
fix(merge): preserve dependency graphs so the merged BOM stays conformant#164

Merged: haksungjang merged 1 commit into main from fix/merge-preserve-dependencies on Jun 17, 2026

Conversation

@haksungjang

Member

Problem

--merge dropped the per-layer dependencies tree, so the merged server BOM ended up with 0 dependency edges and failed the mandatory transitive (transitive dependencies) item of validate-sbom.sh (= the conformance validation SKT runs). The per-layer SBOMs pass, but the merged single BOM that DT/TRUSCA requires fails, so merging loses its meaning.

Fix

When merging, also merge each layer's dependency graph (collect .dependencies per input → union edges by ref, using ARG_MAX-safe temp files). Since the ecosystems differ, bom-ref collisions are rare; for identical refs, dependsOn is merged.

Verification (measured)

End-to-end with an overlay image: real UBI9 rootfs OS layer (326 edges) + app layer (3 edges) → merged 329 edges, validate-sbom.sh result=pass (all 7 mandatory items; previously transitive=fail). Also updated the wording 'merging drops dependencies' in the server-delivery guide.

…mant

--merge dropped the per-layer `dependencies` trees, so a merged server
BOM had zero dependency edges and failed the mandatory "transitive
dependencies" check in validate-sbom.sh — the same check SKT runs. The
per-layer SBOMs passed, but the merged single BOM that DT/TRUSCA expects
did not, which defeated the point of merging.

Merge the per-layer dependency graphs too: collect each input's
`.dependencies`, union edges by ref (ARG_MAX-safe temp files), and emit
them in the merged BOM. Cross-ecosystem bom-refs rarely collide; identical
refs have their dependsOn lists unioned.

Verified end-to-end with an overlay image: a real UBI9 rootfs OS layer
(326 edges) + an application layer (3 edges) now merge to 329 edges, and
validate-sbom.sh reports result=pass on all seven mandatory checks
(previously transitive=fail). Update the server-delivery guide wording,
which had described the merge as dropping dependencies.
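The merge logic described above (union edges by ref, union dependsOn for identical refs) and the "zero edges fails the transitive check" failure mode, as an added Python example; it is not the project's own shell code, and the BOM layers, the `image-root` ref shared by both layers, and the `check_transitive` model of what validate-sbom.sh tests are all constructed assumptions.

```python
import json

# Constructed sample layers (CycloneDX-style shape: {"ref", "dependsOn"}).
OS_LAYER = {  # UBI9-like OS layer, rpm ecosystem: 3 edges
    "components": [{"bom-ref": "pkg:rpm/redhat/glibc@2.34", "name": "glibc"},
                   {"bom-ref": "pkg:rpm/redhat/openssl@3.0.7", "name": "openssl"}],
    "dependencies": [
        {"ref": "image-root", "dependsOn": ["pkg:rpm/redhat/glibc@2.34",
                                            "pkg:rpm/redhat/openssl@3.0.7"]},
        {"ref": "pkg:rpm/redhat/openssl@3.0.7", "dependsOn": ["pkg:rpm/redhat/glibc@2.34"]},
    ],
}
APP_LAYER = {  # application layer, pypi ecosystem: 4 edges, one duplicating the OS layer
    "components": [{"bom-ref": "pkg:pypi/app@1.0", "name": "app"},
                   {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests"}],
    "dependencies": [
        # same ref as in the OS layer; the glibc edge is already present there
        {"ref": "image-root", "dependsOn": ["pkg:pypi/app@1.0", "pkg:rpm/redhat/glibc@2.34"]},
        {"ref": "pkg:pypi/app@1.0", "dependsOn": ["pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0"]},
    ],
}

def merge_dependencies(boms):
    """Union the dependency graphs: one entry per ref, dependsOn deduplicated,
    first-seen order kept so the merged output is deterministic."""
    merged = {}  # ref -> {target: None}; dicts keep insertion order
    for bom in boms:
        for dep in bom.get("dependencies", []):
            targets = merged.setdefault(dep["ref"], {})
            for target in dep.get("dependsOn", []):
                targets.setdefault(target, None)
    return [{"ref": r, "dependsOn": list(t)} for r, t in merged.items()]

def edge_count(dependencies):
    """Number of ref -> dependsOn edges in a dependencies list."""
    return sum(len(d.get("dependsOn", [])) for d in dependencies)

def check_transitive(bom):
    """Assumed model of the mandatory check: a BOM with no dependency edges fails."""
    return "pass" if edge_count(bom.get("dependencies", [])) > 0 else "fail"

def merge_boms(boms):
    """Merge components by bom-ref and carry the merged dependency graph along."""
    components = {}
    for bom in boms:
        for c in bom.get("components", []):
            components.setdefault(c["bom-ref"], c)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "components": list(components.values()), "dependencies": merge_dependencies(boms)}

if __name__ == "__main__":
    print(json.dumps(merge_boms([OS_LAYER, APP_LAYER]), indent=2))
```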
@haksungjang haksungjang merged commit 92ab9ff into main Jun 17, 2026
24 checks passed
@haksungjang haksungjang deleted the fix/merge-preserve-dependencies branch June 17, 2026 07:47