Merge branch 'main' into feat/model-card

Author: wiebe-vandendriessche

CHANGELOG.md

@@ -2,6 +2,41 @@
 
 <!-- version list -->
 
+## v11.10.0 (2026-06-11)
+
+### Bug Fixes
+
+- Lossless flattening of dependency graph during JSON serialization
+  ([#993](https://github.com/CycloneDX/cyclonedx-python-lib/pull/993),
+  [`d0e10ca`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/d0e10ca147dfece8bd7c76b104d7579255879679))
+
+- Typing in `contrib.bom.utils.BomDependencyGraphFlatMerger`
+  ([#998](https://github.com/CycloneDX/cyclonedx-python-lib/pull/998),
+  [`988a937`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/988a9372a676358b29e67573c9f39d94121824bc))
+
+### Documentation
+
+- Improve docs of `contrib.bom.utils.BomRefDiscriminator`
+  ([#996](https://github.com/CycloneDX/cyclonedx-python-lib/pull/996),
+  [`9beaf5c`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/9beaf5c6b35a8739727572c0e351063849d876fc))
+
+### Features
+
+- Add `contrib.bom.utils.BomDependencyGraphFlatMerger`
+  ([#997](https://github.com/CycloneDX/cyclonedx-python-lib/pull/997),
+  [`78b8d8b`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/78b8d8b94b26df14d0194b3d44a5db8a76f1fa47))
+
+- Move `output.BomRefDiscriminator` to `contrib.bom.utils.BomRefDiscriminator`
+  ([#995](https://github.com/CycloneDX/cyclonedx-python-lib/pull/995),
+  [`3bb87aa`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/3bb87aabbc421aabac307305217c7975e63b43eb))
+
+### Performance Improvements
+
+- `contrib.bom.utils.bomdependencygraphflatmerger._flatten_merge`
+  ([#999](https://github.com/CycloneDX/cyclonedx-python-lib/pull/999),
+  [`a8579b8`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/a8579b87f7e121ebbec16b9f05bdb3b4de11e71c))
+
+
 ## v11.9.0 (2026-06-08)
 
 ### Features

cyclonedx/__init__.py

@@ -22,4 +22,4 @@
 
 # !! version is managed by semantic_release
 # do not use typing here, or else `semantic_release` might have issues finding the variable
-__version__ = "11.9.0"  # noqa:Q000
+__version__ = "11.10.0"  # noqa:Q000

cyclonedx/contrib/bom/__init__.py

@@ -0,0 +1,18 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""Bom related functionality"""

cyclonedx/contrib/bom/utils.py

@@ -0,0 +1,170 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""Bom related utilities"""
+
+__all__ = ['BomRefDiscriminator', 'BomDependencyGraphFlatMerger']
+
+from collections.abc import Iterable
+from itertools import chain
+from random import random
+from typing import TYPE_CHECKING, Any
+
+from ...model.dependency import Dependency
+
+if TYPE_CHECKING:  # pragma: no cover
+    from ...model.bom import Bom
+    from ...model.bom_ref import BomRef
+
+
+class BomRefDiscriminator:
+    """
+    Ensure that a collection of BomRef objects
+    has unique, non‑empty :attr:`cyclonedx.model.bom_ref.BomRef.value`.
+
+    The discriminator inspects each provided BomRef and assigns a newly
+    generated identifier to any instance whose ``value`` is missing or
+    duplicates an earlier one.
+    All original values are preserved and can be restored via :meth:`reset()`
+    or by using this class as a context manager.
+    """
+
+    def __init__(self, bomrefs: Iterable['BomRef'], prefix: str = 'BomRef') -> None:
+        # NOTE: do not use dict/set here, different BomRefs with same value
+        #       have same hash and would shadow each other.
+        self._bomrefs = tuple((bomref, bomref.value) for bomref in bomrefs)
+        self._prefix = prefix
+
+    def __enter__(self) -> None:
+        self.discriminate()
+
+    def __exit__(self, exc_type: Any, exc_val: Any, exc_tb: Any) -> None:
+        self.reset()
+
+    def discriminate(self) -> None:
+        """
+        Enforce uniqueness across all
+        :attr:`cyclonedx.model.bom_ref.BomRef.value`s.
+
+        Any BomRef whose ``value`` is ``None`` or duplicates a previously
+        encountered value is assigned a newly generated unique identifier.
+        """
+        known_values = []
+        for bomref, _ in self._bomrefs:
+            value = bomref.value
+            if value is None or value in known_values:
+                value = self._make_unique()
+                bomref.value = value
+            known_values.append(value)
+
+    def reset(self) -> None:
+        """
+        Restore all :attr:`cyclonedx.model.bom_ref.BomRef.value`s to
+        their original state.
+        """
+        for bomref, original_value in self._bomrefs:
+            bomref.value = original_value
+
+    def _make_unique(self) -> str:
+        return f'{self._prefix}{str(random())[1:]}{str(random())[1:]}'  # nosec B311
+
+    @classmethod
+    def from_bom(cls, bom: 'Bom', prefix: str = 'BomRef') -> 'BomRefDiscriminator':
+        """
+        Create a discriminator for all :class:`cyclonedx.model.bom_ref.BomRefs`
+        contained within a Bom.
+
+        This includes BomRefs from
+          * :attr:`cyclonedx.model.bom.Bom.components`
+          * :attr:`cyclonedx.model.bom.Bom.services`
+          * :attr:`cyclonedx.model.bom.Bom.vulnerabilities`
+        """
+        return cls(chain(
+            map(lambda c: c.bom_ref, bom._get_all_components()),
+            map(lambda s: s.bom_ref, bom.services),
+            map(lambda v: v.bom_ref, bom.vulnerabilities)
+        ), prefix)
+
+
+class BomDependencyGraphFlatMerger:
+    """
+    Context‑manager utility that temporarily flattens and merges all
+    :attr:`cyclonedx.model.bom.Bom.dependencies`.
+
+    When used as a context manager, the :class:`cyclonedx.model.bom.Bom`'s
+    dependency graph is replaced with a flattened, merged representation
+    for the duration of the ``with`` block and automatically restored
+    afterward.
+    """
+
+    def __init__(self, bom: 'Bom') -> None:
+        self._bom = bom
+        # NOTE: do not use the getter - see `reset()` for reasons.
+        self._deps = self._bom._dependencies
+
+    def __enter__(self) -> None:
+        self.flatten_merge()
+
+    def __exit__(self, exc_type: Any, exc_val: Any, exc_tb: Any) -> None:
+        self.reset()
+
+    def flatten_merge(self) -> None:
+        """
+        Flatten and merge all :attr:`cyclonedx.model.bom.Bom.dependencies`.
+
+        This produces a non‑recursive, merged representation of the entire
+        dependency graph and assigns it to the Bom.
+
+        .. note::
+           The original dependency graph is not modified. A new, flattened
+           dependency structure is assigned to the Bom.
+        """
+        self._bom.dependencies = self._flatten_merge(self._deps)
+
+    def reset(self) -> None:
+        """
+        Restore the :class:`cyclonedx.model.bom.Bom`'s dependency graph to
+        its original state.
+
+        .. note::
+           This does not modify the dependency graph. It simply reassigns
+           the original dependency collection back to the Bom.
+        """
+        # NOTE: not using the setter, which would create overhead,
+        #       and - most importantly - this could cause deduplication of an existing malformed set.
+        #       Just access the internal field directly!
+        self._bom._dependencies = self._deps
+
+    @staticmethod
+    def _flatten_merge(deps: Iterable[Dependency]) -> Iterable[Dependency]:
+        flat: dict['BomRef', list['BomRef']] = {}
+        todos = list(deps)
+        seen: set[int] = set()
+        while todos:
+            todo = todos.pop()
+            if (todo_id := id(todo)) in seen:
+                continue
+            seen.add(todo_id)
+            ds = flat.setdefault(todo.ref, [])
+            if todo_deps := todo.dependencies:
+                ds.extend(d.ref for d in todo_deps)
+                todos.extend(todo_deps)
+        return (
+            Dependency(br, (Dependency(d) for d in ds))
+            for br, ds
+            in flat.items()
+        )

cyclonedx/output/__init__.py

@@ -22,17 +22,21 @@
 """
 
 import os
+import sys
 from abc import ABC, abstractmethod
-from collections.abc import Iterable, Mapping
-from itertools import chain
-from random import random
+from collections.abc import Mapping
 from typing import TYPE_CHECKING, Any, Literal, Optional, Union, overload
 
+if sys.version_info >= (3, 13):
+    from warnings import deprecated
+else:
+    from typing_extensions import deprecated
+
+from ..contrib.bom.utils import BomRefDiscriminator as _BomRefDiscriminator
 from ..schema import OutputFormat, SchemaVersion
 
 if TYPE_CHECKING:  # pragma: no cover
     from ..model.bom import Bom
-    from ..model.bom_ref import BomRef
     from .json import Json as JsonOutputter
     from .xml import Xml as XmlOutputter
 
@@ -138,40 +142,19 @@ def make_outputter(bom: 'Bom', output_format: OutputFormat, schema_version: Sche
         raise ValueError(f'Unknown {output_format.name}/schema_version: {schema_version!r}')
     return klass(bom)
 
+# region deprecated re-export
 
-class BomRefDiscriminator:
-
-    def __init__(self, bomrefs: Iterable['BomRef'], prefix: str = 'BomRef') -> None:
-        # do not use dict/set here, different BomRefs with same value have same hash and would shadow each other
-        self._bomrefs = tuple((bomref, bomref.value) for bomref in bomrefs)
-        self._prefix = prefix
-
-    def __enter__(self) -> None:
-        self.discriminate()
 
-    def __exit__(self, exc_type: Any, exc_val: Any, exc_tb: Any) -> None:
-        self.reset()
+@deprecated('Deprecated re-export location - see docstring of "BomRefDiscriminator" for details.')
+class BomRefDiscriminator(_BomRefDiscriminator):
+    """Deprecated — Alias of :class:`cyclonedx.contrib.bom.utils.BomRefDiscriminator`.
 
-    def discriminate(self) -> None:
-        known_values = []
-        for bomref, _ in self._bomrefs:
-            value = bomref.value
-            if value is None or value in known_values:
-                value = self._make_unique()
-                bomref.value = value
-            known_values.append(value)
-
-    def reset(self) -> None:
-        for bomref, original_value in self._bomrefs:
-            bomref.value = original_value
+    .. deprecated:: next
+        This re-export location is deprecated.
+        Use ``from cyclonedx.contrib.bom.utils import BomRefDiscriminator`` instead.
+        The exported symbol itself is NOT deprecated — only this import path.
+    """
+    pass
 
-    def _make_unique(self) -> str:
-        return f'{self._prefix}{str(random())[1:]}{str(random())[1:]}'  # nosec B311
 
-    @classmethod
-    def from_bom(cls, bom: 'Bom', prefix: str = 'BomRef') -> 'BomRefDiscriminator':
-        return cls(chain(
-            map(lambda c: c.bom_ref, bom._get_all_components()),
-            map(lambda s: s.bom_ref, bom.services),
-            map(lambda v: v.bom_ref, bom.vulnerabilities)
-        ), prefix)
+# endregion deprecated re-export

cyclonedx/output/json.py

@@ -19,6 +19,7 @@
 from json import dumps as json_dumps, loads as json_loads
 from typing import TYPE_CHECKING, Any, Literal, Optional, Union
 
+from ..contrib.bom.utils import BomDependencyGraphFlatMerger, BomRefDiscriminator
 from ..exception.output import FormatNotSupportedException
 from ..schema import OutputFormat, SchemaVersion
 from ..schema.schema import (
@@ -33,7 +34,7 @@
     SchemaVersion1Dot6,
     SchemaVersion1Dot7,
 )
-from . import BaseOutput, BomRefDiscriminator
+from . import BaseOutput
 
 if TYPE_CHECKING:  # pragma: no cover
     from ..model.bom import Bom
@@ -71,9 +72,10 @@ def generate(self, force_regeneration: bool = False) -> None:
         bom = self.get_bom()
         bom.validate()
         with BomRefDiscriminator.from_bom(bom):
-            bom_json: dict[str, Any] = json_loads(
-                bom.as_json(  # type:ignore[attr-defined]
-                    view_=_view))
+            with BomDependencyGraphFlatMerger(bom):
+                bom_json: dict[str, Any] = json_loads(
+                    bom.as_json(  # type:ignore[attr-defined]
+                        view_=_view))
         bom_json.update(_json_core)
         self._bom_json = bom_json
         self.generated = True

cyclonedx/output/xml.py

@@ -20,6 +20,7 @@
 from xml.dom.minidom import parseString as dom_parseString  # nosec B408
 from xml.etree.ElementTree import Element as XmlElement, tostring as xml_dumps  # nosec B405
 
+from ..contrib.bom.utils import BomRefDiscriminator
 from ..schema import OutputFormat, SchemaVersion
 from ..schema.schema import (
     SCHEMA_VERSIONS,
@@ -33,7 +34,7 @@
     SchemaVersion1Dot6,
     SchemaVersion1Dot7,
 )
-from . import BaseOutput, BomRefDiscriminator
+from . import BaseOutput
 
 if TYPE_CHECKING:  # pragma: no cover
     from ..model.bom import Bom

docs/conf.py

@@ -23,7 +23,7 @@
 
 # The full version, including alpha/beta/rc tags
 # !! version is managed by semantic_release
-release = '11.9.0'
+release = '11.10.0'
 
 # -- General configuration ---------------------------------------------------
 

pyproject.toml

@@ -5,7 +5,7 @@ build-backend = "poetry.core.masonry.api"
 [tool.poetry]
 name = "cyclonedx-python-lib"
 # !! version is managed by semantic_release
-version = "11.9.0"
+version = "11.10.0"
 description = "Python library for CycloneDX"
 authors = [
   "Paul Horton <phorton@sonatype.com>",

tests/__init__.py

@@ -25,7 +25,7 @@
 
 from sortedcontainers import SortedSet
 
-from cyclonedx.output import BomRefDiscriminator as _BomRefDiscriminator
+from cyclonedx.contrib.bom.utils import BomRefDiscriminator as _BomRefDiscriminator
 from cyclonedx.schema import OutputFormat, SchemaVersion
 
 if TYPE_CHECKING: