Originally posted by emcfins August 9, 2024
When scanning a complex project (iot-device-simulator for example), the SBOM doesn't include all instances of a dependency installed.
In the linked repo, fast-xml-parser exists in source/console, source/simulator, source/custom-resource, and source/microservices. However, when cdxgen scans it, that fast-xml-parser is only reported to be in source/console and source/simulator.
When doing some digging, it seems like this line will only return a component if the version doesn't already exist in the component map.
if (compMap[component.purl]) return;
If cdxgen is used to find all instances of a package installed for things such as vulnerability reporting, it will report only 2 instances of the dependency to be patched, instead of 4.
Discussed in #1304
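The drop-on-duplicate behaviour the issue describes, beside a variant that keeps every install location, as an added JavaScript example that is not cdxgen's code: the compMap name is taken from the issue, the package version and lock-file paths are constructed, and recording locations under evidence.occurrences (the CycloneDX 1.5 evidence field) is an assumption about where such data belongs.

```javascript
// Added example, not cdxgen's own code. Simplified component map showing why
// an early return on an existing purl loses install locations.

// Constructed sample: one purl found in four sub-projects (version is made up).
const FOUND = [
  { purl: "pkg:npm/fast-xml-parser@4.2.5", path: "source/console/package-lock.json" },
  { purl: "pkg:npm/fast-xml-parser@4.2.5", path: "source/simulator/package-lock.json" },
  { purl: "pkg:npm/fast-xml-parser@4.2.5", path: "source/custom-resource/package-lock.json" },
  { purl: "pkg:npm/fast-xml-parser@4.2.5", path: "source/microservices/package-lock.json" },
];

function newComponent(c) {
  // evidence.occurrences is the CycloneDX 1.5 field assumed here for locations.
  return { purl: c.purl, evidence: { occurrences: [{ location: c.path }] } };
}

// Lossy: the first sighting of a purl wins; later paths are silently dropped.
function dedupLossy(found) {
  const compMap = {};
  for (const c of found) {
    if (compMap[c.purl]) continue; // same effect as the early return in the issue
    compMap[c.purl] = newComponent(c);
  }
  return Object.values(compMap);
}

// Merging: still one component per purl (no duplicate entries in the SBOM),
// but every distinct location is appended, so a vulnerability report can
// list all sites that need patching.
function dedupMerging(found) {
  const compMap = {};
  for (const c of found) {
    const existing = compMap[c.purl];
    if (!existing) {
      compMap[c.purl] = newComponent(c);
      continue;
    }
    const seen = existing.evidence.occurrences.some((o) => o.location === c.path);
    if (!seen) existing.evidence.occurrences.push({ location: c.path });
  }
  return Object.values(compMap);
}

// Locations a fix for the given purl would have to cover.
function patchSites(components, purl) {
  const comp = components.find((c) => c.purl === purl);
  return comp ? comp.evidence.occurrences.map((o) => o.location) : [];
}
```

With the sample above, dedupLossy reports a single location to patch while dedupMerging reports all four, matching the 2-versus-4 discrepancy described in the issue.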