
duplicate spdx_id #76

Closed
vargenau opened this issue Jul 10, 2024 · 4 comments
Comments

@vargenau
Contributor

It is possible that different files contain the same package.

This is a toy example, but in real SBOMs (that I cannot provide for confidentiality reasons), it happens often.

You should create different spdx_ids, or create a single instance of the package if it is exactly the same in both files.

duplicate1.spdx.txt
duplicate2.spdx.txt

sbomasm assemble -n merge -v 1 -t application -o merge.spdx.json *.spdx

merge.spdx.json

pyspdxtools -i merge.spdx.json 
ERROR:root:The document is invalid. The following issues have been found:
every spdx_id must be unique within the document, but found the following duplicates: ['SPDXRef-Package-crypto-js']
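The two options named above (give colliding packages distinct SPDX IDs, or keep a single instance when the package is exactly the same) can be shown on small constructed documents. The following is an added illustration written for this page, not sbomasm's or pyspdxtools' code. It assumes that "exactly the same" means equal name, version, downloadLocation and checksums (that identity rule is an assumption, not something the tools define), and it rewrites relationship endpoints so that renamed or collapsed IDs stay consistent. The sample documents below are constructed and are not the attachments from the issue.

```python
import json
from collections import Counter

# Constructed sample SPDX 2.3 JSON documents (not the issue's attachments).
# Both carry an identical crypto-js package, and both reuse the SPDXID
# SPDXRef-Package-lodash for two *different* lodash versions.
CRYPTO_JS = {
    "SPDXID": "SPDXRef-Package-crypto-js", "name": "crypto-js", "versionInfo": "4.1.1",
    "downloadLocation": "https://registry.npmjs.org/crypto-js/-/crypto-js-4.1.1.tgz",
    "checksums": [{"algorithm": "SHA256", "checksumValue": "aa" * 32}],
}
DOC1 = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "duplicate1",
    "packages": [dict(CRYPTO_JS),
                 {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.20",
                  "downloadLocation": "NOASSERTION", "checksums": []}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-crypto-js"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-lodash"},
    ],
}
DOC2 = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "duplicate2",
    "packages": [dict(CRYPTO_JS),
                 {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.21",
                  "downloadLocation": "NOASSERTION", "checksums": []}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-crypto-js"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-lodash"},
        {"spdxElementId": "SPDXRef-Package-lodash", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-crypto-js"},
    ],
}


def package_key(pkg):
    """Assumed identity of a package: name, version, download location and checksums."""
    checksums = tuple(sorted((c["algorithm"], c["checksumValue"]) for c in pkg.get("checksums", [])))
    return (pkg["name"], pkg.get("versionInfo"), pkg.get("downloadLocation"), checksums)


def duplicate_ids(doc):
    """The uniqueness check the validator enforces: every SPDXID appears once per document."""
    counts = Counter(e["SPDXID"] for e in doc.get("packages", []) + doc.get("files", []))
    return sorted(i for i, n in counts.items() if n > 1)


def naive_concat(docs, name="merge"):
    """Concatenate packages and relationships as-is; reproduces the duplicate-ID failure."""
    return {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
            "packages": [p for d in docs for p in d["packages"]],
            "relationships": [r for d in docs for r in d["relationships"]]}


def merge(docs, name="merge"):
    """Merge documents: collapse identical packages to one instance, give the rest unique IDs,
    and rewrite every relationship endpoint through the per-document rename map."""
    out = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": name,
           "packages": [], "relationships": []}
    id_by_content = {}            # package_key -> SPDXID already emitted
    used = {"SPDXRef-DOCUMENT"}   # SPDXIDs taken in the merged document
    seen_rel = set()              # (src, type, dst) triples already emitted
    for doc in docs:
        rename = {}               # old SPDXID in this doc -> SPDXID in merged doc
        for pkg in doc["packages"]:
            key = package_key(pkg)
            if key in id_by_content:              # exactly the same package: single instance
                rename[pkg["SPDXID"]] = id_by_content[key]
                continue
            new_id, n = pkg["SPDXID"], 2
            while new_id in used:                 # same ID, different content: suffix it
                new_id = f"{pkg['SPDXID']}-{n}"
                n += 1
            rename[pkg["SPDXID"]] = new_id
            used.add(new_id)
            id_by_content[key] = new_id
            out["packages"].append({**pkg, "SPDXID": new_id})
        for rel in doc["relationships"]:
            src = rename.get(rel["spdxElementId"], rel["spdxElementId"])
            dst = rename.get(rel["relatedSpdxElement"], rel["relatedSpdxElement"])
            triple = (src, rel["relationshipType"], dst)
            if triple in seen_rel:                # relationship already present after renaming
                continue
            seen_rel.add(triple)
            out["relationships"].append({"spdxElementId": src, "relationshipType": triple[1],
                                         "relatedSpdxElement": dst})
    return out


if __name__ == "__main__":
    print("naive merge duplicates:", duplicate_ids(naive_concat([DOC1, DOC2])))
    merged = merge([DOC1, DOC2])
    print("deduplicated merge duplicates:", duplicate_ids(merged))
    print(json.dumps(merged, indent=2))
```

Running it shows the naive concatenation tripping the same uniqueness check the validator reports (both crypto-js and lodash collide), while the merged output keeps one crypto-js, renames the second lodash to SPDXRef-Package-lodash-2, and repoints the DEPENDS_ON edge at the renamed ID.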
@riteshnoronha
Contributor

Yes, I had this implemented for CycloneDX but never ported it over to SPDX. Thanks for calling it out. Fixed here: #84

@riteshnoronha
Contributor

v0.1.4 has been released with this fix.

@vargenau
Contributor Author

@riteshnoronha
Thank you very much.
I now get fully valid SPDX on my real-world example.

@riteshnoronha
Contributor

@vargenau great to hear. 👍
