
Preserve relationships in StripSBOM function (needed by kubevuln's filterSBOM)#289

Merged
matthyx merged 1 commit intomainfrom
strip
Feb 24, 2026

Conversation

@matthyx
Contributor

@matthyx matthyx commented Feb 24, 2026

Summary by CodeRabbit

  • Bug Fixes
    • Fixed an issue where software bill of materials (SBOM) relationship information was being incorrectly removed during processing operations. Relationship data is now properly preserved to maintain complete software composition visibility.

…lterSBOM)

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
@coderabbitai

coderabbitai bot commented Feb 24, 2026

📝 Walkthrough

The StripSBOM function is modified to preserve the Relationships field instead of explicitly clearing it to nil. Corresponding test expectations are updated to reflect that relationships remain in the SBOM after stripping.

Changes

Cohort / File(s): StripSBOM Implementation & Tests
  pkg/apis/softwarecomposition/v1beta1/syfttypes.go, pkg/apis/softwarecomposition/v1beta1/syfttypes_test.go
Summary: Removed the explicit clearing of syftSBOM.Relationships = nil during StripSBOM operation. Test expectations updated in two cases ("nil packages collection" and "complete SBOM") to verify relationships are preserved rather than cleared.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Relationships preserved with a gentle hop,
No more clearing fields—let the bonds not stop!
SBOM stays whole, connections intact,
A small change made, but perfectly packed. 🤝

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and specifically describes the main change: preserving relationships in StripSBOM instead of clearing them, and clearly indicates the dependency reason.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
pkg/apis/softwarecomposition/v1beta1/syfttypes_test.go (2)

40-40: Consider a stronger assertion than NotNil to confirm relationship content is preserved.

assert.NotNil only guards against nil; it won't catch StripSBOM partially modifying or replacing the slice. Since both fixtures seed exactly one relationship, assert.Len is a tighter check with almost no extra cost.

♻️ Proposed refinement
-				assert.NotNil(t, sbom.Relationships, "relationships should be preserved")
+				assert.Len(t, sbom.Relationships, 1, "relationships should be preserved")
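Review bot: assert.Len(t, sbom.Relationships, 1, ...) still only checks the count, so a StripSBOM that replaced the single seeded relationship with a different entry, or rewrote its From/To/Type, would still pass. Since both fixtures seed exactly one known relationship, compare against the seeded slice instead (assert.Equal on the expected relationships with the same message), and apply it at both line 40 and line 54.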

Apply the same change at both line 40 and line 54.

Also applies to: 54-54

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/apis/softwarecomposition/v1beta1/syfttypes_test.go` at line 40, Replace
the weak NotNil checks on the relationships slice with a length assertion to
ensure content is preserved: where the test currently calls assert.NotNil(t,
sbom.Relationships, "relationships should be preserved") (and the similar call
at the second occurrence), change it to assert.Len(t, sbom.Relationships, 1,
"relationships should be preserved") so the test verifies that the single seeded
relationship remains after StripSBOM; keep the same message and apply the change
for both occurrences referencing sbom.Relationships.

15-79: Add a test case for a nil Relationships field to close the "preserve" contract.

The PR goal is to preserve relationships — which means nil should stay nil (no accidental initialization) and non-nil should stay non-nil. Currently only the non-nil path is exercised. A small extra case validates the other half:

♻️ Suggested additional test case
+       {
+               name: "nil relationships preserved",
+               input: &sbom.SBOM{
+                       Artifacts: sbom.Artifacts{
+                               FileMetadata: map[syftfile.Coordinates]syftfile.Metadata{},
+                               FileDigests:  map[syftfile.Coordinates][]syftfile.Digest{},
+                               FileContents: map[syftfile.Coordinates]string{},
+                               Unknowns:     map[syftfile.Coordinates][]string{},
+                       },
+                       Relationships: nil,
+               },
+               verify: func(t *testing.T, sbom *sbom.SBOM) {
+                       assert.Nil(t, sbom.Relationships, "nil relationships should remain nil after strip")
+               },
+       },
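Review bot: the verify function in this added case only asserts that Relationships stays nil, so the nil-relationships path would not catch a regression elsewhere in StripSBOM. Give it the same preservation/clearing assertions the existing "nil packages collection" and "complete SBOM" cases carry (Descriptor.Configuration cleared, FileMetadata/FileDigests/FileContents preserved, FileLicenses/Executables cleared, Unknowns preserved) in addition to the assert.Nil on sbom.Relationships.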
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/apis/softwarecomposition/v1beta1/syfttypes_test.go` around lines 15 - 79,
Test suite TestStripSBOM is missing a case that verifies nil Relationships are
preserved (stay nil) — add a new test case named "nil relationships" in the
tests slice that supplies an SBOM whose Relationships field is nil (e.g. create
an input via a helper like createSBOMWithNilRelationships() or clone
createCompleteSBOM and set Relationships = nil) and a verify function that
asserts sbom.Relationships is nil and also checks the same preservation/clearing
expectations as the other cases (Descriptor.Configuration cleared,
FileMetadata/FileDigests/FileContents preserved, FileLicenses/Executables
cleared, Unknowns preserved, and package-level assertions if packages exist);
place this case alongside the existing "nil packages collection" and "complete
SBOM" cases so both nil and non-nil relationship paths are exercised.

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4fe4fa0 and c3241ce.

📒 Files selected for processing (2)
  • pkg/apis/softwarecomposition/v1beta1/syfttypes.go
  • pkg/apis/softwarecomposition/v1beta1/syfttypes_test.go
💤 Files with no reviewable changes (1)
  • pkg/apis/softwarecomposition/v1beta1/syfttypes.go
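As an added illustration of the contract discussed in the walkthrough and in the nil-relationships review comment (not code from this repository or from syft), the block below uses a minimal stand-in SBOM type with only the fields named on this page: a strip function clears the heavy fields and leaves Relationships untouched, and a check stricter than NotNil or Len confirms the slice survived unchanged, distinguishing nil from empty.

```go
package main

import "fmt"

// Minimal stand-ins for the syft SBOM fields named in this PR (hypothetical types, not syft's own).
type Relationship struct{ From, To, Type string }

type Artifacts struct {
	FileMetadata map[string]string   // preserved by the strip
	FileLicenses map[string][]string // cleared by the strip
	Executables  map[string]string   // cleared by the strip
}

type SBOM struct {
	Configuration interface{} // stands in for Descriptor.Configuration, cleared by the strip
	Artifacts     Artifacts
	Relationships []Relationship // must survive the strip: kubevuln's filterSBOM walks it
}

// stripSBOM drops fields not needed downstream and leaves Relationships untouched:
// a nil slice stays nil and a populated slice keeps its elements.
func stripSBOM(s *SBOM) *SBOM {
	s.Configuration = nil
	s.Artifacts.FileLicenses = nil
	s.Artifacts.Executables = nil
	return s
}

// relationshipsIntact is the tighter check the review asks for: same nil-ness,
// same length and identical elements, so a replaced or partially edited slice fails.
func relationshipsIntact(want, got []Relationship) bool {
	if (want == nil) != (got == nil) || len(want) != len(got) {
		return false
	}
	for i := range want {
		if want[i] != got[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: one package-to-file relationship, as the test fixtures seed.
	seed := []Relationship{{From: "pkg:deb/debian/openssl@3.0.11", To: "/usr/lib/libssl.so.3", Type: "contains"}}
	s := &SBOM{Configuration: map[string]string{"scope": "squashed"}, Relationships: append([]Relationship(nil), seed...)}
	stripSBOM(s)
	fmt.Println("relationships intact:", relationshipsIntact(seed, s.Relationships), "config cleared:", s.Configuration == nil)
}
```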

@github-actions

Summary:

  • License scan: failure
  • Credentials scan: failure
  • Vulnerabilities scan: failure
  • Unit test: success
  • Go linting: failure

@matthyx matthyx merged commit 2a93f18 into main Feb 24, 2026
7 checks passed
@matthyx matthyx deleted the strip branch February 24, 2026 15:45