Deserialization silently loads broken bom #677
Comments
@wkoot, do you want to give it a try fixing this?
I believe that making the But this boils down to an architectural choice regarding model strictness; how much deduplication should be enforced? I think there are three options:
The first option might be an uphill battle, while the other two will most likely mean that other tools will not be changed. It would be easier if there was a working
You could add your example to this very project's test cases and alter the code to showcase this.
re:
There is just no agreement/consensus on the merging algorithms - see CycloneDX/specification#320.
Addresses CycloneDX#677 Signed-off-by: wkoot <[email protected]>
It seems that deserialization silently loads broken bom data, omitting components due to deduplication.
For reproduction, refer to the sample testdata output as produced in CycloneDX/cyclonedx-cli#399:
Deserialize and validate bom:
Because Bom.from_json() doesn't throw an error, there's no telling what data is actually lost during deserialization.
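The issue above is that a deserializer which deduplicates on load gives the caller no signal about what was dropped. A practitioner who has to consume BOMs from other tools can at least measure the loss before and after loading. The following is an added example, written for this page; it is not code from cyclonedx-python-lib, from the issue reporter, or from the cyclonedx-cli testdata. It uses only the standard library: it walks the raw JSON (including nested components), counts what the file actually carries, flags entries that collide, and raises instead of staying silent when the count a deserializer hands back (for instance, the number of components after Bom.from_json()) is smaller than the count in the file. The identity key used to detect duplicates (name, version, purl) and the sample BOM are both assumptions made for the example; the library's own equality rules may differ, so treat the numbers as a sanity check, not as the library's behaviour.

```python
"""Pre-flight audit of a CycloneDX JSON BOM, stdlib only (added example,
not part of cyclonedx-python-lib)."""
import json
from collections import Counter, defaultdict
from typing import Any, Iterator

# Constructed sample BOM (not the issue's testdata). It contains an exact
# repeat, a bom-ref reused for a different package, and a nested repeat.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "ref-a", "name": "a", "version": "1.0",
         "purl": "pkg:pypi/[email protected]"},
        {"type": "library", "bom-ref": "ref-b", "name": "b", "version": "2.0",
         "purl": "pkg:pypi/[email protected]"},
        # exact repeat of the first entry: a deduplicating loader drops it
        {"type": "library", "bom-ref": "ref-a", "name": "a", "version": "1.0",
         "purl": "pkg:pypi/[email protected]"},
        # reuses ref-b but describes a different package: genuine conflict
        {"type": "library", "bom-ref": "ref-b", "name": "c", "version": "3.0",
         "purl": "pkg:pypi/[email protected]"},
        {"type": "library", "name": "d", "version": "4.0", "components": [
            {"type": "library", "name": "e", "version": "5.0"},
            {"type": "library", "name": "e", "version": "5.0"},  # nested repeat
        ]},
    ],
})


def iter_components(node: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every component under `node`, recursing into nested 'components'."""
    for comp in node.get("components") or []:
        yield comp
        yield from iter_components(comp)


def identity(comp: dict[str, Any]) -> tuple:
    """Identity key assumed for this example; the library may use other fields."""
    return (comp.get("name"), comp.get("version"), comp.get("purl"))


def audit_components(bom_json: str) -> dict[str, Any]:
    """Count components in the raw JSON and report collisions."""
    comps = list(iter_components(json.loads(bom_json)))
    by_identity = Counter(identity(c) for c in comps)
    # group the canonical JSON of each component by its bom-ref
    by_ref: dict[str, list[str]] = defaultdict(list)
    for c in comps:
        if "bom-ref" in c:
            by_ref[c["bom-ref"]].append(json.dumps(c, sort_keys=True))
    # same bom-ref, byte-identical content: harmless to dedupe
    repeated = sorted(r for r, forms in by_ref.items()
                      if len(forms) > 1 and len(set(forms)) == 1)
    # same bom-ref, differing content: deduplication would lose data
    conflicting = sorted(r for r, forms in by_ref.items() if len(set(forms)) > 1)
    return {
        "total": len(comps),
        "distinct": len(by_identity),
        "duplicate_identities": sorted(
            (k for k, n in by_identity.items() if n > 1), key=str),
        "repeated_bom_refs": repeated,
        "conflicting_bom_refs": conflicting,
    }


def verify_component_count(bom_json: str, loaded_count: int) -> int:
    """Compare the count a deserializer returned with what the file carries.

    `loaded_count` is whatever the caller measured after loading (for
    cyclonedx-python-lib that would be the size of the loaded Bom's
    components, which this example deliberately does not compute itself).
    Raises ValueError instead of letting the discrepancy pass silently.
    """
    report = audit_components(bom_json)
    if loaded_count != report["total"]:
        raise ValueError(
            f"deserializer kept {loaded_count} of {report['total']} components; "
            f"duplicate identities: {report['duplicate_identities']}; "
            f"conflicting bom-refs: {report['conflicting_bom_refs']}")
    return loaded_count


if __name__ == "__main__":
    print(json.dumps(audit_components(SAMPLE_BOM_JSON), indent=2, default=str))
```

Run the audit on the file first, then load it with whatever deserializer is in use and pass the resulting component count to verify_component_count; the repeated_bom_refs list tells you which drops are benign and conflicting_bom_refs which ones discard information.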