fix: serialize dependency graph for nested components (#329)

* tests: regression tests for issue #328
* fix: for issue #328

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

cyclonedx/output/__init__.py

@@ -23,9 +23,10 @@
 import os
 from abc import ABC, abstractmethod
 from enum import Enum
-from typing import cast
+from typing import Iterable, Union, cast
 
 from ..model.bom import Bom
+from ..model.component import Component
 
 
 class OutputFormat(str, Enum):
@@ -60,6 +61,11 @@ def __init__(self, bom: Bom, **kwargs: int) -> None:
         self._bom = bom
         self._generated: bool = False
 
+    def _chained_components(self, container: Union[Bom, Component]) -> Iterable[Component]:
+        for component in container.components:
+            yield component
+            yield from self._chained_components(component)
+
     @property
     @abstractmethod
     def schema_version(self) -> SchemaVersion:

cyclonedx/output/json.py

@@ -19,11 +19,10 @@
 
 import json
 from abc import abstractmethod
-from typing import Any, Dict, Iterable, List, Optional, Union
+from typing import Any, Dict, List, Optional, Union
 
 from ..exception.output import FormatNotSupportedException
 from ..model.bom import Bom
-from ..model.component import Component
 from . import BaseOutput, SchemaVersion
 from .schema import (
     BaseSchemaVersion,
@@ -66,7 +65,7 @@ def generate(self, force_regeneration: bool = False) -> None:
 
         extras = {}
         if self.bom_supports_dependencies():
-            dep_components: Iterable[Component] = bom.components
+            dep_components = self._chained_components(bom)
             if bom.metadata.component:
                 dep_components = [bom.metadata.component, *dep_components]
             dependencies = []

cyclonedx/output/serializer/json.py

@@ -79,7 +79,7 @@ def default(self, o: Any) -> Any:
             d: Dict[Any, Any] = {}
             for k, v in o.__dict__.items():
                 # Remove leading _ in key names
-                new_key = k[1:]
+                new_key = k[1:] if k[0] == '_' else k
                 if new_key.startswith('_') or '__' in new_key:
                     continue
 

cyclonedx/output/xml.py

@@ -18,7 +18,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 import warnings
-from typing import Iterable, Optional
+from typing import Optional
 from xml.etree import ElementTree
 
 from sortedcontainers import SortedSet
@@ -111,7 +111,7 @@ def generate(self, force_regeneration: bool = False) -> None:
             )
 
         if self.bom_supports_dependencies() and (bom.metadata.component or bom.components):
-            dep_components: Iterable[Component] = bom.components
+            dep_components = self._chained_components(bom)
             if bom.metadata.component:
                 dep_components = [bom.metadata.component, *dep_components]
             dependencies_element = ElementTree.SubElement(self._root_bom_element, 'dependencies')

tests/data.py

@@ -320,6 +320,10 @@ def get_bom_with_nested_services() -> Bom:
 
 
 def get_bom_for_issue_275_components() -> Bom:
+    """regression test for issue #275
+    see https://github.com/CycloneDX/cyclonedx-python-lib/issues/275
+    """
+
     app = Component(bom_ref=MOCK_UUID_1, name="app", version="1.0.0")
     comp_a = Component(bom_ref=MOCK_UUID_2, name="comp_a", version="1.0.0")
     comp_b = Component(bom_ref=MOCK_UUID_3, name="comp_b", version="1.0.0")
@@ -338,17 +342,45 @@ def get_bom_for_issue_275_components() -> Bom:
 
 
 # def get_bom_for_issue_275_services() -> Bom:
-#     app = Component(name="app", version="1.0.0")
-#     serv_a = Service(name='Service A')
-#     serv_b = Service(name='Service B')
-#     serv_c = Service(name='Service C')
+#    """regression test for issue #275
+#    see https://github.com/CycloneDX/cyclonedx-python-lib/issues/275
+#    """
+#    app = Component(name="app", version="1.0.0")
+#    serv_a = Service(name='Service A')
+#    serv_b = Service(name='Service B')
+#    serv_c = Service(name='Service C')
 #
-#     serv_b.services.add(serv_c)
-#     serv_b.dependencies.add(serv_c.bom_ref)
+#    serv_b.services.add(serv_c)
+#    serv_b.dependencies.add(serv_c.bom_ref)
 #
-#     bom = Bom(services=[serv_a, serv_b])
-#     bom.metadata.component = app
-#     return bom
+#    bom = Bom(services=[serv_a, serv_b])
+#    bom.metadata.component = app
+#    return bom
+
+
+def get_bom_for_issue_328_components() -> Bom:
+    """regression test for issue #328
+    see https://github.com/CycloneDX/cyclonedx-python-lib/issues/328
+    """
+
+    comp_root = Component(component_type=ComponentType.APPLICATION,
+                          name='my-project', version='1', bom_ref='my-project')
+    comp_a = Component(name='A', version='0.1', bom_ref='component-A')
+    comp_b = Component(name='B', version='1.0', bom_ref='component-B')
+    comp_c = Component(name='C', version='1.0', bom_ref='component-C')
+
+    # Make a tree of components A -> B -> C
+    comp_a.components = [comp_b]
+    comp_b.components = [comp_c]
+    # Declare dependencies the same way: A -> B -> C
+    comp_a.dependencies = [comp_b.bom_ref]
+    comp_b.dependencies = [comp_c.bom_ref]
+
+    bom = Bom()
+    bom.metadata.component = comp_root
+    comp_root.dependencies = [comp_a.bom_ref]
+    bom.components = [comp_a]
+    return bom
 
 
 def get_component_setuptools_complete(include_pedigree: bool = True) -> Component:
@@ -376,7 +408,8 @@ def get_component_setuptools_complete(include_pedigree: bool = True) -> Componen
 
 
 def get_component_setuptools_simple(
-        bom_ref: Optional[str] = 'pkg:pypi/[email protected]?extension=tar.gz') -> Component:
+    bom_ref: Optional[str] = 'pkg:pypi/[email protected]?extension=tar.gz'
+) -> Component:
     return Component(
         name='setuptools', version='50.3.2',
         bom_ref=bom_ref,

tests/fixtures/json/1.2/bom_dependencies.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:7ddbdb7d-6f51-4ea6-83c1-bf780cece8e2",
+  "serialNumber": "urn:uuid:6dc366e9-89eb-48cc-9ae8-49a810ce3dcb",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T11:40:00.491974+00:00",
+    "timestamp": "2023-01-07T13:45:57.575599+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",

tests/fixtures/json/1.2/bom_dependencies_component.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:d3c403f8-187f-4c3a-ae93-2d62f50689c0",
+  "serialNumber": "urn:uuid:fae7d0a5-648d-4058-be92-774ed4f974eb",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T11:40:00.538713+00:00",
+    "timestamp": "2023-01-07T13:45:57.597300+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",

tests/fixtures/json/1.2/bom_external_references.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:06480655-292f-4ab5-8d84-52ac0023a161",
+  "serialNumber": "urn:uuid:b254c902-deb4-4298-9969-027541ee365c",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T11:40:00.241228+00:00",
+    "timestamp": "2023-01-07T13:45:57.467119+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",

tests/fixtures/json/1.2/bom_issue_275_components.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.2",
-  "serialNumber": "urn:uuid:d571cf4c-efeb-4603-b744-a58a3e95410a",
+  "serialNumber": "urn:uuid:e8a76c00-84d4-447e-8bc5-d8a3cefd01f0",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T11:40:00.654095+00:00",
+    "timestamp": "2023-01-07T13:45:57.651650+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",
@@ -59,6 +59,10 @@
       "dependsOn": [
         "cd3e9c95-9d41-49e7-9924-8cf0465ae789"
       ]
+    },
+    {
+      "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789",
+      "dependsOn": []
     }
   ]
 }

tests/fixtures/json/1.2/bom_issue_328_components.json

@@ -0,0 +1,71 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2",
+  "serialNumber": "urn:uuid:0e7ce694-c130-4965-8716-85015b42c729",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2023-01-07T13:52:27.732107+00:00",
+    "tools": [
+      {
+        "vendor": "CycloneDX",
+        "name": "cyclonedx-python-lib",
+        "version": "3.1.2"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "bom-ref": "my-project",
+      "name": "my-project",
+      "version": "1"
+    }
+  },
+  "components": [
+    {
+      "type": "library",
+      "bom-ref": "component-A",
+      "name": "A",
+      "version": "0.1",
+      "components": [
+        {
+          "type": "library",
+          "bom-ref": "component-B",
+          "name": "B",
+          "version": "1.0",
+          "components": [
+            {
+              "type": "library",
+              "bom-ref": "component-C",
+              "name": "C",
+              "version": "1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "my-project",
+      "dependsOn": [
+        "component-A"
+      ]
+    },
+    {
+      "ref": "component-A",
+      "dependsOn": [
+        "component-B"
+      ]
+    },
+    {
+      "ref": "component-B",
+      "dependsOn": [
+        "component-C"
+      ]
+    },
+    {
+      "ref": "component-C",
+      "dependsOn": []
+    }
+  ]
+}