Replies: 1 comment 1 reply
@emcfins The approach we take in this case is to retain multiple SrcFile properties. Can you check if the SBOM has these properties?
When scanning a complex project (iot-device-simulator for example), the SBOM doesn't include all instances of a dependency installed.

In the linked repo, fast-xml-parser exists in source/console, source/simulator, source/custom-resource, and source/microservices. However, when cdxgen scans it, fast-xml-parser is only reported to be in source/console and source/simulator. When doing some digging, it seems like this line will only return a component if the version doesn't already exist in the component map.

If cdxgen is used to find all instances of a package installed for things such as vulnerability reporting, it will report only 2 instances of the dependency to be patched, instead of 4.
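An added JavaScript example (not cdxgen's or the project's own code) contrasting the two merge behaviours discussed in this thread: a component map that drops a hit whose name@version is already present, versus one that keeps a single component per version but retains every install location as a separate SrcFile property, as the reply suggests. The component shape, the SrcFile property name, the lockfile paths and the version number are assumptions constructed for the example.

```javascript
// Constructed sample input: the same dependency found in four lockfiles
// (paths follow the repo layout in the post; the version is a made-up value).
const FOUND = [
  { name: "fast-xml-parser", version: "4.2.5", srcFile: "source/console/package-lock.json" },
  { name: "fast-xml-parser", version: "4.2.5", srcFile: "source/simulator/package-lock.json" },
  { name: "fast-xml-parser", version: "4.2.5", srcFile: "source/custom-resource/package-lock.json" },
  { name: "fast-xml-parser", version: "4.2.5", srcFile: "source/microservices/package-lock.json" },
  { name: "uuid", version: "9.0.0", srcFile: "source/console/package-lock.json" },
];

// Build a CycloneDX-style component; the "SrcFile" property name is assumed.
const toComponent = (hit) => ({
  name: hit.name,
  version: hit.version,
  purl: `pkg:npm/${hit.name}@${hit.version}`,
  properties: [{ name: "SrcFile", value: hit.srcFile }],
});

// Lossy merge: a hit whose name@version is already in the map is dropped,
// so every install location after the first vanishes from the SBOM.
function mergeNaive(hits) {
  const byKey = new Map();
  for (const hit of hits) {
    const key = `${hit.name}@${hit.version}`;
    if (!byKey.has(key)) byKey.set(key, toComponent(hit));
  }
  return [...byKey.values()];
}

// Retaining merge: still one component per name@version, but each distinct
// location is appended to that component as its own SrcFile property.
function mergeRetainingSrcFiles(hits) {
  const byKey = new Map();
  for (const hit of hits) {
    const key = `${hit.name}@${hit.version}`;
    const existing = byKey.get(key);
    if (!existing) { byKey.set(key, toComponent(hit)); continue; }
    const dup = existing.properties.some(
      (p) => p.name === "SrcFile" && p.value === hit.srcFile);
    if (!dup) existing.properties.push({ name: "SrcFile", value: hit.srcFile });
  }
  return [...byKey.values()];
}

// Triage helper: every install location recorded for one component,
// i.e. the number of places a patch for that package must land.
function srcFilesOf(components, purl) {
  const c = components.find((x) => x.purl === purl);
  return c ? c.properties.filter((p) => p.name === "SrcFile").map((p) => p.value) : [];
}
```

With the sample input, `mergeNaive` reports one location for fast-xml-parser while `mergeRetainingSrcFiles` reports all four, without inflating the component count.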