added additional tests to validate Component in Metadata is properly represented in Dependency Graph

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/output/json.py

@@ -69,7 +69,7 @@ def generate(self, force_regeneration: bool = False) -> None:
             if self.get_bom().metadata.component:
                 dependencies.append({
                     'ref': str(cast(Component, self.get_bom().metadata.component).bom_ref),
-                    'dependsOn': []
+                    'dependsOn': [*map(str, cast(Component, self.get_bom().metadata.component).dependencies)]
                 })
             if self.get_bom().components:
                 for component in self.get_bom().components:

cyclonedx/output/xml.py

@@ -112,9 +112,13 @@ def generate(self, force_regeneration: bool = False) -> None:
         if self.bom_supports_dependencies() and (self.get_bom().metadata.component or self.get_bom().components):
             dependencies_element = ElementTree.SubElement(self._root_bom_element, 'dependencies')
             if self.get_bom().metadata.component:
-                ElementTree.SubElement(dependencies_element, 'dependency', {
+                dependency_element = ElementTree.SubElement(dependencies_element, 'dependency', {
                     'ref': str(cast(Component, self.get_bom().metadata.component).bom_ref)
                 })
+                for dependency in cast(Component, self.get_bom().metadata.component).dependencies:
+                    ElementTree.SubElement(dependency_element, 'dependency', {
+                        'ref': str(dependency)
+                    })
             for component in self.get_bom().components:
                 dependency_element = ElementTree.SubElement(dependencies_element, 'dependency', {
                     'ref': str(component.bom_ref)

tests/data.py

@@ -130,6 +130,13 @@ def get_bom_with_dependencies_invalid() -> Bom:
     ])
 
 
+def get_bom_with_metadata_component_and_dependencies() -> Bom:
+    bom = Bom(components=[get_component_toml_with_hashes_with_references()])
+    bom.metadata.component = get_component_setuptools_simple()
+    bom.metadata.component.dependencies.update([get_component_toml_with_hashes_with_references().bom_ref])
+    return bom
+
+
 def get_bom_with_component_setuptools_complete() -> Bom:
     component = get_component_setuptools_simple(bom_ref=MOCK_UUID_6)
     component.supplier = get_org_entity_1()

tests/fixtures/json/1.2/bom_dependencies_component.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2021-09-01T10:50:42.051979+00:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-python-lib",
+        "version": "VERSION"
+      }
+    ],
+    "component": {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "author": "Test Author",
+      "name": "setuptools",
+      "version": "50.3.2",
+      "licenses": [
+        {
+          "expression": "MIT License"
+        }
+      ],
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  },
+  "components": [
+     {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "name": "toml",
+      "version": "0.10.2",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://cyclonedx.org",
+          "comment": "No comment"
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": [
+        "pkg:pypi/[email protected]?extension=tar.gz"
+      ]
+    },
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": []
+    }
+  ]
+}

tests/fixtures/json/1.3/bom_dependencies_component.json

@@ -0,0 +1,70 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2021-09-01T10:50:42.051979+00:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-python-lib",
+        "version": "VERSION"
+      }
+    ],
+    "component": {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "author": "Test Author",
+      "name": "setuptools",
+      "version": "50.3.2",
+      "licenses": [
+        {
+          "expression": "MIT License"
+        }
+      ],
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  },
+  "components": [
+     {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "name": "toml",
+      "version": "0.10.2",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://cyclonedx.org",
+          "comment": "No comment",
+          "hashes": [
+            {
+              "alg": "SHA-256",
+              "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": [
+        "pkg:pypi/[email protected]?extension=tar.gz"
+      ]
+    },
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": []
+    }
+  ]
+}

tests/fixtures/json/1.4/bom_dependencies_component.json

@@ -0,0 +1,104 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2021-09-01T10:50:42.051979+00:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-python-lib",
+        "version": "VERSION",
+        "externalReferences": [
+          {
+            "type": "build-system",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
+          },
+          {
+            "type": "distribution",
+            "url": "https://pypi.org/project/cyclonedx-python-lib/"
+          },
+          {
+            "type": "documentation",
+            "url": "https://cyclonedx.github.io/cyclonedx-python-lib/"
+          },
+          {
+            "type": "issue-tracker",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
+          },
+          {
+            "type": "license",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
+          },
+          {
+            "type": "release-notes",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
+          },
+          {
+            "type": "vcs",
+            "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
+          },
+          {
+            "type": "website",
+            "url": "https://cyclonedx.org"
+          }
+        ]
+      }
+    ],
+    "component": {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "author": "Test Author",
+      "name": "setuptools",
+      "version": "50.3.2",
+      "licenses": [
+        {
+          "expression": "MIT License"
+        }
+      ],
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  },
+  "components": [
+     {
+      "type": "library",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "name": "toml",
+      "version": "0.10.2",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "distribution",
+          "url": "https://cyclonedx.org",
+          "comment": "No comment",
+          "hashes": [
+            {
+              "alg": "SHA-256",
+              "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": [
+        "pkg:pypi/[email protected]?extension=tar.gz"
+      ]
+    },
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "dependsOn": []
+    }
+  ]
+}

tests/fixtures/xml/1.2/bom_dependencies_component.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
+    <metadata>
+        <timestamp>2021-09-01T10:50:42.051979+00:00</timestamp>
+        <tools>
+            <tool>
+                <vendor>CycloneDX</vendor>
+                <name>cyclonedx-python-lib</name>
+                <version>VERSION</version>
+            </tool>
+        </tools>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <author>Test Author</author>
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+        </component>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <name>toml</name>
+            <version>0.10.2</version>
+            <hashes>
+                <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+            </hashes>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <externalReferences>
+                <reference type="distribution">
+                    <url>https://cyclonedx.org</url>
+                    <comment>No comment</comment>
+                </reference>
+            </externalReferences>
+        </component>
+    </components>
+    <dependencies>
+        <dependency ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"></dependency>
+        </dependency>
+        <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"></dependency>
+    </dependencies>
+</bom>

tests/fixtures/xml/1.3/bom_dependencies_component.xml

@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+    <metadata>
+        <timestamp>2021-09-01T10:50:42.051979+00:00</timestamp>
+        <tools>
+            <tool>
+                <vendor>CycloneDX</vendor>
+                <name>cyclonedx-python-lib</name>
+                <version>VERSION</version>
+            </tool>
+        </tools>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <author>Test Author</author>
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+        </component>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <name>toml</name>
+            <version>0.10.2</version>
+            <hashes>
+                <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+            </hashes>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <externalReferences>
+                <reference type="distribution">
+                    <url>https://cyclonedx.org</url>
+                    <comment>No comment</comment>
+                    <hashes>
+                        <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                    </hashes>
+                </reference>
+            </externalReferences>
+        </component>
+    </components>
+    <dependencies>
+        <dependency ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"></dependency>
+        </dependency>
+        <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"></dependency>
+    </dependencies>
+</bom>