The Veracode SCA Agent REST API deduplicates data in the software bill of materials (SBOM) when results include findings from both upload scans and agent-based scans. This impacts application profiles that you have linked to agent-based scanning projects.
To avoid generating duplicate data in SBOMs for application profiles, Veracode displays the data in these ways:
- The
metadata
property shows the metadata of the application, not the linked projects. - The
components
property includes all unique components from the application and from all linked projects. - The
dependencies
property includes all unique dependencies from the application and from all linked projects. - The
vulnerabilities
property includes all unique vulnerabilities from the application and from all linked projects. - If the same component exists in multiple projects, it includes all filepaths of each project.
- If the same dependency exists in multiple projects, it includes all components on which it depends, collected from different projects in the
dependsOn
property. - If the same vulnerability exists in multiple projects, it includes all components affected by the vulnerability, collected from different projects in the
affects
property.