updates based on feedback from @jkowalleck

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/model/bom.py

@@ -16,7 +16,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
-
+import warnings
 from datetime import datetime, timezone
 from typing import Iterable, Optional, Set
 from uuid import UUID, uuid4
@@ -374,13 +374,25 @@ def validate(self) -> bool:
         """
 
         # 1. Make sure dependencies are all in this Bom.
-        all_component_bom_refs = set(map(lambda c: c.bom_ref, self.components))
+        all_bom_refs = set([self.metadata.component.bom_ref] if self.metadata.component else []).union(
+            set(map(lambda c: c.bom_ref, self.components)),
+            set(map(lambda s: s.bom_ref, self.services))
+        )
         all_dependency_bom_refs = set().union(*(c.dependencies for c in self.components))
-        dependency_diff = list(all_dependency_bom_refs.difference(all_component_bom_refs))
+        dependency_diff = list(all_dependency_bom_refs.difference(all_bom_refs))
         if len(dependency_diff) > 0:
             raise UnknownComponentDependencyException(
-                f'One or more Components have Dependency references to Components that are not known in this BOM. '
-                f'They are: {dependency_diff}')
+                f'One or more Components have Dependency references to Components/Services that are not known in this '
+                f'BOM. They are: {dependency_diff}')
+
+        # 2. Dependencies should exist for the Component this BOM is describing, if one is set
+        if self.metadata.component and not self.metadata.component.dependencies:
+            warnings.warn(
+                f'The Component this BOM is describing {self.metadata.component.purl} has no defined dependencies'
+                f'which means the Dependency Graph is incomplete - you should add direct dependencies to this Component'
+                f'to complete the Dependency Graph data.',
+                UserWarning
+            )
 
         return True
 

cyclonedx/output/json.py

@@ -66,11 +66,16 @@ def generate(self, force_regeneration: bool = False) -> None:
         extras = {}
         if self.bom_supports_dependencies():
             dependencies: List[Dict[str, Union[str, List[str]]]] = []
+            if self.get_bom().metadata.component:
+                dependencies.append({
+                    'ref': str(cast(Component, self.get_bom().metadata.component).bom_ref),
+                    'dependsOn': []
+                })
             if self.get_bom().components:
                 for component in self.get_bom().components:
                     dependencies.append({
                         'ref': str(component.bom_ref),
-                        'dependsOn': list(map(lambda x: str(x), component.dependencies))
+                        'dependsOn': [*map(str, component.dependencies)]
                     })
             if dependencies:
                 extras["dependencies"] = dependencies

cyclonedx/output/xml.py

@@ -18,7 +18,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import warnings
-from typing import Optional, Set
+from typing import Optional, Set, cast
 from xml.etree import ElementTree
 
 from ..model import (
@@ -111,6 +111,10 @@ def generate(self, force_regeneration: bool = False) -> None:
 
         if self.bom_supports_dependencies() and self.get_bom().components:
             dependencies_element = ElementTree.SubElement(self._root_bom_element, 'dependencies')
+            if self.get_bom().metadata.component:
+                ElementTree.SubElement(dependencies_element, 'dependency', {
+                    'ref': str(cast(Component, self.get_bom().metadata.component).bom_ref)
+                })
             for component in self.get_bom().components:
                 dependency_element = ElementTree.SubElement(dependencies_element, 'dependency', {
                     'ref': str(component.bom_ref)