Slightly confused by Components #3013

ginwakeup · 2023-09-06T03:21:59Z

ginwakeup
Sep 6, 2023

Hi,

just trying Dependency Track around, but I am a bit confused on how Components work.

I created 2 project Applications and 1 project Library:

The project Library is the python library requests pulled from their GH repository: https://github.com/psf/requests

I've used cyclonedx-bom for Python to generate a SBOM and then I've uploaded it in the requests lib components section:

Now switched to App and App2. For each, I created a Virtual Environment, installed cyclonedx-bom, pip installed requests, generated a SBOM and uploaded it in the same way.

All the components show correctly, but I have a doubt.
Why do requests show 3 times? It's the same version for both Apps, still Dep Track added it for each of them.

If I run a search, this is visible:

Here's one app SBOM file:

<?xml version="1.0" encoding="UTF-8"?>
<bom
	xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:f8fa013c-b527-4ce6-84bf-10e0a60518ba">
	<metadata>
		<timestamp>2023-09-06T03:01:50.534424+00:00</timestamp>
		<tools>
			<tool>
				<vendor>CycloneDX</vendor>
				<name>cyclonedx-bom</name>
				<version>3.11.2</version>
			</tool>
			<tool>
				<vendor>CycloneDX</vendor>
				<name>cyclonedx-python-lib</name>
				<version>3.1.5</version>
				<externalReferences>
					<reference type="build-system">
						<url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
					</reference>
					<reference type="distribution">
						<url>https://pypi.org/project/cyclonedx-python-lib/</url>
					</reference>
					<reference type="documentation">
						<url>https://cyclonedx.github.io/cyclonedx-python-lib/</url>
					</reference>
					<reference type="issue-tracker">
						<url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
					</reference>
					<reference type="license">
						<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
					</reference>
					<reference type="release-notes">
						<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
					</reference>
					<reference type="vcs">
						<url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
					</reference>
					<reference type="website">
						<url>https://cyclonedx.org</url>
					</reference>
				</externalReferences>
			</tool>
		</tools>
	</metadata>
	<components>
		<component type="library" bom-ref="f3dbf022-0f65-421f-a8e8-04893c3dfaa7">
			<author>Kenneth Reitz</author>
			<name>certifi</name>
			<version>2023.7.22</version>
			<licenses>
				<license>
					<name>MPL-2.0</name>
				</license>
				<license>
					<name>Mozilla Public License 2.0 (MPL 2.0)</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="8f489500-7608-4658-921b-f3ec82b42e5d">
			<author>Ahmed TAHRI</author>
			<name>charset-normalizer</name>
			<version>3.2.0</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="2722cae3-5e6f-44a7-9c59-73a7f0a46840">
			<author>Steven Springett</author>
			<name>cyclonedx-bom</name>
			<version>3.11.2</version>
			<licenses>
				<license>
					<name>Apache Software License</name>
				</license>
				<license>
					<name>Apache-2.0</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="7059a956-4796-4419-89aa-2425c1fe0e24">
			<author>Paul Horton</author>
			<name>cyclonedx-python-lib</name>
			<version>3.1.5</version>
			<licenses>
				<license>
					<name>Apache Software License</name>
				</license>
				<license>
					<name>Apache-2.0</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="60352533-51b9-465d-b370-2458b267740c">
			<author>David Goodger</author>
			<name>docutils</name>
			<version>0.20.1</version>
			<licenses>
				<license>
					<name>BSD License</name>
				</license>
				<license>
					<name>GNU General Public License (GPL)</name>
				</license>
				<license>
					<name>Public Domain</name>
				</license>
				<license>
					<name>Python Software Foundation License</name>
				</license>
				<license>
					<name>public domain, Python, 2-Clause BSD, GPL 3 (see COPYING.txt)</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="b2f6bde9-c85d-4abf-83e4-be5d554e6850">
			<name>flit</name>
			<version>3.9.0</version>
			<licenses>
				<license>
					<name>BSD License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="600f02ce-02e4-47d5-9e67-ae4f46a86ca6">
			<name>flit-core</name>
			<version>3.9.0</version>
			<licenses>
				<license>
					<name>BSD License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="6b6194ea-3186-437f-9e27-35f532b8d2d5">
			<name>idna</name>
			<version>3.4</version>
			<licenses>
				<license>
					<name>BSD License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="6a835134-4c57-44b0-80bc-5fbfdab93ae2">
			<author>Travis E. Oliphant et al.</author>
			<name>numpy</name>
			<version>1.25.2</version>
			<licenses>
				<license>
					<name>BSD License</name>
				</license>
				<license>
					<name>BSD-3-Clause</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="231413bb-21d1-4dc1-9c1e-f94de23f5fb3">
			<author>the purl authors</author>
			<name>packageurl-python</name>
			<version>0.11.2</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="04260771-e253-468b-b559-9a7a559f2a1d">
			<name>packaging</name>
			<version>23.1</version>
			<licenses>
				<license>
					<name>Apache Software License</name>
				</license>
				<license>
					<name>BSD License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="bb804cde-b765-4b33-82ff-67d37ee05228">
			<author>The pip developers</author>
			<name>pip</name>
			<version>22.3.1</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="30d4a66b-9221-4f14-9e89-3e7c001329ac">
			<author>The pip authors, nexB. Inc. and others</author>
			<name>pip-requirements-parser</name>
			<version>32.0.1</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="67a15cf5-bb74-41dd-ba1c-306be5ed0af3">
			<name>pyparsing</name>
			<version>3.1.1</version>
			<licenses>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="f08f53c9-420f-453f-9045-34a875ffa1a1">
			<author>Kenneth Reitz</author>
			<name>requests</name>
			<version>2.31.0</version>
			<licenses>
				<license>
					<name>Apache 2.0</name>
				</license>
				<license>
					<name>Apache Software License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="361a0bcc-96ef-4aa4-87e1-c2b882d5a18d">
			<author>Python Packaging Authority</author>
			<name>setuptools</name>
			<version>65.5.1</version>
			<licenses>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="e809eae7-ce02-400e-81fa-95981b787423">
			<author>Grant Jenks</author>
			<name>sortedcontainers</name>
			<version>2.4.0</version>
			<licenses>
				<license>
					<name>Apache 2.0</name>
				</license>
				<license>
					<name>Apache Software License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="d74de657-0f9f-466a-a31f-2bc8f5da66fc">
			<author>William Pearson</author>
			<name>toml</name>
			<version>0.10.2</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="20a43e87-1b99-494c-ad7b-90463983ba4f">
			<name>tomli-w</name>
			<version>1.0.0</version>
			<licenses>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="7bcddf7d-0b87-4887-9817-f44ccab78608">
			<name>urllib3</name>
			<version>2.0.4</version>
			<licenses>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
		<component type="library" bom-ref="92059c0f-0221-4a21-9dd7-07f062a66d47">
			<author>Daniel Holth</author>
			<name>wheel</name>
			<version>0.38.4</version>
			<licenses>
				<license>
					<name>MIT</name>
				</license>
				<license>
					<name>MIT License</name>
				</license>
			</licenses>
			<purl>pkg:pypi/[email protected]</purl>
		</component>
	</components>
	<dependencies>
		<dependency ref="f3dbf022-0f65-421f-a8e8-04893c3dfaa7" />
		<dependency ref="8f489500-7608-4658-921b-f3ec82b42e5d" />
		<dependency ref="2722cae3-5e6f-44a7-9c59-73a7f0a46840" />
		<dependency ref="7059a956-4796-4419-89aa-2425c1fe0e24" />
		<dependency ref="60352533-51b9-465d-b370-2458b267740c" />
		<dependency ref="b2f6bde9-c85d-4abf-83e4-be5d554e6850" />
		<dependency ref="600f02ce-02e4-47d5-9e67-ae4f46a86ca6" />
		<dependency ref="6b6194ea-3186-437f-9e27-35f532b8d2d5" />
		<dependency ref="6a835134-4c57-44b0-80bc-5fbfdab93ae2" />
		<dependency ref="231413bb-21d1-4dc1-9c1e-f94de23f5fb3" />
		<dependency ref="04260771-e253-468b-b559-9a7a559f2a1d" />
		<dependency ref="bb804cde-b765-4b33-82ff-67d37ee05228" />
		<dependency ref="30d4a66b-9221-4f14-9e89-3e7c001329ac" />
		<dependency ref="67a15cf5-bb74-41dd-ba1c-306be5ed0af3" />
		<dependency ref="f08f53c9-420f-453f-9045-34a875ffa1a1" />
		<dependency ref="361a0bcc-96ef-4aa4-87e1-c2b882d5a18d" />
		<dependency ref="e809eae7-ce02-400e-81fa-95981b787423" />
		<dependency ref="d74de657-0f9f-466a-a31f-2bc8f5da66fc" />
		<dependency ref="20a43e87-1b99-494c-ad7b-90463983ba4f" />
		<dependency ref="7bcddf7d-0b87-4887-9817-f44ccab78608" />
		<dependency ref="92059c0f-0221-4a21-9dd7-07f062a66d47" />
	</dependencies>
</bom>

Shouldn't there be only one requests library component which is linked to multiple Project Apps? Or am I missing how this works?
I would understand if one Component per version would be created, but why are there multiple for the same version?

Thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Slightly confused by Components #3013

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 0 comments

Select a reply

Slightly confused by Components #3013

ginwakeup Sep 6, 2023

Replies: 0 comments

ginwakeup
Sep 6, 2023