sbomdiff ignores "group" leading to confusing output for NPM components #11

Description

@Edward-Knight

sbomdiff treats two components/packages as the same if their names are the same. This works for many pieces of software, but runs into issues in the NPM ecosystem in particular.


NPM offers two levels of namespacing, an optional user level and the package name itself.

This is often represented in an SBOM by using group and name. For example, https://www.npmjs.com/package/@types/react is represented like so:

{
    "type": "library",
    "group": "@types",
    "name": "react",
    "version": "18.3.28",
    "purl": "pkg:npm/%40types/react@18.3.28",
    "bom-ref": "pkg:npm/%40types/react@18.3.28",
    "description": "TypeScript definitions for react"
}

Although this package is called "react", it's just some type definitions. This is usually written as @types/react. The "proper" react package https://www.npmjs.com/package/react is represented like so:

{
    "type": "library",
    "name": "react",
    "version": "18.3.1",
    "purl": "pkg:npm/react@18.3.1",
    "bom-ref": "pkg:npm/react@18.3.1",
    "description": "React is a JavaScript library for building user interfaces."
}

This has no group as it's a top-level package without using the optional user-level namespace.


sbomdiff doesn't differentiate between these two packages as the name key is the same for both. I found this issue as my project has three components named "react" (@floating-ui/react being the third), and when comparing the output of two different SBOM generators using sbomdiff I get incorrect output like:

[VERSION] react: Version changed from 0.27.7 to 18.3.1

even when no versions have changed. The exact output depends on the ordering of the components in the SBOM.


I recommend sbomdiff uses something like {group}/{name} as a key for packages (or just {name} where group is unset) to help disambiguate these cases. It would be even better if it could detect if the chosen key is unique within the SBOM and either correct and use a unique key or warn about this situation.


Thank you for the tool, I find it really useful! Before I was trying to diff JSON documents and found it very painful 😅
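The keying scheme recommended above, written out as an added example (this is not sbomdiff's own code). The component lists are constructed to mirror the three "react" packages from the issue, with the second SBOM emitting them in reverse order, as a different generator might.

```python
# Constructed CycloneDX component lists: three packages named "react" that differ
# only by group. SBOM_B lists the same components in reverse order, so a
# name-only key silently keeps whichever "react" came last.
SBOM_A = {"components": [
    {"type": "library", "name": "react", "version": "18.3.1",
     "purl": "pkg:npm/react@18.3.1"},
    {"type": "library", "group": "@types", "name": "react", "version": "18.3.28",
     "purl": "pkg:npm/%40types/react@18.3.28"},
    {"type": "library", "group": "@floating-ui", "name": "react", "version": "0.27.7",
     "purl": "pkg:npm/%40floating-ui/react@0.27.7"},
]}
SBOM_B = {"components": list(reversed(SBOM_A["components"]))}


def name_only_key(component):
    """Key a component by name alone (the behaviour the issue reports)."""
    return component["name"]


def group_name_key(component):
    """Key by '{group}/{name}', or just '{name}' when group is unset."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def index_components(sbom, key_fn):
    """Map key -> component. Also return every key seen more than once so the
    caller can warn about a non-unique key instead of overwriting silently."""
    index, duplicates = {}, []
    for comp in sbom.get("components", []):
        key = key_fn(comp)
        if key in index:
            duplicates.append(key)
        index[key] = comp
    return index, duplicates


def diff_versions(sbom_a, sbom_b, key_fn=group_name_key):
    """Return [(key, old_version, new_version)] for components present in
    both SBOMs whose version differs under the chosen key."""
    index_a, _ = index_components(sbom_a, key_fn)
    index_b, _ = index_components(sbom_b, key_fn)
    changes = []
    for key in sorted(set(index_a) & set(index_b)):
        old, new = index_a[key]["version"], index_b[key]["version"]
        if old != new:
            changes.append((key, old, new))
    return changes


if __name__ == "__main__":
    print(diff_versions(SBOM_A, SBOM_B, key_fn=name_only_key))  # spurious change
    print(index_components(SBOM_A, name_only_key)[1])           # colliding keys
    print(diff_versions(SBOM_A, SBOM_B))                        # group-aware: []
```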

Labels: enhancement (New feature or request)
