License list sometimes missing nested components

[pasieronen]

For example, this SBOM

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "name": "one",
      "type": "library",
      "components": [
        {
          "type": "library",
          "name": "two",
          "licenses": [{"license": {"id": "BSD-3-Clause"}}]
        }
      ]
    }
  ]
}

When run through

./sbom-utility license list --input-file test.cdx.json 

products a license list containing just component "one", but not component "two":

usage-policy  license-type  license      resource-name  bom-ref  bom-location  license-id  license-name  license-expression  license-url  license-text-encoding  license-text-content-type  license-text-content  purl
------------  ------------  -------      -------------  -------  ------------  ----------  ------------  ------------------  -----------  ---------------------  -------------------------  --------------------  ----
UNDEFINED     invalid       NOASSERTION  one                     components                                                                                               

If component "one" has a license, then both components are correctly printed.

Tested with sbom-utility version 0.18.1 (latest).

[mrutkows]

Hmm, we are trying as much as possible, to eliminate the nesting of components (still the only way we have in 1.x to sign assemblies); new logic would have to be added to effectively flatten nested components into an array (which is the basis for search/query, etc.).

Would you want to take a stab at this?

[pasieronen]

I'm not at all familiar with the code, but fixing the recursion turned out to be really simple (there was just an extra return statement), my attempt in #146