Use stricter identity comparison when merging components #3861

@mykter

Description

Current Behavior

When uploading a BOM, components are merged based on their identity as defined here. Broadly speaking, if there are multiple components in the BOM with the same ID fields (PURL, CPE, name, version, etc), only one of them will be saved in the database.

Proposed Behavior

Some BOMs contain multiple components with the same identity, but differing properties for these components. The BOM may contain components from many different projects, some of which might include the same dependencies.

In this scenario we don't just want to know that we depend on component A, or that component A has a vulnerability - we want to know which projects depend on A. We can only easily do that if every component is present in Dependency-Track as it is in the BOM.

Somehow we would like to be able to upload a BOM, and know that after the upload, the project in Dependency-Track will exactly mirror the contents of the BOM. Options include:

  1. Change the existing identity check to use full equality. This will presumably break some use cases that depend on the existing identity-based merging? (I'm not sure what these use cases are)
  2. Add an option to use equality when uploading a BOM. This feels complex - the behaviour of a project could vary over time unexpectedly.
  3. Add an option to a project, so it can be configured to use strict component equality
    a. a new flag at the project level (like the "active" toggle)
    b. define a special property and use that, e.g. dependency-track / component-merge / strict
  4. Make the behaviour configurable instance-wide in the settings.

Option 3a seems like a reasonable solution to me?
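To make the difference between the two merge strategies concrete, here is an added example (not code from Dependency-Track or from the issue author) that replays an upload over a constructed CycloneDX-style BOM. The identity field list `IDENTITY_FIELDS`, the `example:project` property used to tag which project a component came from, and the decision to drop `bom-ref` from the full-equality key are all assumptions of this example, not the server's actual rules. It also adds a pre-upload check, `lossy_identity_groups`, that reports components the identity-based merge would silently discard.

```python
import json
from typing import Any

# Constructed sample BOM (not a real project's BOM). Two projects bundled into
# one BOM both pull in lodash 4.17.21; the two entries share every identity
# field but differ in their properties, so an identity merge keeps only one.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "frontend/lodash", "type": "library", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "properties": [{"name": "example:project", "value": "frontend"}]},
        {"bom-ref": "backend/lodash", "type": "library", "name": "lodash",
         "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21",
         "properties": [{"name": "example:project", "value": "backend"}]},
        {"bom-ref": "backend/express", "type": "library", "name": "express",
         "version": "4.19.2", "purl": "pkg:npm/express@4.19.2",
         "properties": [{"name": "example:project", "value": "backend"}]},
    ],
})

# Assumed identity fields; a simplification of the server's identity check.
IDENTITY_FIELDS = ("group", "name", "version", "purl", "cpe", "swidTagId")


def identity_key(component: dict[str, Any]) -> tuple:
    """Key under the current behaviour: identity fields only."""
    return tuple(component.get(field) for field in IDENTITY_FIELDS)


def equality_key(component: dict[str, Any]) -> str:
    """Key under the proposed strict behaviour: every field of the component.

    bom-ref is dropped because it is a per-BOM reference identifier that is
    unique by construction; keeping it would prevent any merging at all.
    """
    body = {k: v for k, v in component.items() if k != "bom-ref"}
    return json.dumps(body, sort_keys=True)


def merge_components(bom_json: str, strict: bool = False) -> list[dict[str, Any]]:
    """Return the components that would survive an upload.

    First occurrence wins, matching "only one of them will be saved".
    """
    bom = json.loads(bom_json)
    survivors: dict[Any, dict[str, Any]] = {}
    for component in bom.get("components", []):
        key = equality_key(component) if strict else identity_key(component)
        survivors.setdefault(key, component)
    return list(survivors.values())


def projects_depending_on(components: list[dict[str, Any]], purl: str) -> list[str]:
    """Projects (from the assumed example:project property) still referencing purl."""
    projects = set()
    for component in components:
        if component.get("purl") != purl:
            continue
        for prop in component.get("properties", []):
            if prop.get("name") == "example:project":
                projects.add(prop["value"])
    return sorted(projects)


def lossy_identity_groups(bom_json: str) -> dict[tuple, int]:
    """Pre-upload check: identity keys shared by components that are not fully
    equal, i.e. entries the current identity merge would silently discard.
    Maps each such identity key to the number of distinct variants."""
    bom = json.loads(bom_json)
    variants: dict[tuple, set[str]] = {}
    for component in bom.get("components", []):
        variants.setdefault(identity_key(component), set()).add(equality_key(component))
    return {key: len(forms) for key, forms in variants.items() if len(forms) > 1}


if __name__ == "__main__":
    for strict in (False, True):
        kept = merge_components(SAMPLE_BOM, strict=strict)
        print(f"strict={strict}: {len(kept)} components, lodash used by "
              f"{projects_depending_on(kept, 'pkg:npm/lodash@4.17.21')}")
    print("lossy identity groups:", lossy_identity_groups(SAMPLE_BOM))
```

With the identity merge only the first lodash entry survives, so the question "which projects depend on lodash?" answers `frontend` alone; with strict equality both entries survive and the answer is `backend` and `frontend`. The `lossy_identity_groups` check is the kind of pre-flight a practitioner would want regardless of which option is chosen: if it returns anything, the BOM carries per-component information that an identity-based upload will not preserve.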

Labels

  * enhancement (New feature or request)
  * p2 (Non-critical bugs, and features that help organizations to identify and reduce risk)
  * size/M (Medium effort)
