Dependency warning for root component only

[weichslgartner]

If I create an SBOM with only a root component as follows:

from cyclonedx.model.bom import Bom, BomMetaData
from cyclonedx.model.component import Component
from cyclonedx.output.json import JsonV1Dot6

bom = Bom(metadata=BomMetaData(component=Component(name="test",version="1.2")))
print(JsonV1Dot6(bom).output_as_string())

I get the warning:

/miniforge3/envs/cyclonedx/lib/python3.11/site-packages/cyclonedx/model/bom.py:667: UserWarning: The Component this BOM is describing None has no defined dependencies which means the Dependency Graph is incomplete - you should add direct dependencies to this "root" Component to complete the Dependency Graph data.
  warn(

I can validate this SBOM with sbom-utility and to my understanding this is a valid SBOM. There should be no warning, or?

I use version cyclonedx-python-lib version 7.3.4 and Python 3.11.

[italvi]

+1, if I have a self-written product, it's possible that there are no other dependencies, so I don't understand this warning, too.

[madpah]

@weichslgartner / @italvi - can either of you share the generated SBOM which is generating this warning?

[weichslgartner]

@madpah The generated SBOM looks like this:

{
    "dependencies": [
        {
            "ref": "BomRef.14889545775697233.5684912849841712"
        }
    ],
    "metadata": {
        "component": {
            "bom-ref": "BomRef.14889545775697233.5684912849841712",
            "name": "test",
            "type": "library",
            "version": "1.2"
        },
        "timestamp": "2024-09-04T08:40:12.747535+00:00",
        "tools": [
            {
                "externalReferences": [
                    {
                        "type": "build-system",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
                    },
                    {
                        "type": "distribution",
                        "url": "https://pypi.org/project/cyclonedx-python-lib/"
                    },
                    {
                        "type": "documentation",
                        "url": "https://cyclonedx-python-library.readthedocs.io/"
                    },
                    {
                        "type": "issue-tracker",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
                    },
                    {
                        "type": "license",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
                    },
                    {
                        "type": "release-notes",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
                    },
                    {
                        "type": "vcs",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
                    },
                    {
                        "type": "website",
                        "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
                    }
                ],
                "name": "cyclonedx-python-lib",
                "vendor": "CycloneDX",
                "version": "7.3.4"
            }
        ]
    },
    "serialNumber": "urn:uuid:fada3ca3-48c5-4c11-b12d-20e3cafcf37f",
    "version": 1,
    "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.6"
}

[italvi]

@madpah any updates from your side? Will you further investigate on this topic? I would have provided a similar SBOM to the one @weichslgartner uploaded.

[weichslgartner]

I tried to address the issue in a PR. Feedback is welcome.

@italvi another way would be to surpress the warning as follows:

import warnings

from cyclonedx.model.bom import BomMetaData, Bom
from cyclonedx.model.component import Component
from cyclonedx.output.json import JsonV1Dot6

with warnings.catch_warnings():
    warnings.simplefilter('ignore', UserWarning)  # Turn UserWarnings into errors
    bom = Bom(metadata=BomMetaData(component=Component(name='test', version='1.2')))
    print(JsonV1Dot6(bom).output_as_string(indent=4))

[jkowalleck]

the implied reasoning of #720 make sense to me.

- # 2. if root component is set: dependencies should exist for the Component this BOM is describing
- if self.metadata.component and not any(map(
+ # 2. if root component is set and there are other components: dependencies should exist for the Component
+ # this BOM is describing
+ if self.metadata.component and len(self.components) > 0 and not any(map(
    lambda d: d.ref == self.metadata.component.bom_ref and len(d.dependencies) > 0,  # type: ignore[union-attr]
    self.dependencies
  )):

we already do not warn, if no metadata component exists.
we should also not warn, if no components exist.

PS: given the proposed changes, i'd consider this a non-breaking bug fix. what do you think?

[weichslgartner]

@jkowalleck yes, I also think that is non breaking as it only removes a warning.