About data deduplication in SBOMs for application profiles with linked projects
The SCA REST API deduplicates data in the software bill of materials (SBOM) when results include findings from both upload scans and agent-based scans. This impacts application profiles that you have linked to agent-based scanning projects.
To avoid generating duplicate data in SBOMs for application profiles, Veracode displays the data in these ways:
- The metadata property shows the metadata of the application, not the linked projects.
- The components property includes all unique components from the application and from all linked projects.
- The dependencies property includes all unique dependencies from the application and from all linked projects.
- The vulnerabilities property includes all unique vulnerabilities from the application and from all linked projects.
- If the same component exists in multiple projects, it includes all filepaths of each project.
- If the same dependency exists in multiple projects, it includes all components on which it depends, collected from different projects in the dependsOn property.
- If the same vulnerability exists in multiple projects, it includes all components affected by the vulnerability, collected from different projects in the affects property.
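The merge rules above, carried out on two constructed SBOM fragments (an application upload and one linked agent-based project). This is an added illustration, not Veracode's own code; it assumes CycloneDX-style JSON where a component's identity is its purl and its filepaths are recorded under evidence.occurrences, and the vulnerability id is a placeholder.

```python
"""Merge an application SBOM with its linked projects' SBOMs as the page describes
(added example, not Veracode code). Assumes CycloneDX-style JSON: a component is
identified by its purl and its filepaths live in evidence.occurrences[].location."""
from copy import deepcopy

def _key(comp):
    return comp.get("purl") or f"{comp['name']}@{comp.get('version', '')}"

def merge_sboms(app_sbom, linked_sboms):
    comps, deps, vulns = {}, {}, {}
    for sbom in [app_sbom, *linked_sboms]:
        for c in sbom.get("components", []):        # unique components, union of filepaths
            entry = comps.setdefault(_key(c), {**deepcopy(c), "evidence": {"occurrences": []}})
            for occ in c.get("evidence", {}).get("occurrences", []):
                if occ not in entry["evidence"]["occurrences"]:
                    entry["evidence"]["occurrences"].append(occ)
        for d in sbom.get("dependencies", []):      # unique refs, union of dependsOn
            entry = deps.setdefault(d["ref"], {"ref": d["ref"], "dependsOn": []})
            for ref in d.get("dependsOn", []):
                if ref not in entry["dependsOn"]:
                    entry["dependsOn"].append(ref)
        for v in sbom.get("vulnerabilities", []):   # unique ids, union of affects
            entry = vulns.setdefault(v["id"], {**deepcopy(v), "affects": []})
            for a in v.get("affects", []):
                if a not in entry["affects"]:
                    entry["affects"].append(a)
    return {"metadata": deepcopy(app_sbom.get("metadata", {})),   # application only
            "components": list(comps.values()), "dependencies": list(deps.values()),
            "vulnerabilities": list(vulns.values())}

# Constructed sample data: same libA seen by the upload scan and the agent project.
A, B = "pkg:maven/ex/libA@1.0", "pkg:maven/ex/libB@2.0"
APP = {"metadata": {"component": {"name": "shop-app"}},
       "components": [{"bom-ref": A, "name": "libA", "version": "1.0", "purl": A,
                       "evidence": {"occurrences": [{"location": "app/pom.xml"}]}}],
       "dependencies": [{"ref": A, "dependsOn": []}],
       "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": A}]}]}
LINKED = {"metadata": {"component": {"name": "agent-project"}},
          "components": [{"bom-ref": A, "name": "libA", "version": "1.0", "purl": A,
                          "evidence": {"occurrences": [{"location": "svc/pom.xml"}]}},
                         {"bom-ref": B, "name": "libB", "version": "2.0", "purl": B,
                          "evidence": {"occurrences": [{"location": "svc/pom.xml"}]}}],
          "dependencies": [{"ref": A, "dependsOn": [B]}],
          "vulnerabilities": [{"id": "VULN-PLACEHOLDER-1", "affects": [{"ref": B}]}]}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_sboms(APP, [LINKED]), indent=2))
```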