CycloneDX · prabhu · Feb 14, 2025 · Feb 13, 2025 · Feb 13, 2025 · Feb 13, 2025
@@ -307,6 +307,11 @@ jobs:
           repository: 'caddyserver/caddy'
           path: 'repotests/caddy'
           ref: 'v2.9.1'
+      - uses: actions/checkout@v4
+        with:
+          repository: 'MaibornWolff/SecObserve'
+          path: 'repotests/SecObserve'
+          ref: 'v1.28.0'
       - uses: dtolnay/rust-toolchain@stable
       - name: setup sdkman
         run: |
@@ -531,13 +536,14 @@ jobs:
         shell: bash
       - name: repotests blint
         run: |
-          bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json
+          bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint.json --fail-on-error
           bin/cdxgen.js -p -t python repotests/blint -o bomresults/bom-blint-deep.json --deep
           bin/cdxgen.js -p -t java repotests/broken-mvn-wrapper -o bomresults/bom-broken-mvn-wrapper.json
         shell: bash
       - name: repotests expo
         run: |
           cd repotests/expo-test && npm ci && cd ../..
+          java --version
           GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root                               bin/cdxgen.js -p -t gradle        repotests/expo-test -o bomresults/bom-expo.json
           GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle        repotests/expo-test -o bomresults/bom-expo-npm.json
           GRADLE_ARGS_DEPENDENCIES="--configuration releaseRuntimeClasspath" GRADLE_SKIP_MODULES=root GRADLE_RESOLVE_FROM_NODE=true bin/cdxgen.js -p -t gradle -t npm repotests/expo-test -o bomresults/bom-expo-multi.json
@@ -548,6 +554,10 @@ jobs:
           GRADLE_INCLUDED_BUILDS=:build-conventions,:build-tools,:build-tools-internal bin/cdxgen.js -t gradle repotests/elasticsearch -o bomresults/bom-elasticsearch-with-included-builds.json
           custom-json-diff -i bomresults/bom-elasticsearch.json bomresults/bom-elasticsearch-with-included-builds.json -o bomresults/diff-elasticsearch preset-diff
         shell: bash
+      - name: repotests SecObserve
+        run: |
+          bin/cdxgen.js repotests/SecObserve -o bomresults/bom-SecObserve.json --fail-on-error
+        shell: bash
       - name: jenkins plugins
         run: |
           mkdir -p jenkins

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.1.7",
+  "version": "11.1.8",
   "exports": "./lib/cli/index.js",
   "compilerOptions": {
     "lib": ["deno.window"],

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.1.7",
+  "version": "11.1.8",
   "exports": "./lib/cli/index.js",
   "include": ["*.js", "lib/**", "bin/**", "data/**", "types/**"],
   "exclude": [

@@ -6724,7 +6724,10 @@ export async function createMultiXBom(pathList, options) {
       parentDependencies["dependsOn"] = [];
     }
     for (const parentSub of parentSubComponents) {
-      parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
+      // Issue: 1622. We might have already captured this parent component dependency
+      if (!parentDependencies["dependsOn"].includes(parentSub["bom-ref"])) {
+        parentDependencies["dependsOn"].push(parentSub["bom-ref"]);
+      }
     }
   }
   // some cleanup, but not complete

@@ -243,11 +243,34 @@ export const validateRefs = (bomJson) => {
       if (!refMap[dep.ref]) {
         warningsList.push(`Invalid ref in dependencies ${dep.ref}`);
       }
+      let parentPurlType;
+      try {
+        const purlObj = PackageURL.fromString(dep.ref);
+        parentPurlType = purlObj.type;
+      } catch (e) {
+        // pass
+      }
       if (dep.dependsOn) {
         for (const don of dep.dependsOn) {
           if (!refMap[don]) {
             warningsList.push(`Invalid ref in dependencies.dependsOn ${don}`);
           }
+          let childPurlType;
+          try {
+            const purlObj = PackageURL.fromString(don);
+            childPurlType = purlObj.type;
+          } catch (e) {
+            // pass
+          }
+          if (
+            parentPurlType &&
+            childPurlType &&
+            parentPurlType !== childPurlType
+          ) {
+            warningsList.push(
+              `The parent package '${dep.ref}' (type ${parentPurlType}) depends on the child package '${don}' (type ${childPurlType}). This is a bug in cdxgen if this project is not a monorepo.`,
+            );
+          }
         }
       }
       if (dep.provides) {

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cdxgen",
-  "version": "11.1.7",
+  "version": "11.1.8",
   "description": "Creates CycloneDX Software Bill of Materials (SBOM) from source or container image",
   "homepage": "http://github.com/cyclonedx/cdxgen",
   "author": "Prabhu Subramanian <prabhu@appthreat.com>",