Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

`merge`-d polyglot SBOM loses dependency graph information

See original GitHub issue

Problem overview

CycloneDX tools vary in their support for dependency graph information. For example, cyclonedx-dotnet@0.19.0 supports it, while cyclonedx-node-module does not due to

When merging SBOMs in a polyglot project, such that one or more SBOMs have dependency graph information, the output should ideally preserve that, but it currently does not.

To demonstrate this, two projects will be created: one .NET (dependency graph supported) and one NPM (no dependency graph). Their SBOMs, when uploaded individually to Dependency Track, correctly reflect the dependency graph information, if present.

The two SBOMs are then merge-d and the output uploaded. The expectation is that the merged SBOM preserves the input files’ dependency graph information, whereas it currently seems to be lost.

Steps to reproduce

Create a simple .NET project and collect its SBOM:

> dotnet --version

> dotnet cyclonedx --version

> mkdir src\csharp && pushd src\csharp

src\csharp> dotnet new console
The template "Console Application" was created successfully.

src\csharp> dotnet add package Serilog.Sinks.File 
info : PackageReference for package 'Serilog.Sinks.File' version '5.0.0' added to file 'src\csharp\csharp.csproj'.
info : Writing assets file to disk. Path: src\csharp\obj\project.assets.json
log  : Restored src\csharp\csharp.csproj (in 67 ms).

src\csharp> dotnet cyclonedx -ns -dgl -o .. csharp.csproj 
» Analyzing: src\csharp\csharp.csproj
  Attempting to restore packages
Retrieving Serilog 2.10.0
Retrieving Serilog.Sinks.File 5.0.0

Creating CycloneDX BOM
Writing to: src\bom.xml

Upload src\bom.xml to Dependency Track v4.3.6, confirming that the dependency graph information of the .NET project is present, as expected:


Next, create a simple NPM project and collect its SBOM:

> npm --version 

> cyclonedx-bom --version

> mkdir src\js && pushd src\js

src\js> npm init -y
Wrote to src\js\package.json

src\js> npm install jquery --save-dev
added 1 package, and audited 2 packages in 1s
found 0 vulnerabilities

src\js> cyclonedx-bom -ns -d -o ..\bom-js.xml .

Upload src\bom-js.xml to Dependency Track; no dependency graph information is present, and this is expected per


Finally, merge the individual files into a polyglot SBOM:

> cyclonedx-win-x64 --version

> cyclonedx-win-x64 merge --input-files src\bom.xml src\bom-js.xml --output-file src\bom-polyglot.xml
Processing input file src\bom.xml
    Contains 2 components
Processing input file src\bom-js.xml
    Contains 1 components
Writing output file...
    Total 3 components

Upload src\bom-polyglot.xml to Dependency Track.

Expected results

The dependency graph information present in the input files (e.g. src\bom.xml) is preserved in a merge-d polyglot SBOM.

Observed results

Three components are present (as expected), however the dependency graph information is lost:


Issue Analytics

  • State:open
  • Created 2 years ago
  • Reactions:1
  • Comments:14 (1 by maintainers)

github_iconTop GitHub Comments

roadSurfercommented, Jan 25, 2023

OK, seems like you got much futher. I’ll try and follow your steps to see if I can make it work.

jimklimovcommented, Jan 25, 2023

Did not check about “full”, but randomly clicked open at least half a dozen levels.

“So all for the loss of one horse-shoe nail…”

Read more comments on GitHub >

github_iconTop Results From Across the Web

Generate an SBOM from the dependency graph
Click "Export SBOM" on a repository's dependency graph to generate an SBOM representing the head of the main branch. The resulting JSON file ......
Read more >
Learning the Basics
Gradle provides tools to visualize and analyze a project's dependency graph (i.e. dependency tree). You can use a Build Scan™ or built-in tasks....
Read more >
2 - Update rails backend to merge and present CycloneDX ...
We need to merge the CycloneDX reports that the Dependency Scanning ... and it can still keep the dependency graph data in the...
Read more >
Type: enum (of string) Specifies the format of the BOM. ... Online NuGet Gallery CycloneDX 0.9.0 merge -d polyglot SBOM loses dependency graph...
Read more >
Composing the Ultimate SBOM - Open Source Blog
The dependency graphs of modern applications greatly demonstrate how we build software today – we focus on our unique innovation and deal with ......
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found