# Task 1 Perspectives on Python-oriented SBOM Generation Tools
Task 1 analysed current SBOM generation practices in the Python ecosystem and identified a fundamental limitation: existing tools rely primarily on metadata files or semi-dynamic installation processes, leading to incomplete dependency discovery and inconsistent results. Through critical synthesis of recent academic work, the first part motivates a new SBOM generation approach that shifts the focus from metadata-centric analysis to source-code–level dependency discovery.
This part is now dedicated to the implementation of our novel approach. Using Python’s Abstract Syntax Tree (AST) to extract imports directly from source code and construct a dependency graph, we complement existing methods and seek to achieve 100% completeness. 
The first section is about the project's chosen datasets, why and how they've been merged. The second section is about the choice of data structure appropriate for graph problems. Goodrich et al.[2] provide us with four possible data structures

## Nota bene
1. In the first task, under Comparison and metrics, we suggest correctness will be also assessed. This was a mistake; the focus of this project remains exclusively about completeness, as in capturing all dependencies.  
2. This project revolving around packages, ***unless `requirements.txt` is ran in a virtualenv with python 3.11 at least, 
the AST analysis part won't work***, for it is the source code of the different required packages that is analysed. 

## 1 Data structures 
One could conceive the data structure defining how packages relate to one another naively as a tree, where each package may have children-packages. In fact, it is often referred in the literature as a dependency tree. However, 
this term misrepresents the true nature of software dependencies, for packages rarely have a single parent relationship or even form (problematic) cycles, per Tellnes' own introduction of the problem[1]. Thus, in professional software development, dependency graphs are the norm. For this reason, the core data structure featured in this document will be shaped by graph theory. Goodrich et al.[2] provide us with four possible data structures: 
1. edge lists 
2. adjacency list
3. adjacency map
4. adjacency matrix 

Whilst in the task n°1 it had been concluded that the adjacency list had to be used for NodeVisitor depended on it, 
it turned out that `ast.NodeVisitor` doesnt really expect a specific type. We were thus free to choose any of those data structures. One could choose the edge list on a whim, for it is easy to implement, and has the most optimal for the three functions we would use (`vertices()` being O(n), `insert_vertices()` and `insert_edges()` being O(1)), as described in [2, p.627], to construct the graph and compare it against others. But doing so would be a mistake; we cannot forget some projects might have cycles and for this reason we need to be able to avoid duplicates. Replacing the lists by sets would mean both the getter and setter necessary to check for duplicates before adding are O(n) too[3]. Therefore it would have best to use a adjacency map, for its getter `get_edge()` is O(1), but our dataset needs to exported and merged too, implying serialisation is a major challenge for behavior-heavy objects like graphs. Bad experience has been made about this last part, as visible in our chatgpt transcript[4]. Hence we reverted back to the first option that was the edge lists, but with sets instead, for we will only implement a small subset of functions where O(1) applies. Sets allow for easy comparisons, perfect for later analyses. It is important to note that python's sets make us of hashmaps, which for insertion and look-ups are worth O(1) too. We follow Goodrich et al.'s edge list implementation otherwise[3].

In [1]:
from dataclasses import dataclass, field
from typing import Any

@dataclass(eq=True, frozen=True)
class Package():
    name: str
    #node: Any | None = None # only assigned something else when parsing with the AST algorithm 

    @staticmethod
    # O(c) => "simple" deserialisation
    def from_dict(d: dict) -> "Package":
        return Package(**d)

@dataclass(eq=True, frozen=True)
class ImportStatement():
    who_imports: Package
    who_is_imported: Package

    @staticmethod
    # O(c) => constant time
    def from_dict(d: dict) -> "ImportStatement":
        return ImportStatement(
            who_imports=Package.from_dict(d["imports"]),
            who_is_imported=Package.from_dict(d["imported"]),
        )
    
@dataclass(eq=True, frozen=True)
class DependencyGraph():
    packages: set[Package] = field(default_factory=set)
    import_statements: set[ImportStatement] = field(default_factory=set)

    # O(c) => simple append, constant time
    def insert_package(self, package_name: str, node: Any | None = None) -> Package:
        new_package = Package(package_name)
        self.packages.add(new_package)

        return new_package

    # O(c) => simple append, constant time
    def insert_importstatement(self, imports: Package, imported: Package):
        new_importstatement = ImportStatement(imports, imported)
        self.import_statements.add(new_importstatement)

        return new_importstatement
    
    # O(n) => linear time because we have to look through the whole list
    def imports(self, package: Package) -> list[ImportStatement]:
        return [statement for statement in self.import_statements if statement.who_imports == package]
    
    @staticmethod
    # O(2n) => linear time still but we have to loop through two(2) lists
    def from_dict(d: dict) -> "DependencyGraph":
        return DependencyGraph(
            packages=set(Package.from_dict(p) for p in d["packages"]),
            import_statements=set(
                ImportStatement.from_dict(i)
                for i in d["import_statements"]
            ),
        )

@dataclass
class PackageAnalysis:
    source_path: str
    graphs: dict[str, DependencyGraph]
    raw_packages_from_metadata: list[str]
    ground_truth: DependencyGraph | None

    @staticmethod
    # O(n^2) => quadratic time, and looping
    # 1 for instantiation
    # 1 for return
    def from_dict(d: dict) -> "PackageAnalysis":
        return PackageAnalysis(
            source_path=d["source_path"],
            graphs={
                k: DependencyGraph.from_dict(v)
                for k, v in d["graphs"].items()
            },
            raw_packages_from_metadata=d["raw_packages_from_metadata"],
            ground_truth=(
                DependencyGraph.from_dict(d["ground_truth"])
                if d["ground_truth"] is not None
                else None
            ),
        )

@dataclass
class Dataset:
    package_analyses: dict[str, PackageAnalysis] = field(default_factory=dict)

    @staticmethod
    # O(n^3) => cubic time because we have to loop through multiple nested objects
    def from_dict(d: dict) -> "Dataset":
        return Dataset(
            package_analyses={
                k: PackageAnalysis.from_dict(v)
                for k, v in d["package_analyses"].items()
            }
        )

## 2.0 Datasets and setup 
In the subsequent task, we examined and selected two datasets that allow us to draw a comparison between our tools and our new approach. Both datasets contain the source code of different pacakges to analyse. Due to the sheer size of those datasets (multiple GBs), they are not included in this file directly and can be consulted on the (project's github repository)[https://github.com/rtafurthgarcia/COM713].
Our datasets (`\ds1` and `\ds2`) share the same structure:
- `\packages` contains the packages to analyse and to generate SBOMs from, 
- `\sbom` contains the generated SBOMs generated by each tool for each package, and serve as comparison source.

### 2.1 Dataset n°1
Dataset n1 (ds1) is a copy from Cofano et al. Dependencies are read from `requirements.txt` from `\sbom`. This dataset contains no ground truth, and only `\sbom` can be used to draw a comparison between our new approach and the other tools. 
Here, `COM713`, a package specially crafted to avoid detection by regular metadata-only tools has been added in the `requirements.txt` files. This will allow us to test that our AST analyser is immune to parser confusion.

### 2.2 Dataset n°2
Dataset n2 (ds2) is a copy from Jia et al's dataset. `\deptree_gt` contains the ground truth as json files for each package to compare with the other tools real performance in `\sbom`

### 2.3 Preprocessing and merging
These two datasets have been parsed and merged externally; the process required a cyclonedx library that couldnt be attached to this project. However, if curious as to how it worked, you can peek into the `merge.py` file and see how it got done. It required serialising our dataclasses from above into json files. By merging is meant combining all previous relevant dataset files into one, but we keep both datasets distinct for practical reasons. Deserialising those datasets meant implementing `from_dict` functions as to retroactively convert all nested objects into their original types.

In [2]:
import json

dataset1: Dataset
dataset2: Dataset

with open("merged_ds1.json", "r") as dataset_file:
    dataset1 =  Dataset.from_dict(json.loads(dataset_file.read())) 

with open("merged_ds2.json", "r") as dataset_file:
    dataset2 =  Dataset.from_dict(json.loads(dataset_file.read())) 

## 3. AST Algorithm
Our AST algorithm follows this logic: 

```
                                                                               ┌───────────────────┐     
                                                                               │                   │     
                                                                ┌────────┐     │                   │     
                                                                │        │     │ Print the SBOM    │     
                                                                │ Start ◄┼─────┼ and export it as a│     
                                                                │        │     │ file             ◄┼┐    
                                                                └────────┘     │                   ││    
                                                                               └───────────────────┘│    
                                                                                                    │    
                                                                                                   No    
                                                                                                    │    
                                                                                                    │    
                                                                                                 xxx│x   
                                                                             xxxxx              xx   xx  
                  ┌────────────────┐        ┌────────────────────┐          xx   xx            xx     xx 
                  │                │        │                    │         xx     xx          xx Any   xx
┌────────┐        │                │        │ Look through the   │        xx Any   xx         x  .py    x
│        │        │  Read source   │        │ AST for import     │        x  import ───No─────►x left? xx
│ Start ─┼────────┼► file (.py),   ┼────────► statements         ┼────────►x left? xx          xx     xx 
│        │        │  build the AST │        │                    │         xx     xx            xx   xx  
└────────┘        │                │        │                    │          xx   xx              xx xx   
                  └──────▲─────────┘        └────────▲───────────┘           xx xx                │xx    
                         │                           │                        x│x                 │      
                         │                           │                         │                  │      
                         │                           │                         │                  │      
                         │                           │                        Yes                Yes     
                         │                  ┌────────┼───────────┐             │                  │      
                         │                  │                    │             │                  │      
                         │                  │  Add to graph      │             │                  │      
                         │                  │                   ◄│─────────────┘                  │      
                         │                  │                    │                                │      
                         │                  │                    │      ┌────────────────────┐    │      
                         │                  └────────────────────┘      │                    │    │      
                         │                                              │  Move to next      │    │      
                         └──────────────────────────────────────────────│  source file,      │────┘      
                                                                        │  mark file as read │           
                                                                        │                    │           
                                                                        └────────────────────┘           
```

In [None]:
import ast
import os 
import sys
from pathlib import Path
from importlib.util import find_spec
from importlib.metadata import packages_distributions

class PackageAnalyser(ast.NodeVisitor):
    """
    Parses the package's sourcecode, build an abstract syntax tree, and from this, identifies the imports 
    that will allow to dive deeper into each imported package. This process is what generates our dependency graph, 
    where each Vertex or Package will be an entry in our SBOM.
    """
    def __init__(self, source_path: str):
        self.source_path = source_path
        self.graph = DependencyGraph()
        self.current_file = ""
        self.distribution_packages = packages_distributions()
        self._visited_nodes = {}

        if os.path.exists(self.source_path):
            if (os.path.isfile(self.source_path)) and source_path.endswith(".py"):
                #self.graph.insert_package(root_package_name)
                self.current_file = self.source_path
            elif (os.path.isdir(self.source_path)):
                self.current_file = [file for file in os.listdir(self.source_path) if file.endswith(".py")][0]
            else:
                raise Exception("No source file found")

    """
    Each visit_x function is called each time a node of a node of our abstract syntax tree is visited
    _Module -> is called each time a new module is visited
    _Import -> is called each time a new import is visited
    _ImportFrom -> is called each time a a new from ... import is visited 
    """
    def visit_Module(self, node: ast.Module) -> None:
        self._visited_nodes[self.current_file] = node
        
        package_name = Path(self.current_file).stem

        # ultimately, we only want to add to our graph the distribution packages
        if (not package_name.startswith("__")):
            self.current_package = self.graph.insert_package(package_name)
        
        self.generic_visit(node)

    # O(n!) Really bad, _parse_and_visit will both read, build the AST tree, and look for 
    # further files to parse by calling itself during the "visiting" of the tree
    def visit_Import(self, node: ast.Import) -> None:
        package_name = node.names[0].name # the first name works

        if (not self._is_separate_package(package_name)):
            return
        
        package_path = self._find_package_path(package_name)
        self._parse_and_visit(package_path)
        self._visited_nodes[package_path] = node
        
        # ultimately, we only want to add to our graph the distribution packages
        if (package_name in self.distribution_packages):
            new_package = self.graph.insert_package(package_name)
            self.graph.insert_importstatement(
                self.current_package, 
                new_package)
            self.current_package = new_package
            self.generic_visit(node)

    # O(n!) Really bad, _parse_and_visit will both read, build the AST tree, and look for 
    # further files to parse by calling itself during the "visiting" of the tree
    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        package_name = node.module or "" # we want the x from 'from x import y', not the y

        if (not self._is_separate_package(package_name)):
            return
        
        package_path = self._find_package_path(package_name)
        self._parse_and_visit(package_path) # This makes it a recursive process!
        self._visited_nodes[package_path] = node

        # ultimately, we only want to add to our graph the distribution packages
        if (package_name in self.distribution_packages):
            new_package = self.graph.insert_package(package_name)
            self.graph.insert_importstatement(
                self.current_package, 
                new_package)
            self.current_package = new_package

            self.generic_visit(node)

    # O(1) nothing too special
    def _is_separate_package(self, node_name: str) -> bool:
        """
        Distinguish between just regular modules, proper modules from separate installed packages
        and stdlib packages
        """
        if node_name == '':
            return False

        if node_name in sys.stdlib_module_names:
            return False

        try:
            spec = find_spec(node_name)
            if spec is None or spec.submodule_search_locations is None:
                return False
            else:
                return True
        except:
            return False
    
    def _find_package_path(self, node_name: str) -> str:
        spec = find_spec(node_name)       
        if (spec is None or spec.submodule_search_locations is None or spec.origin is None):
            raise FileNotFoundError("Couldn't find the package's og source")
        else:
            return spec.origin
        
    def _parse_and_visit(self, file_path: str) -> None:
        """
        Read the source, parse it to further build the AST, then explore its edges to discover other packages
        """
        if not file_path.endswith(".py"):
            return 
        
        if file_path in self._visited_nodes: # a look up is constant thx to the fact that its a hashmap!
            return 

        try:
            with open(file_path, "r") as source_file:
                code = source_file.read()
                tree = ast.parse(code)
                self.current_file = file_path
                self.visit(tree)
        except:
            return
            
    
    def analyse(self) -> None:
        """
        Will parse the package's source code and build an AST from it, where every node from the tree will be visited
        """
        if (os.path.isfile(self.source_path)):
            self._parse_and_visit(self.source_path)
        elif (os.path.isdir(self.source_path)):
            for root, _, files in os.walk(self.source_path):
                for file in files:
                    file_path = os.path.join(root, file)
                    self._parse_and_visit(file_path)
    
    def print_packages(self) -> None:
        for package in self.graph.packages:
            print(package.name)

for package, analysis in dataset1.package_analyses.items():
    analyser = PackageAnalyser(source_path=analysis.source_path)
    analyser.analyse()
    analyser.print_packages()
    

main
main
main


## References
[1] J. Tellnes, « Dependencies: No Software is an Island », Master thesis, The University of Bergen, 2013. Available on: https://bora.uib.no/bora-xmlui/handle/1956/7540
[2] M. T. Goodrich, R. Tamassia, et M. H. Goldwasser, Data structures and algorithms in Python, 1st edition. Hoboken, N.J: Wiley, 2013.
[3] « TimeComplexity - Python Wiki ». Consulted the: 4 janvier 2026. [Online]. Available on: https://wiki.python.org/moin/TimeComplexity
[4] R. E. L. Tafurth Garcia, « ChatGPT - COM713 », Transcript. [Online]. Available: https://chatgpt.com/share/695ad5cb-35f8-8008-a3a0-d8b0302b4eb2
