wip

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

cyclonedx/model/contact.py

@@ -163,10 +163,10 @@ def street_address(self, street_address: Optional[str]) -> None:
 
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
-            self.bom_ref,
             self.country, self.region, self.locality, self.postal_code,
             self.post_office_box_number,
-            self.street_address
+            self.street_address,
+            self.bom_ref.value,
         ))
 
     def __eq__(self, other: object) -> bool:

cyclonedx/model/definition.py

@@ -256,7 +256,7 @@ def external_references(self, external_references: Iterable[ExternalReference])
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to compare all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref, self.identifier,
+            self.identifier, self.bom_ref.value,
             self.title, self.text,
             _ComparableTuple(self.descriptions),
             _ComparableTuple(self.open_cre), self.parent, _ComparableTuple(self.properties),
@@ -373,7 +373,9 @@ def requirements(self, requirements: Iterable[Union[str, BomRef]]) -> None:
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to compare all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref, self.identifier, self.title, self.description, _ComparableTuple(self.requirements)
+            self.identifier, self.bom_ref.value,
+            self.title, self.description,
+            _ComparableTuple(self.requirements)
         ))
 
     def __lt__(self, other: Any) -> bool:
@@ -545,8 +547,9 @@ def external_references(self, external_references: Iterable[ExternalReference])
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to apply all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref,
-            self.name, self.version, self.description, self.owner,
+            self.name, self.version,
+            self.bom_ref.value,
+            self.description, self.owner,
             _ComparableTuple(self.requirements), _ComparableTuple(self.levels),
             _ComparableTuple(self.external_references)
         ))

cyclonedx/model/service.py

@@ -355,6 +355,7 @@ def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None:
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
             self.group, self.name, self.version,
+            self.bom_ref.value,
             self.provider, self.description,
             self.authenticated, _ComparableTuple(self.data), _ComparableTuple(self.endpoints),
             _ComparableTuple(self.external_references), _ComparableTuple(self.licenses),

cyclonedx/model/vulnerability.py

@@ -1334,7 +1334,7 @@ def properties(self, properties: Iterable[Property]) -> None:
 
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
-            self.id,
+            self.id, self.bom_ref.value,
             self.source, _ComparableTuple(self.references),
             _ComparableTuple(self.ratings), _ComparableTuple(self.cwes), self.description,
             self.detail, self.recommendation, self.workaround, _ComparableTuple(self.advisories),

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.0.xml.bin

@@ -4,13 +4,13 @@
     <component type="library">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/[email protected]</purl>
       <modified>false</modified>
     </component>
     <component type="library">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]</purl>
+      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
       <modified>false</modified>
     </component>
   </components>

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.1.xml.bin

@@ -1,15 +1,15 @@
 <?xml version="1.0" ?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
   <components>
-    <component type="library" bom-ref="dummy-b">
+    <component type="library" bom-ref="dummy-a">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/[email protected]</purl>
     </component>
-    <component type="library" bom-ref="dummy-a">
+    <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]</purl>
+      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
 </bom>

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.json.bin

@@ -1,16 +1,16 @@
 {
   "components": [
     {
-      "bom-ref": "dummy-b",
+      "bom-ref": "dummy-a",
       "name": "dummy",
-      "purl": "pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/[email protected]",
       "type": "library",
       "version": "2.3.5"
     },
     {
-      "bom-ref": "dummy-a",
+      "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/[email protected]",
+      "purl": "pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.2.xml.bin

@@ -4,15 +4,15 @@
     <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
   </metadata>
   <components>
-    <component type="library" bom-ref="dummy-b">
+    <component type="library" bom-ref="dummy-a">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/[email protected]</purl>
     </component>
-    <component type="library" bom-ref="dummy-a">
+    <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]</purl>
+      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.json.bin

@@ -1,16 +1,16 @@
 {
   "components": [
     {
-      "bom-ref": "dummy-b",
+      "bom-ref": "dummy-a",
       "name": "dummy",
-      "purl": "pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
+      "purl": "pkg:pypi/[email protected]",
       "type": "library",
       "version": "2.3.5"
     },
     {
-      "bom-ref": "dummy-a",
+      "bom-ref": "dummy-b",
       "name": "dummy",
-      "purl": "pkg:pypi/[email protected]",
+      "purl": "pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6",
       "type": "library",
       "version": "2.3.5"
     }

tests/_data/snapshots/get_bom_for_issue_598_multiple_components_with_purl_qualifiers-1.3.xml.bin

@@ -4,15 +4,15 @@
     <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
   </metadata>
   <components>
-    <component type="library" bom-ref="dummy-b">
+    <component type="library" bom-ref="dummy-a">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
+      <purl>pkg:pypi/[email protected]</purl>
     </component>
-    <component type="library" bom-ref="dummy-a">
+    <component type="library" bom-ref="dummy-b">
       <name>dummy</name>
       <version>2.3.5</version>
-      <purl>pkg:pypi/[email protected]</purl>
+      <purl>pkg:pypi/[email protected]?vcs_url=git%2Bhttps://github.com/jazzband/pathlib2.git%405a6a88db3cc1d08dbc86fbe15edfb69fb5f5a3d6</purl>
     </component>
   </components>
   <dependencies>