How to reproduce the issue
with the content of test_sbom.json as follows: test_sbom.json
In the example above, the dependency component org.hamcrest:hamcrest-library has the same repository URL https://github.com/hamcrest/JavaHamcrest as another dependency component org.hamcrest:hamcrest-core. Because https://github.com/hamcrest/JavaHamcrest has been analyzed already for org.hamcrest:hamcrest-core, we marked org.hamcrest:hamcrest-library as a DUPLICATED_REPO_URL component.
However, the description column of org.hamcrest:hamcrest-library reads: "https://github.com/hamcrest/JavaHamcrest is already analyzed." I think this is quite confusing, as the user doesn't know where to look for the report of that particular repository. Note that all dependencies listed in the HTML report are listed in the format <group_id>:<name> to follow the data model.
In addition, the report column of org.hamcrest:hamcrest-library is empty (in the past, it used to link to the HTML report of org.hamcrest:hamcrest-core). However, because we are using PURL as the unique identifier, I don't think linking to the same HTML report of another component with a different PURL would be a good idea.
Expect
I think we need to discuss what would be the best way to display the "duplicated status" of dependencies. Note that after this PR is merged, the definition of "duplication" is no longer scoped to the repository URL alone, but to repository URL + commit, or PURL with version number, etc.
As discussed, we have agreed that this issue will be addressed once this PR is merged as part of the change in data model where the analysis happens on a snapshot of a repository (URL + commit) instead of only happening on the repository URL like before.
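As an added illustration (not the project's own code or data model) of the snapshot-based duplicate marking discussed in this thread: duplication is decided on repository URL + commit rather than the bare URL, and a duplicate's description names the component whose analysis it shares instead of only saying the URL "is already analyzed". The component list is constructed, since the content of test_sbom.json is not shown here, and the function names, commit values and report path layout are assumptions.

```python
"""Mark duplicate SBOM components by repository snapshot (URL + commit).
Constructed sample data; hypothetical helpers, not the project's own."""

# Constructed stand-in for test_sbom.json components; PURL is the unique id.
SAMPLE_COMPONENTS = [
    {"purl": "pkg:maven/org.hamcrest/hamcrest-core@2.2",
     "repo_url": "https://github.com/hamcrest/JavaHamcrest", "commit": "COMMIT_A"},
    {"purl": "pkg:maven/org.hamcrest/hamcrest-library@2.2",
     "repo_url": "https://github.com/hamcrest/JavaHamcrest", "commit": "COMMIT_A"},
    # Same repository URL but a different commit: NOT a duplicate any more.
    {"purl": "pkg:maven/org.hamcrest/hamcrest-core@1.3",
     "repo_url": "https://github.com/hamcrest/JavaHamcrest", "commit": "COMMIT_B"},
]


def display_name(purl):
    """Render a PURL as <group_id>:<name>, the format used in the HTML report.
    'pkg:maven/org.hamcrest/hamcrest-core@2.2' -> 'org.hamcrest:hamcrest-core'."""
    body = purl.split(":", 1)[1]                       # drop 'pkg:' scheme
    body = body.split("#", 1)[0].split("?", 1)[0].split("@", 1)[0]  # drop subpath, qualifiers, version
    parts = body.split("/")                            # [type, namespace..., name]
    namespace = "/".join(parts[1:-1])
    return f"{namespace}:{parts[-1]}" if namespace else parts[-1]


def snapshot_key(component):
    """Duplication is decided on the snapshot (URL + commit), not the URL alone."""
    return (component["repo_url"].rstrip("/").lower(), component["commit"])


def build_report_rows(components):
    """One report row per component. The first component seen for a snapshot
    is analyzed; later ones are DUPLICATED_REPO_URL and their description
    names the analyzed component, so the user knows which report to consult.
    The report column stays empty for duplicates (no cross-PURL link)."""
    first_seen = {}   # snapshot key -> PURL of the analyzed component
    rows = []
    for c in components:
        name, key = display_name(c["purl"]), snapshot_key(c)
        if key not in first_seen:
            first_seen[key] = c["purl"]
            rows.append({"component": name, "status": "ANALYZED",
                         "description": f"Analyzed {c['repo_url']} @ {c['commit']}",
                         "report": f"reports/{name}.html"})
        else:
            analyzed = display_name(first_seen[key])
            rows.append({"component": name, "status": "DUPLICATED_REPO_URL",
                         "description": f"Same snapshot as {analyzed} "
                                        f"({c['repo_url']} @ {c['commit']}); see its report.",
                         "report": None})
    return rows
```

With the sample above, hamcrest-library@2.2 is marked as a duplicate of hamcrest-core@2.2, while hamcrest-core@1.3 (same URL, different commit) is analyzed on its own.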