedx-node-npm.git", "type": "vcs", "comment": "as detected from PackageJson property \"repository.url\"" }, { "url": "https://github.com/CycloneDX/cyclonedx-node-npm#readme", "type": "website", "comment": "as detected from PackageJson property \"homepage\"" } ] } ], "component": { "type": "application", "name": "juice-shop", "version": "14.1.1", "bom-ref": "[email protected]", "author": "Björn Kimminich", "description": "Probably the most modern and sophisticated insecure web application", "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/[email protected]?vcs_url=git%2Bhttps%3A//github.com/juice-shop/juice-shop.git", "externalReferences": [ { "url": "https://github.com/juice-shop/juice-shop/issues", "type": "issue-tracker", "comment": "as detected from PackageJson property \"bugs.url\"" }, { "url": "git+https://github.com/juice-shop/juice-shop.git", "type": "vcs", "comment": "as detected from PackageJson property \"repository.url\"" }, { "url": "https://owasp-juice.shop", "type": "website", "comment": "as detected from PackageJson property \"homepage\"" } ], "properties": [ { "name": "cdx:npm:package:path", "value": "" }, { "name": "cdx:npm:package:private", "value": "true" } ] } }, "components": [ { "type": "library", "name": "node-pre-gyp", "group": "@mapbox", "version": "1.0.10", "bom-ref": "@mapbox/[email protected]", "author": "Dane Springmeyer", "description": "Node.js native addon binary install tool", "hashes": [ { "alg": "SHA-512", "content": "e324a8e028f34adba9accc24df91f9a4f6e4ca68efd521778c62e3eab007a7fc53fd117b4cbedb77d0939b5c43638f4adaa17b8e647f83b93e4a42c44cfea8a4" } ], "licenses": [ { "license": { "id": "BSD-3-Clause" } } ], "purl": "pkg:npm/%40mapbox/[email protected]", "externalReferences": [ { "url": "https://registry.npmjs.org/@mapbox/node-pre-gyp/-/node-pre-gyp-1.0.10.tgz", "type": "distribution", "comment": "as detected from npm-ls property \"resolved\"" }, { "url": "https://github.com/mapbox/node-pre-gyp/issues", "type": "issue-tracker", "comment": "as detected from PackageJson property \"bugs.url\"" }, { "url": "git://github.com/mapbox/node-pre-gyp.git", "type": "vcs", "comment": "as detected from PackageJson property \"repository.url\"" }, { "url": "https://github.com/mapbox/node-pre-gyp#readme", "type": "website", "comment": "as detected from PackageJson property \"homepage\"" } ], "properties": [ { "name": "cdx:npm:package:path", "value": "node_modules/@mapbox/node-pre-gyp" } ], "components": [ { "type": "library", "name": "ansi-regex", "version": "5.0.1", "bom-ref": "@mapbox/[email protected]|[email protected]", "author": "Sindre Sorhus", "description": "Regular expression for matching ANSI escape codes", "hashes": [ { "alg": "SHA-512", "content": "aae2505e54d25062f62c7f52517a3c570b18e2ca1a9e1828e8b3529bce04d4b05c13cb373b4c29762473c91f73fd9649325316bf7eea38e6fda5d26531410a15" } ], "licenses": [ { "license": { "id": "MIT" } } ], "purl": "pkg:npm/[email protected]", "externalReferences": [ { "url": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz", "type": "distribution", "comment": "as detected from npm-ls property \"resolved\"" }, { "url": "https://github.com/chalk/ansi-regex/issues", "type": "issue-tracker", "comment": "as detected from PackageJson property \"bugs.url\"" }, { "url": "git+https://github.com/chalk/ansi-regex.git", "type": "vcs", "comment": "as detected from PackageJson property \"repository.url\"" }, { "url": "https://github.com/chalk/ansi-regex#readme", "type": "website", "comment": "as detected from PackageJson property \"homepage\"" } ], "properties": [ { "name": "cdx:npm:package:path", "value": "node_modules/@mapbox/node-pre-gyp/node_modules/ansi-regex" } ] } ] } ] }
Then a simple merge leads to:
meaning the square brackets from the array are also copied.
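The shape the report describes (a component that itself carries a `components` array, nested under the root component) matters to SBOM consumers because a vulnerability scanner that only reads the top-level array, or a merge that turns the nested array into an array of arrays, silently drops the transitive dependency. The following is an added example, not code from the issue or from the CycloneDX CLI: it walks a hierarchical CycloneDX BOM recursively, performs a simplified hierarchical merge in which each input BOM's `metadata.component` becomes one component of a new root with that input's top-level `components` attached as a list of objects, and checks that no `components` value in the result is a list of lists. The two input BOMs (`BOM_A`, `BOM_B`), their names and bom-refs are constructed for the example; the merge semantics are this example's own reading of a hierarchical merge, not the CLI's implementation.

```python
import copy
import json

# Constructed sample BOMs (not the issue's juice-shop SBOM): each has a root
# application in metadata.component; BOM_A's library lib-x nests lib-y, which
# is the "components within a component of components" shape from the report.
BOM_A = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "app-a",
                               "version": "1.0.0", "bom-ref": "app-a@1.0.0"}},
    "components": [
        {"type": "library", "name": "lib-x", "version": "2.0.0",
         "bom-ref": "lib-x@2.0.0",
         "components": [
             {"type": "library", "name": "lib-y", "version": "5.0.1",
              "bom-ref": "lib-x@2.0.0|lib-y@5.0.1"}]},
    ],
}
BOM_B = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {"type": "application", "name": "app-b",
                               "version": "3.1.0", "bom-ref": "app-b@3.1.0"}},
    "components": [
        {"type": "library", "name": "lib-z", "version": "0.9.0",
         "bom-ref": "lib-z@0.9.0"},
    ],
}


def walk_components(components, parent_ref=None):
    """Yield (parent bom-ref, component) for every component at any depth."""
    for comp in components or []:
        if not isinstance(comp, dict):
            # A list (or anything else) where a component object should be is
            # exactly the array-inside-array corruption the issue describes.
            raise TypeError(
                f"component entry is {type(comp).__name__}, expected object")
        yield parent_ref, comp
        yield from walk_components(comp.get("components"), comp.get("bom-ref"))


def merge_hierarchical(boms, root_name="merged", root_version="1"):
    """Simplified hierarchical merge (assumption, not the CLI's algorithm):
    each input's metadata.component becomes one component of a new root, and
    the input's top-level 'components' list is attached to it as its nested
    'components'. The list is deep-copied as a list of objects, so no extra
    array nesting is introduced."""
    root = {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "metadata": {"component": {"type": "application", "name": root_name,
                                   "version": root_version,
                                   "bom-ref": f"{root_name}@{root_version}"}},
        "components": [],
    }
    for bom in boms:
        sub = copy.deepcopy(bom["metadata"]["component"])
        sub["components"] = copy.deepcopy(bom.get("components", []))
        root["components"].append(sub)
    return root


def all_bom_refs(bom):
    """Flat, sorted list of every bom-ref reachable under the BOM's components,
    i.e. what a scanner must see to cover transitive dependencies."""
    return sorted(c["bom-ref"] for _, c in walk_components(bom.get("components")))


def is_well_nested(bom):
    """True if every 'components' value in the tree is a list of objects."""
    try:
        for _ in walk_components(bom.get("components")):
            pass
    except TypeError:
        return False
    return True


if __name__ == "__main__":
    merged = merge_hierarchical([BOM_A, BOM_B])
    print(json.dumps(merged, indent=2))
    print("nested refs:", all_bom_refs(merged))
    print("well nested:", is_well_nested(merged))
```

`is_well_nested` is the check to run over any merged output before handing it to a scanner: a BOM that fails it has lost its nested components to exactly the kind of array copying the report describes, and the scanner will not see them.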
should be addressed in #338