[BUG] rootComponentName does not override root component but adds a new one #1418

@max619

Description

Describe the bug

If rootComponentAutodetect is turned off and rootComponentName is set, a new "dangling" root component is created rather than the default one being overwritten.

I'm not sure, maybe it is intended behaviour, but for me it doesn't make sense, because renaming the root component results in it basically being orphaned.

To Reproduce

new CycloneDxWebpackPlugin({
  outputLocation: `sbom`,
  rootComponentAutodetect: false,
  rootComponentName: 'custom-component-name',
  rootComponentVersion: '1.0.0'
})

Generating an SBOM with the config above results in the following file:

<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1" serialNumber="urn:uuid:97d6a1eb-a46c-4ae0-b6a5-f813837a488c">
  <metadata>
    <!-- ... -->
    <component type="application" bom-ref="pkg:npm/custom-component-name@1.0.0">
      <name>custom-component-name</name>
      <version>1.0.0</version>
      <purl>pkg:npm/custom-component-name@1.0.0</purl>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="pkg:npm/original-component-name@0.0.1">
      <name>original-component-name</name>
      <version>0.0.1</version>
      <purl>pkg:npm/original-component-name@0.0.1</purl>
    </component>
    <!-- ... -->
  </components>
  <dependencies>
    <dependency ref="pkg:npm/custom-component-name@1.0.0"/>
    <dependency ref="pkg:npm/original-component-name@0.0.1">
      <!-- ... -->
    </dependency>
  </dependencies>
</bom>

Expected behavior

I would have expected the original component to be renamed completely, with no change in behaviour. Like this:

<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1" serialNumber="urn:uuid:97d6a1eb-a46c-4ae0-b6a5-f813837a488c">
  <metadata>
    <!-- ... -->
    <component type="application" bom-ref="pkg:npm/custom-component-name@1.0.0">
      <name>custom-component-name</name>
      <version>1.0.0</version>
      <purl>pkg:npm/custom-component-name@1.0.0</purl>
    </component>
  </metadata>
  <components>
    <!-- ... -->
  </components>
  <dependencies>
    <dependency ref="pkg:npm/custom-component-name@1.0.0">
      <!-- ... -->
    </dependency>
  </dependencies>
</bom>

The same issue happens with the JSON format.

Environment

  • @cyclonedx/webpack-plugin version: 5.1.0
  • webpack version: 5.101.0
  • Node version: v20.18.2
  • OS: macOS

Contribution

  • I am willing to provide a fix
  • I will wait until somebody else fixes it
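As an added example (not from the issue or the plugin's code), a consumer-side check for the symptom described above, run over a constructed JSON BOM that mirrors the XML in the report; the `some-library` dependency and the `mergeDanglingRoot` post-processing workaround are assumptions of this example, not plugin behaviour:

```javascript
// Detect the reported shape: metadata.component has no dependsOn edges while the
// real root survives as an orphan in components/dependencies (JSON form of the BOM).
function findDanglingRoot(bom) {
  const root = bom.metadata && bom.metadata.component;
  if (!root || !root['bom-ref']) return { ok: false, rootRef: null, rootEdges: 0, orphans: [] };
  const rootRef = root['bom-ref'];
  const deps = Array.isArray(bom.dependencies) ? bom.dependencies : [];
  const edges = new Map(deps.map((d) => [d.ref, d.dependsOn || []]));
  // every bom-ref that some dependency entry points at
  const referenced = new Set([...edges.values()].flat());
  // components that nothing depends on and that are not the declared root
  const orphans = (bom.components || [])
    .map((c) => c['bom-ref'])
    .filter((ref) => ref && ref !== rootRef && !referenced.has(ref));
  const rootEdges = (edges.get(rootRef) || []).length;
  return { ok: rootEdges > 0 && orphans.length === 0, rootRef, rootEdges, orphans };
}

// Workaround (assumption: a single orphan is the displaced root): fold it into the
// declared root, which keeps its own name/version/purl and inherits the orphan's
// dependsOn list. Returns a new object; the input is not mutated.
function mergeDanglingRoot(bom) {
  const check = findDanglingRoot(bom);
  if (check.ok || check.orphans.length !== 1) return bom; // nothing to do, or ambiguous
  const [orphanRef] = check.orphans;
  const deps = bom.dependencies || [];
  const orphanDep = deps.find((d) => d.ref === orphanRef) || {};
  return {
    ...bom,
    components: (bom.components || []).filter((c) => c['bom-ref'] !== orphanRef),
    dependencies: deps
      .filter((d) => d.ref !== orphanRef)
      .map((d) => (d.ref === check.rootRef ? { ...d, dependsOn: orphanDep.dependsOn || [] } : d)),
  };
}

// Constructed sample mirroring the XML in the report; some-library is a placeholder.
const SAMPLE_BOM = {
  bomFormat: 'CycloneDX', specVersion: '1.6',
  metadata: { component: { type: 'application', 'bom-ref': 'pkg:npm/custom-component-name@1.0.0', name: 'custom-component-name', version: '1.0.0' } },
  components: [
    { type: 'library', 'bom-ref': 'pkg:npm/original-component-name@0.0.1', name: 'original-component-name', version: '0.0.1' },
    { type: 'library', 'bom-ref': 'pkg:npm/some-library@2.0.0', name: 'some-library', version: '2.0.0' },
  ],
  dependencies: [
    { ref: 'pkg:npm/custom-component-name@1.0.0' },
    { ref: 'pkg:npm/original-component-name@0.0.1', dependsOn: ['pkg:npm/some-library@2.0.0'] },
    { ref: 'pkg:npm/some-library@2.0.0' },
  ],
};

console.log(findDanglingRoot(SAMPLE_BOM)); // ok: false, rootEdges: 0, one orphan
```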

Labels

  • bug: Something isn't working
  • help wanted: Extra attention is needed