Closed
Labels: question (Further information is requested)
Description
When creating an SBOM for a large enough package, there are inevitably cases where a single dependency is included more than once. I guess that makes sense as long as you're not using the --flatten-components option.
When using that option, however, I wouldn't expect those duplicates to appear. They each only differ in their bom-ref.
Is that behavior intentional?
Edit: Sorry, I was a little pressed for time when I hit send. Let me give an example.
Assume the following dependency tree:
myPackage
|
|- packageA@1.0.0
|  |- packageC@1.0.0
|
|- packageB@1.0.0
   |- packageC@1.0.0
Expected output
All output shortened for clarity.
Without --flatten-components:
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0",
      "components": [
        {
          "purl": "pkg:npm/packageC@1.0.0",
          "bom-ref": "packageA@1.0.0|packageC@1.0.0"
        }
      ]
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0",
      "components": [
        {
          "purl": "pkg:npm/packageC@1.0.0",
          "bom-ref": "packageB@1.0.0|packageC@1.0.0"
        }
      ]
    }
  ]
}
With --flatten-components:
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0"
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageC@1.0.0"
    }
  ]
}
Actual output
Without --flatten-components:
Matches expected output 👍
With --flatten-components:
{
  "components": [
    {
      "purl": "pkg:npm/packageA@1.0.0",
      "bom-ref": "packageA@1.0.0"
    },
    {
      "purl": "pkg:npm/packageB@1.0.0",
      "bom-ref": "packageB@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageA@1.0.0|packageC@1.0.0"
    },
    {
      "purl": "pkg:npm/packageC@1.0.0",
      "bom-ref": "packageB@1.0.0|packageC@1.0.0"
    }
  ]
}
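The behaviour the issue expects from --flatten-components (one entry per distinct purl, with the path-style bom-refs collapsed) can be checked and produced outside the tool. The script below is an added example, not code from cyclonedx-node-npm or from the issue author: it walks the nested component tree from the issue, keeps one component per purl, rewrites each bom-ref to a canonical form derived from the purl, and reports any purl that still appears more than once. It assumes the components carry "purl", "bom-ref" and an optional nested "components" list exactly as in the issue's JSON, and it also assumes (not shown in the issue) an optional CycloneDX "dependencies" array of {"ref": ..., "dependsOn": [...]} entries, whose refs must be remapped when bom-refs are merged, otherwise the dependency graph would point at refs that no longer exist. Duplicate purls under different bom-refs matter to consumers because vulnerability matching and VEX statements key on these identifiers.

```python
"""Flatten a nested CycloneDX component tree and collapse duplicates by purl.

Added example, not code from cyclonedx-node-npm. The input shape follows the
issue's JSON; the "dependencies" array is an assumption (the issue does not
show one) in the CycloneDX {"ref", "dependsOn"} shape.
"""
import copy
import json

# Constructed sample in the shape of the issue's non-flattened output.
NESTED_BOM = {
    "components": [
        {"purl": "pkg:npm/packageA@1.0.0", "bom-ref": "packageA@1.0.0",
         "components": [{"purl": "pkg:npm/packageC@1.0.0",
                         "bom-ref": "packageA@1.0.0|packageC@1.0.0"}]},
        {"purl": "pkg:npm/packageB@1.0.0", "bom-ref": "packageB@1.0.0",
         "components": [{"purl": "pkg:npm/packageC@1.0.0",
                         "bom-ref": "packageB@1.0.0|packageC@1.0.0"}]},
    ],
    # Assumed dependency graph (not in the issue), using the nested bom-refs.
    "dependencies": [
        {"ref": "packageA@1.0.0", "dependsOn": ["packageA@1.0.0|packageC@1.0.0"]},
        {"ref": "packageB@1.0.0", "dependsOn": ["packageB@1.0.0|packageC@1.0.0"]},
        {"ref": "packageA@1.0.0|packageC@1.0.0", "dependsOn": []},
        {"ref": "packageB@1.0.0|packageC@1.0.0", "dependsOn": []},
    ],
}

# Constructed copy of the "actual output" from the issue: packageC twice.
DUPLICATED_FLAT = [
    {"purl": "pkg:npm/packageA@1.0.0", "bom-ref": "packageA@1.0.0"},
    {"purl": "pkg:npm/packageB@1.0.0", "bom-ref": "packageB@1.0.0"},
    {"purl": "pkg:npm/packageC@1.0.0", "bom-ref": "packageA@1.0.0|packageC@1.0.0"},
    {"purl": "pkg:npm/packageC@1.0.0", "bom-ref": "packageB@1.0.0|packageC@1.0.0"},
]


def walk(components):
    """Yield every component depth-first, including nested ones."""
    for comp in components:
        yield comp
        yield from walk(comp.get("components", []))


def canonical_ref(purl):
    """Derive a bom-ref from a purl by stripping the "pkg:<type>/" prefix.

    This is a simplification chosen for the example (it yields the
    "packageC@1.0.0" form the issue expects); any scheme works as long as it
    is a function of the purl alone, so that equal purls get equal refs.
    """
    return purl.split("/", 1)[1]


def flatten_components(bom):
    """Return (flat_components, alias_map).

    flat_components: one entry per distinct purl, sorted by purl, with nested
    "components" removed and bom-ref rewritten to canonical_ref(purl).
    alias_map: every original bom-ref -> the canonical bom-ref replacing it.
    """
    seen = {}
    alias = {}
    for comp in walk(bom.get("components", [])):
        purl = comp["purl"]
        canonical = canonical_ref(purl)
        alias[comp["bom-ref"]] = canonical
        if purl in seen:
            continue  # duplicate purl: keep only the first occurrence
        flat = {k: v for k, v in comp.items() if k != "components"}
        flat["bom-ref"] = canonical
        seen[purl] = flat
    return sorted(seen.values(), key=lambda c: c["purl"]), alias


def rewrite_dependencies(dependencies, alias):
    """Remap refs through alias and merge entries that collapse together."""
    merged = {}
    for dep in dependencies:
        ref = alias.get(dep["ref"], dep["ref"])
        targets = merged.setdefault(ref, [])
        for target in dep.get("dependsOn", []):
            target = alias.get(target, target)
            if target not in targets:
                targets.append(target)
    return [{"ref": r, "dependsOn": d} for r, d in merged.items()]


def flatten_bom(bom):
    """Produce the flattened BOM the issue expects, graph refs included."""
    out = copy.deepcopy(bom)
    comps, alias = flatten_components(out)
    out["components"] = comps
    if "dependencies" in out:
        out["dependencies"] = rewrite_dependencies(out["dependencies"], alias)
    return out


def duplicate_purls(components):
    """Detect the defect the issue reports: a purl listed more than once."""
    counts = {}
    for comp in components:
        counts[comp["purl"]] = counts.get(comp["purl"], 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    print("duplicates in issue's actual output:", duplicate_purls(DUPLICATED_FLAT))
    print(json.dumps(flatten_bom(NESTED_BOM), indent=2))
```

Running the script prints the duplicate purl found in the issue's actual output and then the flattened BOM with a single packageC entry; duplicate_purls() can be pointed at the "components" array of any flattened SBOM to catch the same condition before the file is handed to a scanner.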