Fix metadata tools components #304

Open
wants to merge 4 commits into
base: main

Contributor

@andreas-hilti commented Jun 1, 2024

Helps to address: CycloneDX/cyclonedx-cli#371

Signed-off-by: andreas hilti <andreas.hilti@bluewin.ch>
@andreas-hilti force-pushed the ahiltebr/fix_metadata_tools_components branch from 40735fb to 59a2da3, June 1, 2024 15:09
@@ -230,6 +236,22 @@ public static Bom HierarchicalMerge(IEnumerable<Bom> boms, Component bomSubject)
{
result.Metadata.Tools.Tools.AddRange(bom.Metadata.Tools.Tools);
}
if (bom.Metadata?.Tools?.Components?.Count > 0)
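
Review bot: the new `if (bom.Metadata?.Tools?.Components?.Count > 0)` branch sits directly after an `AddRange` that appends `Tools.Tools` unchanged, and if the tool components are appended the same way, two merged BOMs that carry a tool with the same bom-ref will produce duplicate bom-refs in the result. In `HierarchicalMerge` the entries should be deduplicated or have their bom-ref rewritten per source BOM before they are added, and a test that merges two BOMs containing an identical tool component would pin the behaviour down. The body of the branch is not visible in this excerpt, so also confirm that the destination `Components` list on `result.Metadata.Tools` exists before the first add.
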
Contributor Author

@andreas-hilti Jun 1, 2024

How should components/services in the tools be handled for a hierarchical merge?
Should they be flat merged or namespaced?
(At the moment, I just append, which can lead to duplicates.)

Contributor

Just to make sure: What exactly do you mean by "namespaced"?

Contributor Author

@andreas-hilti Jun 18, 2024

What I mean is the following:
Let's say you have this tool in both BOMs that you merge:

{
      "bom-ref":"tool1",
      "type": "application",
      "name": "tool1",
      "version": "1"
}

What should be the resulting tools?
What I meant by "flat merge" is: there would be a single tool exactly as above.
What I meant by "namespaced" is: there would be two tools, one with a bom-ref "thing1@tool1" and the other with "thing2@tool1" (if thing1 and thing2 are the main components of the two merged BOMs).

Contributor Author

(The problem with the flat merge is that if two different tools happen to use the same bom-ref, this will invalidate the uniqueness of the bom-ref in the merged BOM.)

Contributor

As I understand it, the components themselves are also namespaced in hierarchical merges, so it only makes sense to apply the same logic to tool-components.

Contributor Author

I have adapted it.
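
The merge strategies discussed in this thread, as an added example that is not part of the pull request or the CycloneDX library. It works on the JSON form of the BOMs rather than the library's C# model; the helper names, the constructed sample BOMs and the `subject@bom-ref` prefix format (taken from the comment above) are assumptions for illustration.

```python
import copy
from collections import Counter

def make_bom(subject, tool_version):
    # Constructed sample BOM: one main component and one tool component.
    return {
        "metadata": {
            "component": {"bom-ref": subject, "type": "application", "name": subject},
            "tools": {"components": [
                {"bom-ref": "tool1", "type": "application",
                 "name": "tool1", "version": tool_version},
            ]},
        },
    }

def tool_components(bom):
    return bom.get("metadata", {}).get("tools", {}).get("components", [])

def append_merge(boms):
    """Plain append: every tool entry is kept as-is."""
    return [copy.deepcopy(t) for bom in boms for t in tool_components(bom)]

def flat_merge(boms):
    """Keep one entry per identical tool; tools that differ are all kept."""
    merged = []
    for tool in append_merge(boms):
        if tool not in merged:
            merged.append(tool)
    return merged

def namespaced_merge(boms):
    """Prefix each tool's bom-ref with the bom-ref of its BOM's main component."""
    merged = []
    for bom in boms:
        subject = bom["metadata"]["component"]["bom-ref"]  # assumed prefix source
        for tool in tool_components(bom):
            tool = copy.deepcopy(tool)
            tool["bom-ref"] = f"{subject}@{tool['bom-ref']}"
            merged.append(tool)
    return merged

def duplicate_bom_refs(tools):
    """Return bom-refs that occur more than once (must be empty in a valid BOM)."""
    counts = Counter(t["bom-ref"] for t in tools)
    return sorted(ref for ref, n in counts.items() if n > 1)

same = [make_bom("thing1", "1"), make_bom("thing2", "1")]   # identical tool in both
clash = [make_bom("thing1", "1"), make_bom("thing2", "2")]  # different tool, same bom-ref
```

Any other element of the merged BOM that refers to a rewritten bom-ref has to be updated with the same prefix.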

@andreas-hilti
Contributor Author

Compare also #280.

@mtsfoni mtsfoni added this to the 7.1.0 milestone Jun 23, 2024