Erroneous Validation ("duplicate component-references")

[ccwienk]

What happened

component-cli:v0.47.0 erroneously claimed that a Component-Descriptor w/ multiple component-references of same name, and to same component (of pairwise different versions, of course) contained duplicate component-references.

Since there seems to be no option to shortcut valiation, errors, I had to create a hotfix version v.0.48.0 of component-cli that shortcut removed the erroneous validation.

What you expected to happen

No validation error should have happened, as the component-descriptor was / is correct according to OCM (fka CNUDIE) spec v2.

Note that this behaviour was shown upon resolving the transitive closure of component references. Thus, the - supposedly - invalid component-descriptor was already released; so was a component-descriptor referencing it.

If at all, such strict validation ought to be done prior to releasing. Not when consuming something that was already released (unless fatally broken, e.g. having a syntax-error).

How to reproduce it (as minimally and precisely as possible)

Add references to two or more versions of the same component to the same component-descriptor (using the same reference-name, not adding extra-id-attibutes. Use component-cli to validate it (I "tested" this using the component-cli component-archive signatures verify command. However, I assume validation should also be done if using different commands.

[In-Ko]

Hey @enrico-kaack-comp , just assigned you to this task, as a second stakeholder now faced this issue. So this issue should be looked into rather soon, and see if we should fix something or not do this verification at all.