Remove components with empty names or duplicate entries from Trivy CycloneDX SBOMs
Why are we doing this work
Trivy 0.51.0 can produce SBOMs with duplicate component entries or components with empty names.
In both situations, this breaks SBOM ingestion because every component must:
- Be unique
- Have a non-empty name
To work around the current limitation, we should filter out non-unique components and any components with an empty name.
Relevant links
- Discussion on non-unique components
- Discussion on components with empty names
- Relates to Investigate empty component names generated by ... (#461094 - closed) • Oscar Tovar • 17.2
Implementation plan
TODO
Verification steps
- Build container-scanning image with version 0.51.0 or 0.51.1 of Trivy
- Run a scan on golang:1.22 and inspect the resulting SBOM. There should not be any components with an empty name, or duplicate stdlib components. Uniqueness is dependent on the Trivy type, name, and version.
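A stand-alone filter for the workaround described above and the uniqueness rule in the verification steps (drop nameless components, then deduplicate by Trivy type, name and version), added here as an illustration and not the analyzer's own code. It assumes Trivy records the package type in the aquasecurity:trivy:PkgType component property; the sample SBOM is constructed.

```python
import json

# Assumption: Trivy records its package type under this CycloneDX property name.
TRIVY_PKG_TYPE = "aquasecurity:trivy:PkgType"


def trivy_pkg_type(component: dict) -> str:
    """Return the component's Trivy package type, or "" if it has none."""
    for prop in component.get("properties") or []:
        if prop.get("name") == TRIVY_PKG_TYPE:
            return prop.get("value") or ""
    return ""


def filter_components(components: list) -> list:
    """Drop components with a missing or empty name, then keep only the first
    occurrence of each (Trivy type, name, version) triple, preserving order."""
    seen, kept = set(), []
    for comp in components:
        name = comp.get("name") or ""
        if not name.strip():
            continue
        key = (trivy_pkg_type(comp), name, comp.get("version") or "")
        if key not in seen:
            seen.add(key)
            kept.append(comp)
    return kept


def filter_sbom(raw: str) -> str:
    """Filter the "components" array of a CycloneDX JSON document; every other
    field of the document is passed through unchanged."""
    bom = json.loads(raw)
    bom["components"] = filter_components(bom.get("components") or [])
    return json.dumps(bom, indent=2)


# Constructed sample in the shape of the Trivy 0.51 output described in the
# issue: a duplicated stdlib entry and a component with an empty name.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "stdlib", "version": "1.22.0",
         "properties": [{"name": TRIVY_PKG_TYPE, "value": "gobinary"}]},
        {"type": "library", "name": "stdlib", "version": "1.22.0",
         "properties": [{"name": TRIVY_PKG_TYPE, "value": "gobinary"}]},
        {"type": "library", "name": "", "version": "1.22.0",
         "properties": [{"name": TRIVY_PKG_TYPE, "value": "gobinary"}]},
    ],
})
```

Running filter_sbom(SAMPLE_SBOM) leaves a single stdlib component and no nameless ones; two entries that share name and version but carry different Trivy types are kept as distinct components.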
Edited by Oscar Tovar