
fix(sbom): escape dots in spdx ids to avoid component collisions#9704

Open

ubeddulla wants to merge 1 commit into npm:latest from ubeddulla:sbom-spdx-id-collision

Conversation

@ubeddulla

Contributor

toSpdxID strips a scoped package's leading @ and turns / into ., so @a/b and an unscoped a.b both produce SPDXRef-Package-a.b-1.0.0. spdxOutput dedupes components by that identifier, so two distinct installed packages collapse into one and a real component silently disappears from the generated SBOM, which can hide a dependency from anything that audits the SBOM. Escaping literal dots before the slash mapping keeps the identifiers distinct; CycloneDX already records the full name@version and isn't affected.

@ubeddulla ubeddulla requested review from a team as code owners June 30, 2026 10:42
