The Veracode SCA Agent REST API deduplicates data in the software bill of materials (SBOM) when results include findings from both upload scans and agent-based scans. This impacts application profiles that you have linked to agent-based scanning projects.
To avoid generating duplicate data in SBOMs for application profiles, Veracode displays the data in these ways:
- The
metadataproperty shows the metadata of the application, not the linked projects. - The
componentsproperty includes all unique components from the application and from all linked projects. - The
dependenciesproperty includes all unique dependencies from the application and from all linked projects. - The
vulnerabilitiesproperty includes all unique vulnerabilities from the application and from all linked projects. - If the same component exists in multiple projects, it includes all filepaths of each project.
- If the same dependency exists in multiple projects, it includes all components on which it depends, collected from different projects in the
dependsOnproperty. - If the same vulnerability exists in multiple projects, it includes all components affected by the vulnerability, collected from different projects in the
affectsproperty.