
Serialization of nested Components with Dependencies drops transitive dependencies #328

Closed
schlenk opened this issue Jan 4, 2023 · 4 comments · Fixed by #329
Labels: bug (Something isn't working)

Comments

@schlenk
Contributor

schlenk commented Jan 4, 2023

I am not sure if this is a bug or just a misunderstanding of how Component nesting and Dependencies interact.

I have a nested BOM with multiple components that also declare dependencies between each other along the nesting hierarchy, like in the code below. An example of such a structure would be some framework with multiple applications that have dependencies on a bunch of 3rd party libraries.

from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from cyclonedx.output import get_instance, OutputFormat, SchemaVersion

bom = Bom()

a = Component(name='A', version='0.1')
b = Component(name='B', version='1.0')
c = Component(name='C', version='1.0')

# Make a tree of components A -> B -> C
b.components = [c]
a.components = [b]

# Declare dependencies the same way
b.dependencies = [c.bom_ref]
a.dependencies = [b.bom_ref]

bom.components = [a]

inst = get_instance(
    bom=bom,
    output_format=OutputFormat["XML"],
    schema_version=SchemaVersion["V1_4"],
)
inst.output_to_file("bom.xml")

This results in the following XML output (for components and dependencies):

<components>
    <component type="library" bom-ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
        <name>A</name>
        <version>0.1</version>
        <components>
            <component type="library" bom-ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c">
                <name>B</name>
                <version>1.0</version>
                <components>
                    <component type="library" bom-ref="742e60fa-19f5-4dff-ac94-69c5d9a28e91">
                        <name>C</name>
                        <version>1.0</version>
                    </component>
                </components>
            </component>
        </components>
    </component>
</components>
<dependencies>
    <dependency ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
        <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c" />
    </dependency>
</dependencies>

The dependency of B on C is dropped in the serialization.
I would have expected the serialization to preserve the dependencies of the nested components as well.

@schlenk
Contributor Author

schlenk commented Jan 4, 2023

Looking at the dependency graph example at https://cyclonedx.org/use-cases/#dependency-graph, I would expect a flattened, 1-node-deep serialization like this:

<dependencies>
    <dependency ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
        <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c" />
    </dependency>
    <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c">
        <dependency ref="742e60fa-19f5-4dff-ac94-69c5d9a28e91" />
    </dependency>
</dependencies>

The reason is probably that

    dep_components: Iterable[Component] = bom.components

is not iterating over the whole tree of components but only over the top-level components. It should traverse the whole tree of nested components.
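As an added illustration of the traversal described above (constructed stand-ins, not the cyclonedx-python-lib code): the top-level-only walk that reproduces the reported loss of B -> C is shown beside a depth-first walk over the nested tree, plus a check for dependency refs that point at no component in the tree, which an SBOM consumer would otherwise silently ignore.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set


# Minimal stand-ins for the library's Component/BomRef (constructed for this
# example; field names mirror the issue's snippet, not the real classes).
@dataclass
class Component:
    name: str
    bom_ref: str
    components: List["Component"] = field(default_factory=list)
    dependencies: Set[str] = field(default_factory=set)


def walk(components: List[Component]) -> Iterator[Component]:
    """Depth-first traversal over the whole nested component tree."""
    for comp in components:
        yield comp
        yield from walk(comp.components)


def top_level_dependencies(top_level: List[Component]) -> Dict[str, List[str]]:
    """The reported behaviour: only top-level components are visited."""
    return {comp.bom_ref: sorted(comp.dependencies) for comp in top_level}


def flatten_dependencies(top_level: List[Component]) -> Dict[str, List[str]]:
    """One-node-deep map covering nested components, so B -> C survives."""
    return {comp.bom_ref: sorted(comp.dependencies) for comp in walk(top_level)}


def dangling_refs(top_level: List[Component]) -> Set[str]:
    """Dependency targets that no component anywhere in the tree declares."""
    known = {comp.bom_ref for comp in walk(top_level)}
    return {d for comp in walk(top_level) for d in comp.dependencies} - known


def to_xml(deps: Dict[str, List[str]]) -> str:
    """Render the map in the <dependencies> layout the issue expects."""
    out = ["<dependencies>"]
    for ref, targets in deps.items():
        out.append(f'    <dependency ref="{ref}">')
        out += [f'        <dependency ref="{t}" />' for t in targets]
        out.append("    </dependency>")
    return "\n".join(out + ["</dependencies>"])


# Constructed tree A -> B -> C with matching dependency declarations.
c = Component("C", "ref-c")
b = Component("B", "ref-b", components=[c], dependencies={"ref-c"})
a = Component("A", "ref-a", components=[b], dependencies={"ref-b"})
```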

@jkowalleck
Member

I remember we had this bug before, and it was supposed to be fixed.
Will check if we have a regression test for it. If not, I will create one.
Will check if this is reproducible and fixable.

@jkowalleck jkowalleck self-assigned this Jan 6, 2023
jkowalleck added a commit that referenced this issue Jan 6, 2023
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck jkowalleck added the bug Something isn't working label Jan 6, 2023
@jkowalleck
Member

Tested, confirmed.
Having a fix in the making.

jkowalleck added a commit that referenced this issue Jan 7, 2023
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Jan 7, 2023
* tests: regression tests for issue #328
* fix: for issue #328

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@madpah
Collaborator

madpah commented Mar 3, 2023

Confirmed that this is also resolved in 4.0.0 branch, but given breaking changes, would be written as:

from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from cyclonedx.output import get_instance, OutputFormat, SchemaVersion

bom = Bom()

a = Component(name='A', version='0.1')
b = Component(name='B', version='1.0')
c = Component(name='C', version='1.0')

# Make a tree of components A -> B -> C
b.components = [c]
a.components = [b]

# Declare dependencies the same way
bom.register_dependency(b, [c])
bom.register_dependency(a, [b])

bom.components = [a]

inst = get_instance(
    bom=bom,
    output_format=OutputFormat["XML"],
    schema_version=SchemaVersion["V1_4"],
)
inst.output_to_file("bom.xml")

Resulting in dependencies:

    <ns0:dependencies>
        <ns0:dependency ref="2d4a137b-bb3b-4584-920f-72bbe76014c0"/>
        <ns0:dependency ref="6388b504-0761-4e88-a312-c2cd2d511b7f">
            <ns0:dependency ref="fa1da10d-243b-4b3c-98ab-d7f30ffe07ca"/>
        </ns0:dependency>
        <ns0:dependency ref="fa1da10d-243b-4b3c-98ab-d7f30ffe07ca">
            <ns0:dependency ref="2d4a137b-bb3b-4584-920f-72bbe76014c0"/>
        </ns0:dependency>
    </ns0:dependencies>
