I am trying to aggregate multiple SBOMs into a single SBOM.
For my example I have 10 root 'Project' components, that all depend directly on an external component. Example @angular/common@16.2.12
During the aggregation I am trying to create a New Root 'Product' component, with each of the 10 'Project' components being added as direct dependencies to the new 'Product' root component. Every time I encounter a new component based on its PURL or "BomRef value" I add it to a dictionary so that I can reuse the component when it is encountered.
If I copy the dependencies directly from each of the project component dependencies I will have 10 instances of @angular/common@16.2.12
I've traced this down to the bom_ref comparison operation. I have tried setting the bom_ref of the dependent projects (instances of angular/comm), however bom_ref can only be set within the constructor of the component.
I'm open to suggestions, however this use case where I have only 10 Projects with a single external dependency is a gross understatement.
This dependency tree in this case would look like a Diamond - 1 top component, 10 central component, all pointing to a single component on the bottom.
I am trying to aggregate multiple SBOMs into a single SBOM.
For my example I have 10 root 'Project' components, that all depend directly on an external component. Example @angular/common@16.2.12
During the aggregation I am trying to create a New Root 'Product' component, with each of the 10 'Project' components being added as direct dependencies to the new 'Product' root component. Every time I encounter a new component based on its PURL or "BomRef value" I add it to a dictionary so that I can reuse the component when it is encountered.
If I copy the dependencies directly from each of the project component dependencies I will have 10 instances of @angular/common@16.2.12
I've traced this down to the bom_ref comparison operation. I have tried setting the bom_ref of the dependent projects (instances of angular/comm), however bom_ref can only be set within the constructor of the component.
I'm open to suggestions, however this use case where I have only 10 Projects with a single external dependency is a gross understatement.
This dependency tree in this case would look like a Diamond - 1 top component, 10 central component, all pointing to a single component on the bottom.