From 5fe2218493ce217870f8ca68093773347b82b1d8 Mon Sep 17 00:00:00 2001
From: Christoph Reiter
Date: Mon, 23 Dec 2024 15:10:20 +0100
Subject: [PATCH] sbom: add multiple pkgbase if they match

We have multiple packages with the same CPE, and since we now have multiple components with the same name they get merged by grype into one, which means each SBOM component can point to multiple pkgbase values.
---
 msys2_devtools/sbom.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/msys2_devtools/sbom.py b/msys2_devtools/sbom.py
index 6d07a4c..9d12f5c 100644
--- a/msys2_devtools/sbom.py
+++ b/msys2_devtools/sbom.py
@@ -176,8 +176,12 @@ def get_component_key(component: Component) -> str:
     return (component.name, component.version, component.purl, cpe_key)
 
 for component in src_bom.components:
+    assert isinstance(component, Component)
     key = get_component_key(component)
-    properties[key] = component.properties
+    if key not in properties:
+        properties[key] = component.properties
+    else:
+        properties[key].update(component.properties)
 
 with open(args.target_sbom, "r", encoding="utf-8") as h:
     target_bom: Bom = Bom.from_json(json.loads(h.read()))
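Review bot: The `if key not in properties:` branch stores a reference to the first component's own property collection, so the `properties[key].update(...)` in the `else:` branch mutates that component inside `src_bom` in place rather than a merge-only copy; if `src_bom` is read again later (outside this hunk, so I cannot confirm), its first matching component will silently carry the union of all duplicates' properties. Copying on first insert avoids the aliasing, e.g. `properties[key] = set(component.properties)` (or the same collection type the rest of the file expects downstream, if ordering matters there). The `assert isinstance(component, Component)` only narrows the type for static checkers and is stripped under `python -O`, which is fine as long as nothing relies on it as a runtime guard. The declaration of `properties` and the enclosing scope of this loop start before the hunk.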