Merging SBOMs with overlap in their dependencies results in duplicates

[RuudMeeuwsen]

I generated SBOMs for a frontend and a backend application container image.
Dependencies that exist in both images have the same SPDXID assigned by the tool in each SBOM file.
As I would like to have a single SBOM, I tried to merge these SBOM files using the deep merge feature.
This results in the new SBOM file containing two instances of these dependencies with the same SPDXID.
Should duplicate entries not have been mergen into a single unique entry?

[Potafe]

Thanks for raising this!

Yes, for SBOM files that you intend to merge, each document must use unique SPDXIDs, even if the underlying component metadata is identical. While the component information may match, the SPDXID values themselves serve as unique identifiers within a single SBOM.

The current deep‑merge behavior works through a straightforward concatenation mechanism. That means it simply appends all components from both SBOMs into the output file. Because of this, if both input SBOMs contain components with the same SPDXID, the merged result will include duplicate entries with identical SPDXIDs, exactly as you observed.

To avoid this, the upstream SBOMs should assign distinct SPDXIDs before merging. Once unique IDs are present, the merge process will work as expected without creating conflicts.

Hope this clarifies things.