
Scanning a source tree with duplicate conanfile.txt dependencies generates multiple components #3403

Closed
jkugler opened this issue Oct 31, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@jkugler

jkugler commented Oct 31, 2024

What happened:
Syft found two identical dependencies in two different conanfile.txt files found in the source tree. This generated two Components in the CycloneDX SBOM that are identical in every way except for their bom-ref and syft:location:0:path.

What you expected to happen:
I would expect it would create one component and then generate multiple entries in the properties like so:

      "properties": [
        {
          "name": "syft:location:0:path",
          "value": "/path/to/first/conanfile.txt"
        },
        {
          "name": "syft:location:1:path",
          "value": "/path/to/second/conanfile.txt"
        }
      ]

Steps to reproduce the issue:
Create two conanfile.txt files and put them in two different locations in your source tree, and add these contents:

[requires]
libtiff/4.1.0

Then run syft scan dir:source_dir/ --output cyclonedx-json=example.json

Anything else we need to know?:
This is similar to #1162 but has to do with source trees and not scanning Docker containers.

Environment:

  • Output of syft version:
± syft version
Application: syft
Version:    1.15.0
BuildDate:  2024-10-28T21:11:34Z
GitCommit:  55cc1877ef246d8cabfd9bbeb0a8747b59c03431
GitDescription: v1.15.0
Platform:   darwin/arm64
GoVersion:  go1.22.8
Compiler:   gc
  • OS (e.g: cat /etc/os-release or similar):
    MacOS 14.6.1

FYI: This issue was filed on behalf of Adobe.
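The deduplication the report asks for can be applied after the fact to the CycloneDX JSON Syft already emits. The script below is an added example and is not Syft's own code: it collapses components that are identical apart from their bom-ref and their syft:location:N:* properties, renumbers the surviving location properties the way the expected output above shows, and rewrites the dependencies section so that references to the dropped bom-refs point at the kept component. The sample BOM embedded at the bottom is constructed for the example; the bom-ref values and the syft:package:foundBy property are illustrative.

```python
"""Merge CycloneDX components that differ only by bom-ref and Syft location.

Added example (not part of Syft). Works on the JSON produced by
`syft scan dir:... --output cyclonedx-json=...`.
"""
import copy
import json
import re
import sys

# Matches syft:location:<index>:<field>, e.g. syft:location:0:path
LOCATION_RE = re.compile(r"^syft:location:(\d+):(.+)$")


def _split_props(component):
    """Separate ordinary properties from location groups (ordered by index)."""
    others, groups = [], {}
    for prop in component.get("properties", []):
        m = LOCATION_RE.match(prop.get("name", ""))
        if m:
            groups.setdefault(int(m.group(1)), []).append((m.group(2), prop.get("value")))
        else:
            others.append(prop)
    return others, [groups[i] for i in sorted(groups)]


def _identity_key(component):
    """Canonical string over every field except bom-ref and location properties."""
    stripped = copy.deepcopy(component)
    stripped.pop("bom-ref", None)
    others, _ = _split_props(stripped)
    stripped["properties"] = sorted(json.dumps(p, sort_keys=True) for p in others)
    return json.dumps(stripped, sort_keys=True)


def merge_duplicate_components(bom):
    """Return a new BOM where location-only duplicates become one component."""
    bom = copy.deepcopy(bom)
    survivors, order, alias = {}, [], {}  # alias: dropped bom-ref -> kept bom-ref
    for comp in bom.get("components", []):
        key = _identity_key(comp)
        _, groups = _split_props(comp)
        if key in survivors:
            survivor, kept_groups = survivors[key]
            alias[comp.get("bom-ref")] = survivor.get("bom-ref")
            for group in groups:          # add new locations, skip exact repeats
                if group not in kept_groups:
                    kept_groups.append(group)
        else:
            survivors[key] = (comp, groups)
            order.append(key)

    components = []
    for key in order:
        comp, groups = survivors[key]
        props, _ = _split_props(comp)
        for idx, group in enumerate(groups):  # renumber syft:location:N:* sequentially
            for field, value in group:
                props.append({"name": f"syft:location:{idx}:{field}", "value": value})
        if props:
            comp["properties"] = props
        components.append(comp)
    bom["components"] = components

    if "dependencies" in bom:  # repoint edges that referenced a dropped bom-ref
        by_ref = {}
        for dep in bom["dependencies"]:
            ref = alias.get(dep.get("ref"), dep.get("ref"))
            entry = by_ref.setdefault(ref, {"ref": ref, "dependsOn": []})
            for target in dep.get("dependsOn", []):
                target = alias.get(target, target)
                if target != ref and target not in entry["dependsOn"]:
                    entry["dependsOn"].append(target)
        bom["dependencies"] = list(by_ref.values())
    return bom


def _libtiff(ref_suffix, path):
    """Constructed sample component; bom-ref and property values are illustrative."""
    return {
        "bom-ref": f"pkg:conan/libtiff@4.1.0?package-id={ref_suffix}",
        "type": "library", "name": "libtiff", "version": "4.1.0",
        "purl": "pkg:conan/libtiff@4.1.0",
        "properties": [
            {"name": "syft:package:foundBy", "value": "conan-cataloger"},
            {"name": "syft:location:0:path", "value": path},
        ],
    }


SAMPLE_BOM = {  # constructed input mirroring the report: one package, two conanfile.txt
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [_libtiff("aaa", "/path/to/first/conanfile.txt"),
                   _libtiff("bbb", "/path/to/second/conanfile.txt")],
    "dependencies": [{"ref": "root", "dependsOn": [
        "pkg:conan/libtiff@4.1.0?package-id=aaa",
        "pkg:conan/libtiff@4.1.0?package-id=bbb"]}],
}

if __name__ == "__main__":
    src = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_BOM
    json.dump(merge_duplicate_components(src), sys.stdout, indent=2)
```

Run it with the path to a cyclonedx-json file as the only argument to print the merged BOM; with no argument it processes the embedded sample. The identity key deliberately ignores property order so that two components that Syft emitted with the same data in a different order still merge; any field other than bom-ref and the location properties that differs keeps the components apart.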

@jkugler jkugler added the bug Something isn't working label Oct 31, 2024
@jkugler
Author

jkugler commented Oct 31, 2024

This may also be related to #3131

@kzantow
Contributor

kzantow commented Dec 2, 2024

Hey @jkugler -- we definitely agree that some people might find the current Syft output noisier than it needs to be. We have a number of similar requests to this one for different package ecosystems, so we've created a new issue to help decide any end-user configuration necessary to accomplish this type of deduplication -- you may want to follow that one: #3485

@jkugler
Author

jkugler commented Dec 2, 2024

Thanks! I'll follow #3485
