About Data Deduplication in SBOMs for Application Profiles with Linked Projects

Publication: Veracode APIs
Edition date: 2023-01-27
Last publication: 2023-01-27T02:45:54.600583

The Veracode SCA Agent REST API deduplicates data in the software bill of materials (SBOM) when results include findings from both upload scans and agent-based scans. This impacts application profiles that you have linked to agent-based scanning projects.

To avoid generating duplicate data in SBOMs for application profiles, Veracode displays the data in these ways:

  • The metadata property shows the metadata of the application, not the linked projects.
  • The components property includes all unique components from the application and from all linked projects.
  • The dependencies property includes all unique dependencies from the application and from all linked projects.
  • The vulnerabilities property includes all unique vulnerabilities from the application and from all linked projects.
  • If the same component exists in multiple projects, the single merged component entry lists the file paths from each of those projects.
  • If the same dependency exists in multiple projects, the merged dependency entry lists, in its dependsOn property, all components it depends on, collected from the different projects.
  • If the same vulnerability exists in multiple projects, the merged vulnerability entry lists, in its affects property, all components affected by the vulnerability, collected from the different projects.
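The rules above describe a merge of one application SBOM with the SBOMs of its linked projects, keyed on component, dependency and vulnerability identity. The following is an added example, not Veracode's code, that carries those rules out on CycloneDX-style dictionaries. It assumes that components are identified by their purl, dependencies by their ref, and vulnerabilities by their id, and it uses a plain "filepaths" list on each component to stand in for whatever path field the real API emits; the SBOM contents are constructed for the example.

```python
"""Merge an application SBOM with its linked projects' SBOMs using the
deduplication rules described on the page (added example, not Veracode code).
Assumptions: CycloneDX-like dicts; components keyed by purl, dependencies by
ref, vulnerabilities by id; a "filepaths" list on each component."""
import json
from copy import deepcopy


def _merge_unique(existing, new_items):
    """Append new_items to existing, skipping exact duplicates, keeping order."""
    for item in new_items:
        if item not in existing:
            existing.append(item)
    return existing


def merge_sboms(app_sbom, project_sboms):
    """Return a single SBOM combining the application and all linked projects."""
    merged = {
        "bomFormat": app_sbom.get("bomFormat", "CycloneDX"),
        # Rule: metadata comes from the application only, not the linked projects.
        "metadata": deepcopy(app_sbom.get("metadata", {})),
    }
    components = {}    # purl -> merged component entry
    dependencies = {}  # ref  -> merged dependency entry
    vulns = {}         # id   -> merged vulnerability entry

    # The application is processed first so its entries come first in the output.
    for sbom in [app_sbom, *project_sboms]:
        for comp in sbom.get("components", []):
            key = comp["purl"]
            if key not in components:
                entry = deepcopy(comp)
                entry["filepaths"] = list(comp.get("filepaths", []))
                components[key] = entry
            else:
                # Same component in another project: collect its file paths.
                _merge_unique(components[key]["filepaths"], comp.get("filepaths", []))

        for dep in sbom.get("dependencies", []):
            key = dep["ref"]
            if key not in dependencies:
                dependencies[key] = {"ref": key, "dependsOn": list(dep.get("dependsOn", []))}
            else:
                # Same dependency elsewhere: union of everything it depends on.
                _merge_unique(dependencies[key]["dependsOn"], dep.get("dependsOn", []))

        for vuln in sbom.get("vulnerabilities", []):
            key = vuln["id"]
            if key not in vulns:
                entry = deepcopy(vuln)
                entry["affects"] = list(vuln.get("affects", []))
                vulns[key] = entry
            else:
                # Same vulnerability elsewhere: union of affected component refs.
                _merge_unique(vulns[key]["affects"], vuln.get("affects", []))

    merged["components"] = list(components.values())
    merged["dependencies"] = list(dependencies.values())
    merged["vulnerabilities"] = list(vulns.values())
    return merged


# Constructed sample input: one application and one linked project sharing a
# component and a vulnerability; identifiers are placeholders, not real data.
LIBA = "pkg:maven/example/liba@2.1.0"
LIBB = "pkg:maven/example/libb@0.9.0"

APP_SBOM = {
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "example-app", "version": "1.0.0"}},
    "components": [
        {"name": "liba", "version": "2.1.0", "purl": LIBA, "filepaths": ["app/pom.xml"]},
    ],
    "dependencies": [{"ref": LIBA, "dependsOn": []}],
    "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "affects": [{"ref": LIBA}]}],
}

PROJECT_SBOMS = [
    {
        "metadata": {"component": {"name": "linked-project-1"}},
        "components": [
            {"name": "liba", "version": "2.1.0", "purl": LIBA, "filepaths": ["project1/pom.xml"]},
            {"name": "libb", "version": "0.9.0", "purl": LIBB, "filepaths": ["project1/pom.xml"]},
        ],
        "dependencies": [
            {"ref": LIBA, "dependsOn": [LIBB]},
            {"ref": LIBB, "dependsOn": []},
        ],
        "vulnerabilities": [{"id": "VULN-EXAMPLE-1", "affects": [{"ref": LIBB}]}],
    },
]


if __name__ == "__main__":
    print(json.dumps(merge_sboms(APP_SBOM, PROJECT_SBOMS), indent=2))
```

The point of keying on identity rather than on the whole record is that the same component reported twice with different file paths, or the same vulnerability reported against different components, collapses into one entry that carries the union, which is what the rules above describe. A consumer that counts entries or diffs two SBOMs should expect that shape rather than one entry per project.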