analyze --multiple-component-versions

[EnDe]

Hi,

in my SBOM file grep finds for example:

% grep minimatch some-sbom.json
      "name": "minimatch",
      "bom-ref": "Dashboard@0.1.0|minimatch@3.1.2",
      "purl": "pkg:npm/minimatch@3.1.2",
...
          "name": "minimatch",
          "bom-ref": "Dashboard@0.1.0|glob@10.3.10|minimatch@9.0.5",
...
          "name": "minimatch",
          "bom-ref": "Dashboard@0.1.0|@typescript-eslint/typescript-estree@8.7.0|minimatch@9.0.5",
...

which shows at least two versions.
But using:

% cyclonedx-linux-x64 --version
0.30.0+d9a47f949b2809ab9275ba339dd8db25138d6ded
% cyclonedx-linux-x64 validate --input-file some-sbom.json
BOM validated successfully.
% cyclonedx-linux-x64 analyze  --input-file some-sbom.json --multiple-component-versions
Analysis results for Dashboard@0.1.0:
BOM Serial Number: urn:uuid:02c728c6-4d1a-40a0-8390-1917dd5c201c
BOM Version: 1
Timestamp: 03.02.2026 13:46:52

Components with multiple versions:

string-width versions: 4.2.3 5.1.2
wrap-ansi versions: 7.0.0 8.1.0

Does not show multiple versions.

What might be the reason for this difference?

Thanks

[andreas-hilti]

Hi @EnDe

Looking at the code here:
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Utils/MultipleComponentVersions.cs

It seems to loop only over the top level components; in my opinion, it should also descend into nested components.
Do you have nested components? (The fact that you have different indent hints towards this.)

In addition, note that it uses
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Utils/ComponentAnalysisIdentifier.cs
to match components and that if there are different occurences of a component, but with the same version number, it doesn't report it (https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/e8859a7076763339bd1dc0f5fc1e511dee8ab813/src/CycloneDX.Utils/MultipleComponentVersions.cs#L56).

It would be helpful to have a (minimal) example BOM to reproduce your issue.

[EnDe]

Hi andreas-hilti,

yes, there are different versions in nested components.
And I also expevćt that same version in different level is not reported as multiple ;-)

Here is a small SBOM (omited many properties and the "dependencies" section at end)

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "serialNumber": "urn:uuid:02c728c6-4d1a-40a0-8390-1917dd5c201c",
  "metadata": {
    "timestamp": "2026-02-03T13:46:52.785Z"
  },
  "components": [
    {
      "type": "library",
      "name": "minimatch",
      "version": "3.1.2",
      "bom-ref": "Dashboard@0.1.0|minimatch@3.1.2",
      "externalReferences": [
        {
          "url": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
          "type": "distribution"
        }
      ]
    },
    {
      "type": "library",
      "name": "glob",
      "version": "10.3.10",
      "bom-ref": "Dashboard@0.1.0|glob@10.3.10",
      "externalReferences": [
        {
          "url": "https://registry.npmjs.org/glob/-/glob-10.3.10.tgz",
          "type": "distribution"
        }
      ],
      "components": [
        {
          "type": "library",
          "name": "minimatch",
          "version": "9.0.5",
          "bom-ref": "Dashboard@0.1.0|glob@10.3.10|minimatch@9.0.5",
          "externalReferences": [
            {
              "url": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
              "type": "distribution"
            }
          ]
        }
      ]
    }
  ]
}