Hey @jkugler -- we definitely agree that some people might find the current Syft output noisier than it needs to be. We have a number of similar requests to this one for different package ecosystems, so we've created a new issue to help decide any end-user configuration necessary to accomplish this type of deduplication -- you may want to follow that one: #3485
What happened:
Syft found two identical dependencies in two different conanfile.txt files found in the source tree. This generated two Components in the CycloneDX SBOM that are identical in every way except for their bom-ref and syft:location:0:path.
What you expected to happen:
I would expect it would create one component and then generate multiple entries in the properties like so:
Steps to reproduce the issue:
Create two conanfile.txt files and put them in two different locations in your source tree, and add these contents:
Then run syft scan dir:source_dir/ --output cyclonedx-json=example.json
Anything else we need to know?:
This is similar to #1162 but has to do with source trees and not scanning docker containers
Environment:
Output of syft version:
OS (cat /etc/os-release or similar): MacOS 14.6.1
FYI: This issue was filed on behalf of Adobe.
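As an added example (not code from the issue, from Syft, or from the reporter), one way to post-process a CycloneDX JSON document into the shape the report asks for: fold components that differ only in bom-ref and syft:location:N:path into a single component, renumber the surviving location properties, and remap dependency refs that pointed at the dropped bom-refs so the graph still resolves. The sample SBOM, package names and paths below are constructed.

```python
LOCATION_PREFIX = "syft:location:"


def _conan_component(suffix, path):
    # Constructed sample in the shape the report describes (values made up).
    return {"bom-ref": f"pkg:conan/zlib@1.3.1?package-id={suffix}", "type": "library",
            "name": "zlib", "version": "1.3.1", "purl": "pkg:conan/zlib@1.3.1",
            "properties": [{"name": "syft:package:foundBy", "value": "conan-cataloger"},
                           {"name": "syft:location:0:path", "value": path}]}


SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [_conan_component("aaaa", "/src/a/conanfile.txt"),
                   _conan_component("bbbb", "/src/b/conanfile.txt")],
    "dependencies": [{"ref": "pkg:conan/zlib@1.3.1?package-id=aaaa", "dependsOn": []},
                     {"ref": "pkg:conan/zlib@1.3.1?package-id=bbbb", "dependsOn": []}],
}


def _is_location(prop):
    return prop["name"].startswith(LOCATION_PREFIX)


def identity(component):
    """Dedup key: every field except bom-ref and the syft:location:* properties."""
    props = tuple(sorted((p["name"], p["value"]) for p in component.get("properties", [])
                         if not _is_location(p)))
    return (component.get("type"), component.get("name"), component.get("version"),
            component.get("purl"), props)


def merge_duplicate_components(sbom):
    """Fold identical components into one, renumber locations, remap dependency refs."""
    kept, paths, ref_map = {}, {}, {}
    for comp in sbom.get("components", []):
        key = identity(comp)
        if key not in kept:  # first sighting survives; later copies only contribute paths
            kept[key] = dict(comp, properties=[p for p in comp.get("properties", []) if not _is_location(p)])
            paths[key] = []
        ref_map[comp.get("bom-ref")] = kept[key].get("bom-ref")  # dropped ref -> surviving ref
        paths[key] += [p["value"] for p in comp.get("properties", [])
                       if _is_location(p) and p["value"] not in paths[key]]
    for key, comp in kept.items():
        comp["properties"] += [{"name": f"{LOCATION_PREFIX}{i}:path", "value": v}
                               for i, v in enumerate(paths[key])]
    deps = {}
    for dep in sbom.get("dependencies", []):  # merge graph nodes whose ref was folded away
        node = deps.setdefault(ref_map.get(dep["ref"], dep["ref"]), [])
        node += [ref_map.get(d, d) for d in dep.get("dependsOn", []) if ref_map.get(d, d) not in node]
    out = dict(sbom, components=list(kept.values()))
    if deps:
        out["dependencies"] = [{"ref": r, "dependsOn": d} for r, d in deps.items()]
    return out
```

The input document is not mutated, so the original and merged SBOMs can be diffed side by side to confirm nothing but bom-refs and location properties changed.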