Fix for package dependency bug #1101

Merged: 10 commits into main from ppandrate_packageDepBug, Jun 17, 2025

Conversation

pragnya17 (Contributor)

This PR aims to fix a bug that affects SBOM accuracy and determinism during generation. The bug's impact means that all the SBOMs we have been generating since this PR () was merged are not fully representative of the build drop path and are not deterministic. We are discarding a large proportion of our transitive dependency information, and the transitive dependencies that are selected for inclusion may vary between SBOM creations for the same drop.

The root cause was that the package info created from the component detection results was incorrect. We were only getting the FirstOrDefault() AncestralReferrer for each package, which was not deterministic and did not consider the case of multiple referrers.

This PR gets all the package dependencies from the component detection results and translates them correctly into package dependency relationships in the SBOM.

@pragnya17 pragnya17 requested a review from a team as a code owner June 16, 2025 21:19
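The two translations the description contrasts, as an added C# example that is not sbom-tool's or component-detection's own code. It assumes a simplified component shape (a `ScannedComponent` record carrying an `AncestralReferrers` list of package ids) and constructed scan results; the record and method names are illustrative. The first method keeps only `FirstOrDefault()` of the referrers, so a package pulled in by two parents is recorded under whichever parent enumerates first; the second emits one relationship per (referrer, package) pair and sorts the output so two runs over the same scan yield identical relationships.

```csharp
// Added example, not the PR's or the project's code. Shapes below are assumptions:
// ScannedComponent approximates a component-detection result with its referrers,
// PackageDependency approximates an SBOM DEPENDS_ON relationship.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed record ScannedComponent(string Id, IReadOnlyList<string> AncestralReferrers);

public sealed record PackageDependency(string FromPackage, string ToPackage);

public static class DependencyTranslation
{
    // "First referrer only": at most one relationship per component, chosen by
    // enumeration order. Every additional referrer is silently dropped.
    public static IReadOnlyList<PackageDependency> FirstReferrerOnly(IEnumerable<ScannedComponent> components)
    {
        var result = new List<PackageDependency>();
        foreach (var c in components)
        {
            var parent = c.AncestralReferrers.FirstOrDefault();
            if (parent != null)
            {
                result.Add(new PackageDependency(parent, c.Id));
            }
        }
        return result;
    }

    // "All referrers": one relationship per (referrer, component) pair, de-duplicated
    // (records compare by value) and ordinally sorted so output does not depend on
    // the order in which the detector happened to enumerate referrers.
    public static IReadOnlyList<PackageDependency> AllReferrers(IEnumerable<ScannedComponent> components)
    {
        return components
            .SelectMany(c => c.AncestralReferrers.Select(p => new PackageDependency(p, c.Id)))
            .Distinct()
            .OrderBy(d => d.FromPackage, StringComparer.Ordinal)
            .ThenBy(d => d.ToPackage, StringComparer.Ordinal)
            .ToList();
    }

    public static void Main()
    {
        // Constructed scan: "shared-lib" is referenced by two top-level packages.
        // Run B lists the same referrers in a different order to mimic
        // non-deterministic enumeration between two SBOM generations.
        var runA = new[]
        {
            new ScannedComponent("app-a", Array.Empty<string>()),
            new ScannedComponent("app-b", Array.Empty<string>()),
            new ScannedComponent("shared-lib", new[] { "app-a", "app-b" }),
            new ScannedComponent("leaf", new[] { "shared-lib" }),
        };
        var runB = new[]
        {
            runA[0],
            runA[1],
            new ScannedComponent("shared-lib", new[] { "app-b", "app-a" }),
            runA[3],
        };

        // FirstOrDefault: run A records app-a -> shared-lib, run B records app-b -> shared-lib;
        // each run loses one edge and the two SBOMs disagree.
        Console.WriteLine("FirstOrDefault, run A: " + string.Join("; ", FirstReferrerOnly(runA)));
        Console.WriteLine("FirstOrDefault, run B: " + string.Join("; ", FirstReferrerOnly(runB)));

        // All referrers: both runs record app-a -> shared-lib, app-b -> shared-lib,
        // shared-lib -> leaf, in the same order.
        Console.WriteLine("All referrers, run A:  " + string.Join("; ", AllReferrers(runA)));
        Console.WriteLine("All referrers, run B:  " + string.Join("; ", AllReferrers(runB)));
        Console.WriteLine("Deterministic across runs: " + AllReferrers(runA).SequenceEqual(AllReferrers(runB)));
    }
}
```

One caveat the example leaves out on purpose: components with no referrer (`app-a`, `app-b` above) produce no relationship under either translation. A real generator still has to attach those top-level packages to the root (drop) package with a separate relationship, or they become disconnected nodes in the SBOM graph; the example only covers the package-to-package edges the PR description is about.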
@pragnya17 (Contributor Author)

/azp run

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@microsoft microsoft deleted 8 comments from github-actions bot Jun 17, 2025
@pragnya17 pragnya17 enabled auto-merge (squash) June 17, 2025 23:13
@pragnya17 pragnya17 merged commit f95e539 into main Jun 17, 2025
5 checks passed
@pragnya17 pragnya17 deleted the ppandrate_packageDepBug branch June 17, 2025 23:18