Merge command: inconsistent dependency tree with vs. without the --name/--version parameters
A command: cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --name "Test" --version "1.0.0.0" --output-file sbom.json --output-format json
creates a different dependencies tree than the following command: cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --output-file sbom.json --output-format json
If --name and --version are omitted, the merged BOM reuses the first input's metadata.component (SecondProject, including its bom-ref) as the root, so the root's dependency entry is simply the one carried over from Second.xml. Note that the same bom-ref then appears both as metadata.component and as an entry in components, i.e. the identifier is present twice in one document.
"metadata": {
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"bom-ref": "[email protected]",
"name": "SecondProject",
"version": "0.0.0"
}
},
Versus with --name/--version supplied, where the generated root component carries no bom-ref and therefore has no entry at all in the dependencies array:
"metadata": {
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"name": "Test",
"version": "1.0.0.0"
}
},
Question
Is it intended that the two commands generate different dependency trees? I would expect the same output except for the root component's name and version.
I am also unsure whether the root component should declare a dependency on the input SBOMs' components (i.e. the Test component should depend on the FirstProject and SecondProject components). As it stands, the merged root has no bom-ref and no dependencies entry, so the two project subtrees are not reachable from the root; consumers that walk the graph from metadata.component will not see any of the libraries. Perhaps the hierarchy parameter is the intended way to get that linkage.
A dependency tracker consequently shows a different dependency graph for the two outputs.
File contents: First:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:13aadae0-bd0c-486e-981a-4fa85176596d",
"version": 1,
"metadata": {
"timestamp": "2023-12-16T09:08:04Z",
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"bom-ref": "[email protected]",
"name": "FirstProject",
"version": "0.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.DotNet.ILCompiler",
"version": "8.0.0",
"description": "Provides a native AOT compiler and runtime for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.NET.ILLink.Tasks",
"version": "8.0.0",
"description": "MSBuild tasks for running the IL Linker",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
}
],
"dependencies": [
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
}
]
}
Second:
{
"bomFormat": "CycloneDX",
"specVersion": "1.4",
"serialNumber": "urn:uuid:dd29f5b8-fe5b-440f-9cec-dbf1b29856b7",
"version": 1,
"metadata": {
"timestamp": "2023-12-16T09:07:45Z",
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"bom-ref": "[email protected]",
"name": "SecondProject",
"version": "0.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.DotNet.ILCompiler",
"version": "8.0.0",
"description": "Provides a native AOT compiler and runtime for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.NET.ILLink.Tasks",
"version": "8.0.0",
"description": "MSBuild tasks for running the IL Linker",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "James Newton-King",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"description": "Json.NET is a popular high-performance JSON framework for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright \u00A9 James Newton-King 2008",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://www.newtonsoft.com/json",
"type": "website"
},
{
"url": "https://github.com/JamesNK/Newtonsoft.Json",
"type": "vcs"
}
]
}
],
"dependencies": [
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
}
]
}
cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --name "Test" --version "1.0.0.0" --output-file sbom.json --output-format json
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:73930165-b476-4388-8162-5e9a56060c9b",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"name": "Test",
"version": "1.0.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.DotNet.ILCompiler",
"version": "8.0.0",
"description": "Provides a native AOT compiler and runtime for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.NET.ILLink.Tasks",
"version": "8.0.0",
"description": "MSBuild tasks for running the IL Linker",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "James Newton-King",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"description": "Json.NET is a popular high-performance JSON framework for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright \u00A9 James Newton-King 2008",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://www.newtonsoft.com/json",
"type": "website"
},
{
"url": "https://github.com/JamesNK/Newtonsoft.Json",
"type": "vcs"
}
]
},
{
"type": "application",
"bom-ref": "[email protected]",
"name": "SecondProject",
"version": "0.0.0"
},
{
"type": "application",
"bom-ref": "[email protected]",
"name": "FirstProject",
"version": "0.0.0"
}
],
"dependencies": [
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
},
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
}
]
}
cyclonedx-win-x64.exe merge --input-files Second.xml First.xml --output-file sbom.json --output-format json:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:9ea8f151-ebf4-4c59-9da9-0cf3c433d12e",
"version": 1,
"metadata": {
"tools": [
{
"vendor": "CycloneDX",
"name": "CycloneDX module for .NET",
"version": "2.10.0.0"
}
],
"component": {
"type": "application",
"bom-ref": "[email protected]",
"name": "SecondProject",
"version": "0.0.0"
}
},
"components": [
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.DotNet.ILCompiler",
"version": "8.0.0",
"description": "Provides a native AOT compiler and runtime for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "8BD9B26DED9C25666E36E47DC51417315C5256C3D4BBF0BA508680A836D570841A06A2506B36F75F974F4BF27512BE130B5356F9230B2AE2906DC516E391DA9A"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "Microsoft",
"name": "Microsoft.NET.ILLink.Tasks",
"version": "8.0.0",
"description": "MSBuild tasks for running the IL Linker",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "7FCFE8685558D875A773FF41455ABD765280F7C50DD725F0D580ACDC3EA2313560F04E52070B91AAFCDD912F2C7C8D7D7F9F79D586BCD1CD6125268773B0402E"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "\u00A9 Microsoft Corporation. All rights reserved.",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://dot.net/",
"type": "website"
},
{
"url": "https://github.com/dotnet/runtime",
"type": "vcs"
}
]
},
{
"type": "library",
"bom-ref": "pkg:nuget/[email protected]",
"author": "James Newton-King",
"name": "Newtonsoft.Json",
"version": "13.0.3",
"description": "Json.NET is a popular high-performance JSON framework for .NET",
"scope": "required",
"hashes": [
{
"alg": "SHA-512",
"content": "99B252BC77D1C5F5F7B51FD4EA7D5653E9961D7B3061CF9207F8643A9C7CC9965EEBC84D6467F2989BB4723B1A244915CC232A78F894E8B748CA882A7C89FB92"
}
],
"licenses": [
{
"license": {
"id": "MIT"
}
}
],
"copyright": "Copyright \u00A9 James Newton-King 2008",
"purl": "pkg:nuget/[email protected]",
"externalReferences": [
{
"url": "https://www.newtonsoft.com/json",
"type": "website"
},
{
"url": "https://github.com/JamesNK/Newtonsoft.Json",
"type": "vcs"
}
]
},
{
"type": "application",
"bom-ref": "[email protected]",
"name": "SecondProject",
"version": "0.0.0"
},
{
"type": "application",
"bom-ref": "[email protected]",
"name": "FirstProject",
"version": "0.0.0"
}
],
"dependencies": [
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "pkg:nuget/[email protected]",
"dependsOn": []
},
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
},
{
"ref": "[email protected]",
"dependsOn": [
"pkg:nuget/[email protected]",
"pkg:nuget/[email protected]"
]
}
]
}