Serialization of nested Components with Dependencies drops transitive dependencies #328
Comments
Looking at the dependency graph example at: https://cyclonedx.org/use-cases/#dependency-graph I would expect a flattened 1 node deep serialization like this:

```xml
<dependencies>
  <dependency ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
    <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c" />
  </dependency>
  <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c">
    <dependency ref="742e60fa-19f5-4dff-ac94-69c5d9a28e91" />
  </dependency>
</dependencies>
```

The reason is probably that cyclonedx-python-lib/cyclonedx/output/xml.py Line 114 in 539b57a
I remember we had this bug before, and it was supposed to be fixed.
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
tested, confirmed.
Confirmed that this is also resolved in
Resulting in dependencies:
I am not sure if this is a bug or just a misunderstanding of how Component nesting and Dependencies interact.
I have a nested BOM with multiple components that also declare dependencies between each other along the nesting hierarchy, like in the code below. An example of such a structure would be some framework with multiple applications that have dependencies on a bunch of 3rd party libraries.
This results in the following XML output (for components and dependencies):
The dependency of B on C is dropped in the serialization.
I would have expected the serialization to preserve the dependencies of the nested components as well.
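The reported symptom, modelled as an added example that is not part of this thread and not cyclonedx-python-lib code: a serializer that only visits top-level components loses the edges declared by nested ones, and a check comparing declared edges against the emitted flat `<dependencies>` element catches it. `Comp`, `walk`, `dependencies_xml`, `missing_edges` and the sample BOM are hypothetical names and constructed data.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Comp:  # hypothetical stand-in, not the library's Component class
    ref: str
    depends_on: list = field(default_factory=list)  # bom-refs this component needs
    children: list = field(default_factory=list)    # nested components


def walk(components):
    """Yield every component, descending into nested ones."""
    for c in components:
        yield c
        yield from walk(c.children)


def dependencies_xml(top_level, recurse=True):
    """Build a flat, one-node-deep <dependencies> element.

    recurse=False models the reported behaviour (assumption: only
    top-level components are visited); recurse=True visits nested ones too.
    """
    root = ET.Element("dependencies")
    for c in (walk(top_level) if recurse else top_level):
        if not c.depends_on:
            continue
        node = ET.SubElement(root, "dependency", ref=c.ref)
        for target in c.depends_on:
            ET.SubElement(node, "dependency", ref=target)
    return root


def missing_edges(top_level, root):
    """Return declared (ref, target) edges absent from the serialized graph."""
    declared = {(c.ref, t) for c in walk(top_level) for t in c.depends_on}
    emitted = {(d.get("ref"), t.get("ref"))
               for d in root.findall("dependency")
               for t in d.findall("dependency")}
    return sorted(declared - emitted)


# Constructed sample: A nests B, C is top-level; A depends on B, B depends on C.
B = Comp("B", depends_on=["C"])
BOM = [Comp("A", depends_on=["B"], children=[B]), Comp("C")]

if __name__ == "__main__":
    print(missing_edges(BOM, dependencies_xml(BOM, recurse=False)))
    print(ET.tostring(dependencies_xml(BOM), encoding="unicode"))
```

Running `missing_edges` against a generated SBOM before publishing it shows whether a consumer would see the full dependency graph.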