I would like the CycloneDX components to be sorted by bom-ref

[trevor-vaughan]

Description

When attempting to do a few simple checks in a CI pipeline, I needed to diff a CycloneDX JSON file between a new and old commit.

I discovered that a simple diff (ignoring timestamp and global UUID changes) would not work since the components are not sorted consistently at each run.

While this is straightforward to work around, it would be great to have sorted output for quick checks.

Target

Filesystem

Scanner

None

[knqyf263]

Interesting. We do sort components. Could you try the latest version?

trivy/pkg/sbom/cyclonedx/core/cyclonedx.go

Lines 206 to 208 in 7d48c5d

	sort.Slice(components, func(i, j int) bool {
	return components[i].BOMRef < components[j].BOMRef
	})

[knqyf263]

It is not a sorting issue. BOM-Ref is UUID, which cannot be consistent.

[trevor-vaughan]

@knqyf263 Ah, yes. Apparently reading is hard 🤦.

Appreciate the second set of eyes.

[trevor-vaughan]

Actually, wait. Why is bom-ref a UUID?

I get that it needs to be unique, but wouldn't it be better to make it a hash of the target if possible so that you could determine at a later date if the read artifact differs?

[trevor-vaughan]

Eh, I guess that would be more of a "convenience" feature than anything. Going ahead and closing the discussion as outdated.

[knqyf263]

I have no idea why they chose UUID.

The only requirement for bom-ref is that it is unique within the BOM. Package URL (PURL) is an ideal choice for bom-ref as it will be both unique and readable. If PURL is not an option or not all components represented in the BOM contain a PURL, then UUID is recommended.

https://cyclonedx.org/use-cases/#dependency-graph

You can propose your idea to CycloneDX.