BUG: SBOM import fails with "The 'for_package' cannot be the same as 'resolved_to_package'" and duplicates number of dependencies #257
Labels: bug (Something isn't working), design needed (Design details needed to complete the issue), enhancement (New feature or request)
Describe the bug
When importing a particular SBOM created with cdxgen, the load_sbom pipeline succeeds according to ScanCode.io, but DejaCode reports issues importing the dependencies. The error message states: The 'for_package' cannot be the same as 'resolved_to_package'
Repeating the SBOM import causes an additional issue. DejaCode duplicates the number of dependencies, apparently not realizing that these are the same dependencies that have been previously added.
Note: This is the same SBOM as aboutcode-org/scancode.io#1576 where ScanCode reported issues with create_dependecies but the overall pipeline is considered a success.
To Reproduce
Not clear yet. Cannot share actual data at the moment. I will see if an MWE can be provided.
If the error provides indication what I should look out for in the SBOM, I might be able to find it quicker.
Expected behavior
The SBOM should be properly loaded and no duplicate dependency entries should be added.
Screenshots
Context (OS, Browser, Device, etc.):
n.a.
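A pre-import check a maintainer could run over a CycloneDX SBOM to locate the kind of entries this report describes. This is an added example, not DejaCode or ScanCode.io code; it assumes that the "'for_package' cannot be the same as 'resolved_to_package'" error corresponds to a `dependencies` entry whose `dependsOn` list contains its own `ref`, and it also flags duplicated edges, duplicated `ref` entries and refs that point at no declared component. The SBOM below is constructed, not the reporter's data.

```python
"""Lint a CycloneDX JSON SBOM for dependency edges that point back at their own
package, duplicated edges/entries, and dangling refs.

Added example, not DejaCode/ScanCode.io code.  Assumption: DejaCode's
"'for_package' cannot be the same as 'resolved_to_package'" error maps to a
`dependencies` entry whose `dependsOn` list contains its own `ref`.
"""
import json
from collections import Counter

# Constructed sample in CycloneDX JSON shape (not the reporter's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:npm/a@1.0.0", "name": "a", "version": "1.0.0"},
        {"bom-ref": "pkg:npm/b@2.0.0", "name": "b", "version": "2.0.0"},
    ],
    "dependencies": [
        # "a" depends on itself: the self-referential edge being hunted for.
        {"ref": "pkg:npm/a@1.0.0", "dependsOn": ["pkg:npm/b@2.0.0", "pkg:npm/a@1.0.0"]},
        # "b" is declared twice and points at a component that is not listed.
        {"ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@3.0.0"]},
        {"ref": "pkg:npm/b@2.0.0", "dependsOn": ["pkg:npm/c@3.0.0"]},
    ],
})


def lint_dependencies(sbom_text: str) -> dict:
    """Return self-referential edges, duplicated edges/entries and dangling refs."""
    sbom = json.loads(sbom_text)
    known_refs = {c.get("bom-ref") for c in sbom.get("components", [])}
    root = sbom.get("metadata", {}).get("component", {})
    if root.get("bom-ref"):
        known_refs.add(root["bom-ref"])
    entries = sbom.get("dependencies", [])
    edges = [(e["ref"], dst) for e in entries for dst in e.get("dependsOn", [])]
    edge_counts, ref_counts = Counter(edges), Counter(e["ref"] for e in entries)
    return {
        "self_refs": sorted({src for src, dst in edges if src == dst}),
        "duplicate_edges": sorted(e for e, n in edge_counts.items() if n > 1),
        "duplicate_entries": sorted(r for r, n in ref_counts.items() if n > 1),
        "dangling": sorted({dst for _, dst in edges if dst not in known_refs}),
    }


if __name__ == "__main__":
    for key, values in lint_dependencies(SAMPLE_SBOM).items():
        print(f"{key}: {values}")
```

Run it against the real file by replacing SAMPLE_SBOM with the contents of the exported SBOM; a non-empty self_refs list is the first thing to check before re-running the import.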