Metadata components should not have sub-components #763
Comments
|
More specifically, the guide states that subcomponents should be used in case of a "Multi-Product Solution" rather than a "Multi-Module Product". You can work around this today with Could you share the exact error that DependencyTrack reports? |
|
Hi, thanks for your advice.
Sadly, I don't see too much difference in the resulting SBoMs: > cargo cyclonedx --describe=crate -a
> cargo cyclonedx --describe=binaries -a
> diff my-project*.xml
2c2
< <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5409cd74-0ee9-4d79-a6ff-59855524e122" version="1">
---
> <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:74c46a33-405f-49e2-980d-a592c338df5a" version="1">
4c4
< <timestamp>2024-08-23T06:07:23.503610541Z</timestamp>
---
> <timestamp>2024-08-23T06:07:14.152732469Z</timestamp>
25c25
< <purl>pkg:cargo/my-project@0.1.0?download_url=file://.#src/main.rs</purl>
---
> <purl>pkg:cargo/my-project@0.1.0?download_url=file://.</purl>
It boils down to parsing errors with Jackson in the Edit: formatting |
As of now, cargo-cyclonedx explicitly creates sub-components for the component entry in the metadata for the respective compilation targets.
This appears to contradict with the suggestions in the Authoritative Guide to SBOM, that states, that "The SBOM should have a single bom.metadata.component without subcomponents".
This has the consequence, that generated SBoMs currently cannot be properly processed by third-party tools, e.g., Dependency Track.
The text was updated successfully, but these errors were encountered: