Explain how to remove dupes from merged SBOMs
What does this MR do and why?
Documentation for merging multiple CycloneDX SBOMs into a single file was added in Document CycloneDX support for DS (!80588 - merged); however, we didn't realize at the time that the tool used for merging, cyclonedx-cli, does not remove duplicates from the merged SBOM files, producing SBOM files that fail validation against the CycloneDX schema. When a user attempts to provide a CycloneDX SBOM with duplicate components, the Rails backend fails to ingest the SBOM, which prevents licenses from being displayed.
This MR updates the guidance for merging multiple CycloneDX SBOMs to include details on how to remove duplicates from the resulting merged file, as well as how to validate the merged SBOM.
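As an added illustration (not code from this MR or from cyclonedx-cli), the script below deduplicates the components of a merged CycloneDX JSON SBOM and reports repeated bom-ref values so the result can be checked before validating it against the schema. The sample SBOM is constructed, and the identity rule (purl when present, otherwise type/group/name/version) is an assumption, not a rule the MR states.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample of a merged SBOM: two inputs both listed lodash, and the
# merge kept both copies (the situation described in the MR).
MERGED_SBOM: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2", "bom-ref": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "bom-ref": "pkg:npm/lodash@4.17.21"},
    ],
}


def component_key(component: Dict[str, Any]) -> Tuple[str, ...]:
    """Identity of a component. Assumption: the purl is authoritative when
    present; otherwise fall back to the (type, group, name, version) tuple."""
    purl = component.get("purl")
    if purl:
        return ("purl", purl)
    return ("coords", component.get("type", ""), component.get("group", ""),
            component.get("name", ""), component.get("version", ""))


def dedupe_components(sbom: Dict[str, Any]) -> Dict[str, Any]:
    """Return a shallow copy of the SBOM keeping only the first occurrence of
    each component; the input is left unchanged."""
    seen = set()
    unique: List[Dict[str, Any]] = []
    for component in sbom.get("components", []):
        key = component_key(component)
        if key not in seen:
            seen.add(key)
            unique.append(component)
    result = dict(sbom)
    result["components"] = unique
    return result


def duplicate_bom_refs(sbom: Dict[str, Any]) -> List[str]:
    """List bom-ref values that occur more than once (in first-seen order)."""
    counts: Dict[str, int] = {}
    for component in sbom.get("components", []):
        ref = component.get("bom-ref")
        if ref:
            counts[ref] = counts.get(ref, 0) + 1
    return [ref for ref, n in counts.items() if n > 1]


if __name__ == "__main__":
    cleaned = dedupe_components(MERGED_SBOM)
    print("duplicate bom-refs before:", duplicate_bom_refs(MERGED_SBOM))
    print(json.dumps(cleaned, indent=2))
```

After writing the cleaned file, validate it with the CycloneDX tooling as the updated docs describe; deduplication alone does not prove the file is schema-valid.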
Testing
Tested here
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.