
fix(sbom): escape dots in spdx ids to avoid component collisions#9704

Open

ubeddulla wants to merge 1 commit into npm:latest from ubeddulla:sbom-spdx-id-collision

Conversation

@ubeddulla

Contributor

toSpdxID strips a scoped package's leading @ and turns / into ., so @a/b and an unscoped a.b both produce SPDXRef-Package-a.b-1.0.0. spdxOutput dedupes components by that identifier, so two distinct installed packages collapse into one and a real component silently disappears from the generated SBOM, which can hide a dependency from anything that audits the SBOM. Escaping literal dots before the slash mapping keeps the identifiers distinct; CycloneDX already records the full name@version and isn't affected.

@ubeddulla ubeddulla requested review from a team as code owners June 30, 2026 10:42
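The collision the PR describes, reproduced as an added example (editor's own code, not npm's source and not the PR's diff). `toSpdxIdLegacy` is a reconstruction of the behaviour the description gives (strip the leading `@`, map `/` to `.`); the escape scheme in `escapeName` is an assumption chosen here because it is injective over the characters SPDX allows, and may differ from what the PR actually implements. `findSpdxIdCollisions` is the check a reviewer would want: run it over the nodes that will be emitted and confirm no identifier is claimed by two distinct packages. The sample package list is constructed.

```javascript
// Added example, not npm's code: reproduce the SPDX ID collision and show
// an escaping scheme plus a collision check over the packages to be emitted.

// SPDX 2.x idstring grammar: "SPDXRef-" followed by letters, digits, "." and "-".
const SPDX_ID_RE = /^SPDXRef-[A-Za-z0-9.-]+$/;

// Reconstruction of the behaviour described in the PR (assumed, not npm's
// actual source): strip a scoped package's leading "@" and turn "/" into ".".
// "@a/b" and "a.b" therefore map to the same identifier.
function toSpdxIdLegacy(node) {
  const name = node.packageName.replace(/^@/, '').replace(/\//g, '.');
  return `SPDXRef-Package-${name}-${node.version}`;
}

// Assumed escape scheme (chosen for this example, not necessarily the PR's):
// "-" doubles to "--", a literal "." becomes "-.", and "/" becomes ".".
// Hyphens are escaped first so the "-." introduced for dots is never
// re-escaped. The encoding is prefix-free, so each encoded name decodes to
// exactly one package name and distinct names cannot share an ID.
function escapeName(packageName) {
  return packageName
    .replace(/^@/, '')
    .replace(/-/g, '--')
    .replace(/\./g, '-.')
    .replace(/\//g, '.');
}

// Version is appended as-is, as in the PR's example. A version carrying
// "+build" metadata would violate the SPDX grammar, so the result is checked.
function toSpdxIdEscaped(node) {
  const id = `SPDXRef-Package-${escapeName(node.packageName)}-${node.version}`;
  if (!SPDX_ID_RE.test(id)) {
    throw new Error(`generated SPDX id is not a valid idstring: ${id}`);
  }
  return id;
}

// Check: group the packages by the identifier a given mapping produces and
// report every identifier that more than one distinct package would claim.
// An SBOM writer that dedupes by identifier would silently drop all but one.
function findSpdxIdCollisions(nodes, toId) {
  const byId = new Map();
  for (const node of nodes) {
    const id = toId(node);
    if (!byId.has(id)) byId.set(id, []);
    byId.get(id).push(`${node.packageName}@${node.version}`);
  }
  return [...byId]
    .filter(([, pkgs]) => pkgs.length > 1)
    .map(([id, pkgs]) => ({ id, packages: pkgs }));
}

// Constructed sample of installed packages (not taken from a real tree).
const SAMPLE_NODES = [
  { packageName: '@a/b', version: '1.0.0' },
  { packageName: 'a.b', version: '1.0.0' },
  { packageName: 'left-pad', version: '1.3.0' },
];

function demo() {
  return {
    legacyCollisions: findSpdxIdCollisions(SAMPLE_NODES, toSpdxIdLegacy),
    escapedCollisions: findSpdxIdCollisions(SAMPLE_NODES, toSpdxIdEscaped),
    escapedIds: SAMPLE_NODES.map(toSpdxIdEscaped),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the legacy mapping collapsing `@a/b@1.0.0` and `a.b@1.0.0` onto `SPDXRef-Package-a.b-1.0.0`, while the escaped mapping keeps them as `SPDXRef-Package-a.b-1.0.0` and `SPDXRef-Package-a-.b-1.0.0` with no collisions. The grammar check in `toSpdxIdEscaped` is the second thing worth keeping: any escape scheme must stay inside `[A-Za-z0-9.-]` or the SBOM is invalid rather than merely incomplete.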
