Both the hierarchical and non-hierarchical merge commands only concatenate the `vulnerabilities` arrays. My expectation is that entries with the same `id` are merged into a single entry. This would be especially useful for adding `analysis` sections to existing vulnerability entries: with plain concatenation the output carries two entries for the same `id`, one with the description and one with the analysis, so a consumer that reads the first entry sees the vulnerability without its assessment.
Steps to reproduce
cyclonedx merge --input-files a.cdx.json b.cdx.json --output-format json
Where a.cdx.json is:
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"vulnerabilities": [
{
"id": "CVE-2014-0160",
"description": "Heartbleed"
}
]
}
and b.cdx.json is:
{
"$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"vulnerabilities": [
{
"id": "CVE-2014-0160",
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable"
}
}
]
}
Results in:
{
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:f9907614-f247-4a1d-8d33-944766a468f9",
"version": 1,
"metadata": {
"timestamp": "2026-04-14T14:32:11Z"
},
"vulnerabilities": [
{
"id": "CVE-2014-0160",
"description": "Heartbleed"
},
{
"id": "CVE-2014-0160",
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable"
}
}
]
}
but the expected output would be:
{
"bomFormat": "CycloneDX",
"specVersion": "1.7",
"serialNumber": "urn:uuid:f9907614-f247-4a1d-8d33-944766a468f9",
"version": 1,
"metadata": {
"timestamp": "2026-04-14T14:32:11Z"
},
"vulnerabilities": [
{
"id": "CVE-2014-0160",
"description": "Heartbleed",
"analysis": {
"state": "not_affected",
"justification": "code_not_reachable"
}
}
]
}
Both the hierarchical and non-hierarchical merge commands only concatenate the `vulnerabilities` array. My expectation is that entries with the same `id` are merged. This would be especially useful to be able to add `analysis` sections.
Steps to reproduce
Where `a.cdx.json` is:
{ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", "vulnerabilities": [ { "id": "CVE-2014-0160", "description": "Heartbleed" } ] }
and
`b.cdx.json` is:
{ "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.7", "vulnerabilities": [ { "id": "CVE-2014-0160", "analysis": { "state": "not_affected", "justification": "code_not_reachable" } } ] }
Results in:
{ "bomFormat": "CycloneDX", "specVersion": "1.7", "serialNumber": "urn:uuid:f9907614-f247-4a1d-8d33-944766a468f9", "version": 1, "metadata": { "timestamp": "2026-04-14T14:32:11Z" }, "vulnerabilities": [ { "id": "CVE-2014-0160", "description": "Heartbleed" }, { "id": "CVE-2014-0160", "analysis": { "state": "not_affected", "justification": "code_not_reachable" } } ] }
but the expected output would be:
{ "bomFormat": "CycloneDX", "specVersion": "1.7", "serialNumber": "urn:uuid:f9907614-f247-4a1d-8d33-944766a468f9", "version": 1, "metadata": { "timestamp": "2026-04-14T14:32:11Z" }, "vulnerabilities": [ { "id": "CVE-2014-0160", "description": "Heartbleed", "analysis": { "state": "not_affected", "justification": "code_not_reachable" } } ] }