Handle invalid SBOMs with duplicate components

twwd · twwd · commit 911db6eec691 · 2025-04-04T14:32:40.000+02:00
diff --git a/src/lib/transformations/graph.ts b/src/lib/transformations/graph.ts
@@ -32,8 +32,15 @@ function addEdges(graph: Graph, dependencies: Dependency[] | undefined): void {
 }
 
 function addRoot(graph: Graph, component: Component | undefined): void {
-	if (component) {
-		graph.addNode(component['bom-ref'], { label: component.name });
+	if (component && component['bom-ref']) {
+		const ref = component['bom-ref'];
+		if (!graph.hasNode(ref)) {
+			graph.addNode(component['bom-ref'], { label: component.name });
+		} else {
+			console.warn(
+				`Component with duplicate bom-ref ${ref} detected. This is not a valid CycloneDX BOM.`
+			);
+		}
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -32,8 +32,15 @@ function addEdges(graph: Graph, dependencies: Dependency[] \| undefined): void {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`function addRoot(graph: Graph, component: Component \| undefined): void {`
`35`		`- if (component) {`
`36`		`- graph.addNode(component['bom-ref'], { label: component.name });`
	`35`	`+ if (component && component['bom-ref']) {`
	`36`	`+ const ref = component['bom-ref'];`
	`37`	`+ if (!graph.hasNode(ref)) {`
	`38`	`+ graph.addNode(component['bom-ref'], { label: component.name });`
	`39`	`+ } else {`
	`40`	`+ console.warn(`
	`41`	+ `Component with duplicate bom-ref ${ref} detected. This is not a valid CycloneDX BOM.`
	`42`	`+ );`
	`43`	`+ }`
`37`	`44`	`}`
`38`	`45`	`}`
`39`	`46`