This is an automated email from the ASF dual-hosted git repository. asf-gitbox-commits pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git
commit 7584d45063e32b840c8310f9a757675a06668847
Author: Stefan Bodewig <[email protected]>
AuthorDate: Sat May 23 13:32:35 2026 +0200
component bom-refs must be unique
---
 docs/componentbom.html | 4 +++-
 .../org/apache/ant/cyclonedx/ComponentBomTask.java | 4 +++-
 src/tests/antunit/component-test.xml | 20 ++++++++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/docs/componentbom.html b/docs/componentbom.html
index df80141..a292e38 100644
--- a/docs/componentbom.html
+++ b/docs/componentbom.html
@@ -39,7 +39,9 @@ <h2 id="componentbom">componentbom Task</h2>
 task.</p>
 <p>It is an error if any component specifies a dependency on a
- component that is not part of the generated SBOM.</p>
+ component that is not part of the generated SBOM. The bom-refs
+ of the all components inside the same SBOM file must be
+ unique.</p>
 <h3>Attributes</h3>
diff --git a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
index 4c2dacd..62443c3 100644
--- a/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
+++ b/src/main/org/apache/ant/cyclonedx/ComponentBomTask.java
@@ -311,7 +311,9 @@ public class ComponentBomTask extends Task {
 visitAllBomComponents(bom, c -> {
 String bomRef = c.getBomRef();
 if (bomRef != null) {
- bomRefs.add(bomRef);
+ if (!bomRefs.add(bomRef)) {
+ throw new BuildException("BOM contains multiple components with bom-ref " + bomRef);
+ }
 }
 });
diff --git a/src/tests/antunit/component-test.xml b/src/tests/antunit/component-test.xml
index a082ae6..d6e62b3 100644
--- a/src/tests/antunit/component-test.xml
+++ b/src/tests/antunit/component-test.xml
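Review bot: The uniqueness check added inside the `visitAllBomComponents` callback in ComponentBomTask.java only sees component bom-refs, while CycloneDX requires a bom-ref to be unique across the whole BOM, because dependency entries and vulnerability/VEX statements resolve their targets by it. If this task can emit other referenceable elements (services, for example; not visible in this hunk), they should feed the same `bomRefs` set so a collision there fails the build as well. The nested condition can also be flattened to `if (bomRef != null && !bomRefs.add(bomRef)) {`. The enclosing method starts and ends outside the hunk.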
@@ -43,6 +43,26 @@
 </au:expectfailure>
 </target>
+ <target name="testComponentBomRefsMustBeUnique">
+ <au:expectfailure expectedMessage="BOM contains multiple components with bom-ref 1"
+ xmlns:au="antlib:org.apache.ant.antunit">
+ <cdx:componentbom outputdirectory="${output}" format="xml"
+ xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+ <component name="c1" bomref="1"/>
+ <additionalComponent name="c2" bomref="1"/>
+ </cdx:componentbom>
+ </au:expectfailure>
+ <au:expectfailure expectedMessage="BOM contains multiple components with bom-ref 1"
+ xmlns:au="antlib:org.apache.ant.antunit">
+ <cdx:componentbom outputdirectory="${output}" format="xml"
+ xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+ <component name="c1" bomref="1">
+ <component name="c2" bomref="1"/>
+ </component>
+ </cdx:componentbom>
+ </au:expectfailure>
+ </target>
+
 <target name="testMinimalComponentData">
 <cdx:componentbom outputdirectory="${output}" format="xml"
 xmlns:cdx="antlib:org.apache.ant.cyclonedx">
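Review bot: Both `au:expectfailure` cases in `testComponentBomRefsMustBeUnique` check only the exception message, so they would still pass if the task wrote an SBOM with duplicate bom-refs into `${output}` before failing. Whether validation runs before serialization is not visible from this hunk; if it is meant to, an `au:assertFileDoesntExist` on the expected output file after each block would pin that down. A third case with two sibling `additionalComponent` elements sharing a bom-ref would cover the remaining collision shape.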
