Fix deterministic ordering for multiple package versions with lockfiles by piloulacdog · Pull Request #99 · DataDog/datadog-sbom-generator

piloulacdog · 2026-01-22T17:31:29Z

🚀 Motivation

Identified an issue when running consistency check for our running on a nuget package: https://github.com/DataDog/software-composition-analysis-test/actions/runs/21254063506

When NuGet projects use lockfiles with multiple target frameworks that reference different versions of the same package, the SBOM generator was producing non-deterministic results. This occurred because the package matching logic used only package names as keys, causing unpredictable behavior when multiple versions existed. This non-determinism makes SBOMs unreliable and difficult to compare across builds.

The fix ensures that when the same package+version appears multiple times (e.g., in different conditional ItemGroups), we consistently pick the first occurrence by line number, making the output deterministic and reproducible.

🧪 Testing

New tests were added for new logic.
Existing tests were updated for new logic, and not only so that they pass!
Benchmark results prove that performance is the same or better.

github-actions · 2026-01-22T17:43:57Z

Go test coverage report

Total test coverage: 90.5% (4352/4807)

Test coverage has changed in the current files, with 1 lines missing coverage.
file: uncovered: current coverage: base coverage:
pkg/lockfile/dotnet/match-nuget-csproj.go 1 97.1% (33/34) 91.3% (21/23)

pkg/lockfile/dotnet/parse-nuget-csproj.go

pkg/lockfile/dotnet/match-nuget-csproj.go

piloulacdog added 4 commits January 22, 2026 18:03

test: create multiple versions with lockfile fixture

9b84175

test: create tests for multiple versions with lockfile

7a2550a

fix: multiple versions with lockfile and target framework

8068eb2

tests: fix TestMultipleVersionsNonDeterministicOrder wrong location file

d6f62fa

piloulacdog marked this pull request as ready for review January 22, 2026 17:36

piloulacdog requested a review from a team as a code owner January 22, 2026 17:36

rjcoulter22 reviewed Jan 22, 2026

View reviewed changes

pkg/lockfile/dotnet/parse-nuget-csproj.go Show resolved Hide resolved

pkg/lockfile/dotnet/match-nuget-csproj.go Outdated Show resolved Hide resolved

pkg/lockfile/dotnet/match-nuget-csproj.go Outdated Show resolved Hide resolved

refactor: Match in for nuget-csproj

9991fca

rjcoulter22 self-requested a review January 23, 2026 16:48

rjcoulter22 approved these changes Jan 23, 2026

View reviewed changes

piloulacdog merged commit c3b017e into main Jan 23, 2026
10 checks passed

piloulacdog deleted the pierrelouis.lacorte/fix-deterministic-order branch January 23, 2026 16:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix deterministic ordering for multiple package versions with lockfiles#99

Fix deterministic ordering for multiple package versions with lockfiles#99
piloulacdog merged 5 commits intomainfrom
pierrelouis.lacorte/fix-deterministic-order

piloulacdog commented Jan 22, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Jan 22, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

piloulacdog commented Jan 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Motivation

🧪 Testing

Uh oh!

github-actions bot commented Jan 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Go test coverage report

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

piloulacdog commented Jan 22, 2026 •

edited

Loading

github-actions bot commented Jan 22, 2026 •

edited

Loading