fix(enrichment): clean up dependencies when filtering lockfile components#66
Status: Merged. vpetersson merged 1 commit into master on Dec 13, 2025.
Conversation
…ents

When removing lockfile components (uv.lock, requirements.txt, etc.) from SBOMs, the dependency/relationship references were not being cleaned up, causing serialization to fail with "Dependency references to Components that are not known in this BOM" errors.

Changes:
- CycloneDX: Update _filter_lockfile_components to remove lockfile refs from bom.dependencies and nested dependsOn lists
- SPDX: Add _is_lockfile_package and _filter_lockfile_packages to filter lockfile packages and clean up document.relationships
- Fix existing e2e test to include realistic dependencies like Trivy generates, preventing this class of bugs from slipping through again
- Add comprehensive unit tests for both CycloneDX and SPDX dependency cleanup
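As an added illustration (not the sbomify_action code itself), here is a dict-based version of the CycloneDX cleanup the description refers to: removing a lockfile component alone leaves `dependencies` entries and nested `dependsOn` refs pointing at a component that no longer exists, which is exactly what the serializer rejects. The lockfile-name set, the `bom-ref` values and the sample BOM are assumptions constructed for this example.

```python
import copy

# Assumed lockfile names (the project's own detection rule may differ).
LOCKFILE_NAMES = {"uv.lock", "requirements.txt", "poetry.lock", "package-lock.json"}

def is_lockfile_component(component: dict) -> bool:
    return component.get("name") in LOCKFILE_NAMES

def filter_lockfile_components(bom: dict) -> dict:
    """Return a copy of `bom` without lockfile components and without any dependency entry or dependsOn ref that pointed at them."""
    bom = copy.deepcopy(bom)
    lock_refs = {c["bom-ref"] for c in bom.get("components", []) if is_lockfile_component(c)}
    bom["components"] = [c for c in bom.get("components", []) if c["bom-ref"] not in lock_refs]
    cleaned = []
    for dep in bom.get("dependencies", []):
        if dep["ref"] in lock_refs:
            continue  # drop the lockfile's own dependency entry
        dep["dependsOn"] = [r for r in dep.get("dependsOn", []) if r not in lock_refs]  # scrub nested refs
        cleaned.append(dep)
    bom["dependencies"] = cleaned
    return bom

def dangling_refs(bom: dict) -> set:
    """Dependency refs that resolve to no component: the condition behind the serialization error."""
    known = {c["bom-ref"] for c in bom.get("components", [])}
    meta = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in meta:
        known.add(meta["bom-ref"])
    used = set()
    for dep in bom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep.get("dependsOn", []))
    return used - known

# Constructed sample shaped like a Trivy CycloneDX BOM: app -> lockfile -> pinned packages.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "demo"}},
    "components": [
        {"bom-ref": "lock", "type": "application", "name": "uv.lock"},
        {"bom-ref": "pkg:pypi/requests@2.32.3", "type": "library", "name": "requests"},
        {"bom-ref": "pkg:pypi/urllib3@2.2.2", "type": "library", "name": "urllib3"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lock"]},
        {"ref": "lock", "dependsOn": ["pkg:pypi/requests@2.32.3", "pkg:pypi/urllib3@2.2.2"]},
        {"ref": "pkg:pypi/requests@2.32.3", "dependsOn": ["pkg:pypi/urllib3@2.2.2"]},
    ],
}
```

Running `dangling_refs` on a BOM after a naive component-only filter returns `{"lock"}`, while the cleaned BOM returns an empty set; checking for dangling refs before handing the BOM to the serializer is a cheap guard against this class of bug.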
Pull request overview
This PR fixes a bug where removing lockfile components/packages from SBOMs caused serialization errors due to dangling dependency/relationship references.
Key Changes:
- Updated CycloneDX filtering to clean up bom.dependencies entries and nested dependsOn lists
- Added SPDX filtering functions (_is_lockfile_package, _filter_lockfile_packages) to remove lockfile packages and their relationships
- Enhanced existing e2e test with realistic dependency structures to prevent regression
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| sbomify_action/enrichment.py | Added dependency/relationship cleanup logic to both CycloneDX and SPDX lockfile filtering functions |
| tests/test_enrichment_module.py | Added comprehensive unit tests for dependency cleanup and updated e2e test with realistic dependency graphs |