
cyclonedx merge defaults to specVersion 1.5 even when merging two v1.4 files #349

Open
aja08379 opened this issue Nov 6, 2023 · 5 comments · May be fixed by #366

Comments

@aja08379

aja08379 commented Nov 6, 2023

Merging SBOMs seems to default to the output file being version 1.5, regardless of the input file versions. See for example test1.txt and test2.txt attached. Both v1.4, created with the snyk sbom CLI command.

Command used to merge them is:

cyclonedx merge --input-files test1.txt test2.txt --output-file new.txt --input-format json --output-format json --name "Test" --version "v0.0"

The output SBOM new.txt is v1.5 (also attached):

user@ubuntu2004:~$ cat test1.txt | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
user@ubuntu2004:~$ cat test2.txt | jq
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
ash@ubuntu2004:~$ cat new.txt | jq
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",

new.txt
test1.txt
test2.txt

@aja08379 aja08379 changed the title from "cyclonedx merge defaults to specVersion 1.5 even when merging two v1.4 filesls -la" to "cyclonedx merge defaults to specVersion 1.5 even when merging two v1.4 files" Nov 6, 2023
@aja08379 aja08379 closed this as completed Nov 6, 2023
@aja08379 aja08379 reopened this Nov 6, 2023
@Parisha7

Parisha7 commented Dec 4, 2023

We are also facing a similar issue. Is there any fix coming up soon?

@saloni410

When can we expect the fix, please?

@andreas-hilti
Contributor

I think the intended behavior is to produce SBOMs of the latest version. However, you can use "--output-version v1_4" to force it to produce an SBOM of version 1.4.

@anubhav-tyagi1

anubhav-tyagi1 commented May 20, 2024

Hello @andreas-hilti ,

We are encountering an issue with the CycloneDX merge command. When merging two SBOMs with spec version v1.4, the resulting SBOM is in spec version v1.5.

Is this the expected behavior of the merge command?

Additionally, it appears that the merge command does not support an --output-version flag, as confirmed by the documentation, so we cannot explicitly specify the output spec version.

@andreas-hilti andreas-hilti linked a pull request May 20, 2024 that will close this issue
@andreas-hilti
Contributor

andreas-hilti commented May 20, 2024

> Hello @andreas-hilti ,
>
> We are encountering an issue with the CycloneDX merge command. When merging two SBOMs with spec version v1.4, the resulting SBOM is in spec version v1.5.
>
> Is this the expected behavior of the merge command?
>
> Additionally, it appears that the merge command does not support an --output-version flag, as confirmed by the documentation, so we cannot explicitly specify the output spec version.

Yes, you are right, it is currently not supported. You can review:
#366

What you can do already now is this (merge followed by convert):

cyclonedx.exe merge --input-files sbom1.json sbom2.json --output-file sbom_combined.json
cyclonedx.exe convert --input-file sbom_combined.json --output-file sbom_combined_conv.json --output-version v1_4
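A small post-merge check for the version drift described in the opening report and for the merge-then-convert workaround above. This is an added example, not code from cyclonedx-cli or from anyone in this thread. It reads the `specVersion` field of each BOM (falling back to the version embedded in the `$schema` URL, and flagging a BOM where the two disagree), then reports whether the merged output declares a version different from the newest input version. The three sample documents are constructed to mirror the shapes shown in the issue (two 1.4 inputs with `$schema` and `specVersion`, a merged output with `specVersion` only); the function and file names are the example's own.

```python
"""Post-merge check: does a merged CycloneDX JSON BOM keep its inputs' spec version?"""
import json
from pathlib import Path
from typing import Dict, Iterable, Tuple

SCHEMA_SUFFIX = ".schema.json"


def version_key(v: str) -> Tuple[int, ...]:
    """Sort key so that "1.10" orders after "1.5" (plain string compare would not)."""
    return tuple(int(p) for p in v.split("."))


def spec_version(doc: dict) -> str:
    """Return the CycloneDX spec version a parsed JSON BOM declares.

    Uses "specVersion" when present; otherwise derives it from the "$schema"
    URL (".../bom-1.4.schema.json" -> "1.4"). Raises if neither is present or
    if the two disagree, because such a BOM is internally inconsistent.
    """
    explicit = doc.get("specVersion")
    schema = doc.get("$schema", "")
    from_schema = None
    if "/bom-" in schema and schema.endswith(SCHEMA_SUFFIX):
        from_schema = schema.rsplit("/bom-", 1)[1][: -len(SCHEMA_SUFFIX)]
    if explicit is not None and from_schema is not None and str(explicit) != from_schema:
        raise ValueError(f"specVersion {explicit!r} disagrees with $schema {schema!r}")
    if explicit is not None:
        return str(explicit)
    if from_schema is not None:
        return from_schema
    raise ValueError("BOM carries neither specVersion nor a recognisable $schema")


def check_merge(inputs: Dict[str, dict], output: dict) -> dict:
    """Compare the merged BOM's spec version with the newest version among the inputs.

    "drifted" is True when the output version differs from that expected version,
    e.g. two 1.4 inputs producing a 1.5 output as reported in this issue.
    """
    in_versions = {name: spec_version(doc) for name, doc in inputs.items()}
    expected = max(in_versions.values(), key=version_key)
    actual = spec_version(output)
    return {
        "inputs": in_versions,
        "expected": expected,
        "actual": actual,
        "drifted": actual != expected,
    }


def check_merge_files(input_paths: Iterable[str], output_path: str) -> dict:
    """File-based wrapper: run check_merge on JSON BOMs on disk."""
    inputs = {p: json.loads(Path(p).read_text(encoding="utf-8")) for p in input_paths}
    output = json.loads(Path(output_path).read_text(encoding="utf-8"))
    return check_merge(inputs, output)


# Constructed sample documents (not the attachments from the issue), shaped like
# the jq output shown there: inputs carry $schema + specVersion, the merged
# output carries specVersion only.
SAMPLE_INPUTS = {
    "test1.txt": {"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
                  "bomFormat": "CycloneDX", "specVersion": "1.4"},
    "test2.txt": {"$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
                  "bomFormat": "CycloneDX", "specVersion": "1.4"},
}
SAMPLE_OUTPUT_MERGE_ONLY = {"bomFormat": "CycloneDX", "specVersion": "1.5"}
SAMPLE_OUTPUT_CONVERTED = {"bomFormat": "CycloneDX", "specVersion": "1.4"}

if __name__ == "__main__":
    for label, out in (("merge only", SAMPLE_OUTPUT_MERGE_ONLY),
                       ("merge + convert --output-version v1_4", SAMPLE_OUTPUT_CONVERTED)):
        r = check_merge(SAMPLE_INPUTS, out)
        status = "DRIFT" if r["drifted"] else "ok"
        print(f"{label}: expected {r['expected']}, got {r['actual']} -> {status}")
```

Run it against real files with `check_merge_files(["test1.txt", "test2.txt"], "sbom_combined_conv.json")` after the convert step; a `drifted` result means the workaround was skipped or the requested `--output-version` was not applied.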

5 participants