Skip to content

fix(cyclonedx): duplicated entries in dependsOn #9802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
d3vv3 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(cyclonedx): duplicated entries in dependsOn #9802

d3vv3 wants to merge 2 commits into from

Conversation

@d3vv3
Copy link

@d3vv3 d3vv3 commented Nov 14, 2025
edited
Loading

Description

Reproduce:

  1. trivy -q image --format cyclonedx --output /tmp/postgresql.json --timeout 3600s --parallel 2 docker.io/bitnamilegacy/postgresql:15.4.0-debian-11-r45
  2. cat /tmp/postgresql.json | jq ".dependencies[139].dependsOn"
  3. Duplicated entries don't comply with the Cyclonedx BOM schema.

Related issues

  • None

Related PRs

  • None

Remove this section if you don't have related PRs.

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@CLAassistant
Copy link

CLAassistant commented Nov 14, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@d3vv3 d3vv3 changed the title fix: duplicated entries in dependsOn fix(cyclonedx): duplicated entries in dependsOn Nov 14, 2025
@d3vv3 d3vv3 force-pushed the fix/dependsOn-duplicated-entries branch from fd46b5a to d6c9097 Compare November 14, 2025 08:56
@d3vv3 d3vv3 force-pushed the fix/dependsOn-duplicated-entries branch from d6c9097 to 5a46565 Compare November 14, 2025 09:43
@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Nov 14, 2025

Hi @d3vv3,
Thanks for your work!

I checked the image. It contains three identical packages that differ only by the SPDXID suffix. This looks like a bug.

➜ cat .spdx-postgresql.spdx | jq ' .packages[] | select (.name=="org.postgresql:pljava")'
{
  "name": "org.postgresql:pljava",
  "SPDXID": "SPDXRef-Package-81b064a6dd4b165f",
  "versionInfo": "1.6.6",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE_MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.postgresql/[email protected]"
    }
  ],
  "filesAnalyzed": false
}
{
  "name": "org.postgresql:pljava",
  "SPDXID": "SPDXRef-Package-200e4c8a9fedcdb5",
  "versionInfo": "1.6.6",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE_MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.postgresql/[email protected]"
    }
  ],
  "filesAnalyzed": false
}
{
  "name": "org.postgresql:pljava",
  "SPDXID": "SPDXRef-Package-c30a860d16f62e1b",
  "versionInfo": "1.6.6",
  "supplier": "NOASSERTION",
  "downloadLocation": "NONE",
  "licenseConcluded": "NONE",
  "licenseDeclared": "NONE",
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE_MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:maven/org.postgresql/[email protected]"
    }
  ],
  "filesAnalyzed": false
}

SPDXRef-Package-200e4c8a9fedcdb5 and SPDXRef-Package-c30a860d16f62e1b do not have any relationships with other components.

If this is not a bug, then we cannot simply drop the duplicates — we would “lose” some of the packages.
In that case, we need to include the SPDXID in Package.Identifier (similar to how we handle BomRef) to generate a correct unique identifier for identical packages that only differ by their SPDXID.

Regards, Dmitriy

@d3vv3
Copy link
Author

d3vv3 commented Nov 14, 2025

Hi @DmitriyLewen
Very insightful!

I added the SPDXID to maintain uniqueness. I think the previous commit is still important to ensure the output schema is valid.

What do you think?

@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Nov 17, 2025

I think the previous commit is still important to ensure the output schema is valid.

In this case, we must not prioritize a “valid-looking” SBOM over correct package detection.
People trust our SBOM, and if we simply drop duplicates — and users rely on that — it can lead to serious issues.

So we shouldn’t remove duplicated packages.
Instead, we need to fix the root cause and properly handle them, rather than hiding or deleting them.

I added the SPDXID to maintain uniqueness

About SPDXID — this field helps us see that packages are different (in pkgIdentifier.UID).
But we still have a problem with dependencies.

For example, in the SBOM we have:
• pkgA 1.0.0 (SPDX-1) -> pkgB 2.0.0 (SPDX-2)
• pkgA 1.0.0 (SPDX-3) -> pkgB 2.0.0 (SPDX-4)

For the SPDX-1 and SPDX-3 packages, the DependsOn entry will be the same: [email protected].
This means that one of the packages (SPDX-2 or SPDX-4) will be “lost” when we build the dependency graph.

This situation is similar to the problem we had with Maven modules:
#7879

I think we should use bomRef / SPDXID as the Package.ID.
Then, during decoding, we’ll have a clear mapping between the SBOM component and the resulting Package,
and we’ll be able to build relationships between packages more reliably.

We already discussed about BOMID (#9597 (comment))
We can add this field and use for bomRef|SPDXID
@knqyf263 wdyt?

@d3vv3
Copy link
Author

d3vv3 commented Nov 17, 2025

Hi @DmitriyLewen , thanks for your input.

Then, as for the invalid cyclonedx format, I think trivy should fail and exit when there al duplicated entries in a dependsOn array. What do you think?

For the root cause of the issue, thanks for the explanation. I see that it would be a huge refactor and it would sadly escape my golang skills.

@DmitriyLewen DmitriyLewen mentioned this pull request Nov 18, 2025
Open
@DmitriyLewen
Copy link
Contributor

DmitriyLewen commented Nov 18, 2025

No problem!
Thank you for helping uncover this issue and for your attempt to solve it!

I’ve created #9815 for it.

@github-actions
Copy link

github-actions bot commented Jan 18, 2026

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jan 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@knqyf263 knqyf263 Awaiting requested review from knqyf263 knqyf263 is a code owner

@DmitriyLewen DmitriyLewen Awaiting requested review from DmitriyLewen DmitriyLewen is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@d3vv3 @CLAassistant @DmitriyLewen