fix: lossless flattening of dependency graph during JSON serialization

cyclonedx/output/json.py

@@ -16,10 +16,12 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 from abc import abstractmethod
+from itertools import chain
 from json import dumps as json_dumps, loads as json_loads
-from typing import TYPE_CHECKING, Any, Literal, Optional, Union
+from typing import TYPE_CHECKING, Any, Iterable, Literal, Optional, Union
 
 from ..exception.output import FormatNotSupportedException
+from ..model.dependency import Dependency
 from ..schema import OutputFormat, SchemaVersion
 from ..schema.schema import (
     SCHEMA_VERSIONS,
@@ -39,6 +41,48 @@
     from ..model.bom import Bom
 
 
+class _BomDependencyGraphFlattener:
+    """
+    !!! THIS CLASS IS INTERNAL.
+    Everything might change without any notice.
+    """
+
+    def __init__(self, bom: 'Bom'):
+        self._bom = bom
+        # do NOT use the getter - see `reset()` for reasons
+        self._deps = self._bom._dependencies
+
+    def __enter__(self) -> None:
+        self.flatten()
+
+    def __exit__(self, exc_type: Any, exc_val: Any, exc_tb: Any) -> None:
+        self.reset()
+
+    def reset(self) -> None:
+        # Do NOT use the setter - this would create overhead and most importantly,
+        # and this could cause deduplication of an existing malformed set.
+        # Just access the internal field directly!
+        self._bom._dependencies = self._deps
+
+    def flatten(self) -> None:
+        self._bom.dependencies = chain.from_iterable(
+            self.__flatten_dep(dep) for dep in self._deps
+        )
+
+    @staticmethod
+    def __flatten_dep(dep: Dependency) -> Iterable[Dependency]:
+        if not dep.dependencies:
+            return dep,
+        flat: list[Dependency] = []
+        todos: list[Dependency] = [dep]
+        while todos:
+            todo = todos.pop()
+            if todo.dependencies:
+                flat.append(Dependency(todo.ref, (Dependency(d.ref) for d in todo.dependencies)))
+                todos.extend(todo.dependencies)
+        return flat
+
+
 class Json(BaseOutput, BaseSchemaVersion):
 
     def __init__(self, bom: 'Bom') -> None:
@@ -70,10 +114,12 @@ def generate(self, force_regeneration: bool = False) -> None:
         _view = SCHEMA_VERSIONS.get(self.schema_version_enum)
         bom = self.get_bom()
         bom.validate()
+        # utilize contrib.dependency.flatten() somewhere here
         with BomRefDiscriminator.from_bom(bom):
-            bom_json: dict[str, Any] = json_loads(
-                bom.as_json(  # type:ignore[attr-defined]
-                    view_=_view))
+            with _BomDependencyGraphFlattener(bom):
+                bom_json: dict[str, Any] = json_loads(
+                    bom.as_json(  # type:ignore[attr-defined]
+                        view_=_view))
         bom_json.update(_json_core)
         self._bom_json = bom_json
         self.generated = True

tests/_data/models.py

@@ -1589,6 +1589,45 @@ def get_bom_for_issue540_duplicate_components() -> Bom:
     bom.register_dependency(component1, [component3])
     return bom
 
+
+def get_bom_for_issue941_nested_dependencies_irreversible_migrate() -> Bom:
+    bom = _make_bom()
+    bom.metadata.component = root_component = Component(
+        name='myApp',
+        type=ComponentType.APPLICATION,
+        bom_ref='myApp'
+    )
+
+    component1 = Component(
+        type=ComponentType.LIBRARY,
+        name='some-library',
+        bom_ref='some-library1'
+    )
+    bom.components.add(component1)
+
+    component2 = Component(
+        type=ComponentType.LIBRARY,
+        name='some-library',
+        bom_ref='some-library2'
+    )
+    bom.components.add(component2)
+
+    bom.dependencies.add(
+        Dependency(
+            root_component.bom_ref,
+            dependencies=[
+                Dependency(
+                    component1.bom_ref,
+                    dependencies=[
+                        Dependency(component2.bom_ref)
+                    ]
+                )
+            ]
+        )
+    )
+
+    return bom
+
 # ---
 
 

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.0.xml.bin

@@ -0,0 +1,15 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+  <components>
+    <component type="library">
+      <name>some-library</name>
+      <version/>
+      <modified>false</modified>
+    </component>
+    <component type="library">
+      <name>some-library</name>
+      <version/>
+      <modified>false</modified>
+    </component>
+  </components>
+</bom>

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.1.xml.bin

@@ -0,0 +1,13 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <components>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+      <version/>
+    </component>
+  </components>
+</bom>

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.2.json.bin

@@ -0,0 +1,50 @@
+{
+  "components": [
+    {
+      "bom-ref": "some-library1",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library2",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "some-library1"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "dependsOn": [
+        "some-library2"
+      ],
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library2"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "name": "myApp",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2"
+}

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.2.xml.bin

@@ -0,0 +1,29 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <component type="application" bom-ref="myApp">
+      <name>myApp</name>
+      <version/>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+      <version/>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="some-library1">
+        <dependency ref="some-library2"/>
+      </dependency>
+    </dependency>
+    <dependency ref="some-library1"/>
+    <dependency ref="some-library2"/>
+  </dependencies>
+</bom>

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.3.json.bin

@@ -0,0 +1,50 @@
+{
+  "components": [
+    {
+      "bom-ref": "some-library1",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library2",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "some-library1"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "dependsOn": [
+        "some-library2"
+      ],
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library2"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "name": "myApp",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3"
+}

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.3.xml.bin

@@ -0,0 +1,29 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <component type="application" bom-ref="myApp">
+      <name>myApp</name>
+      <version/>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+      <version/>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="some-library1">
+        <dependency ref="some-library2"/>
+      </dependency>
+    </dependency>
+    <dependency ref="some-library1"/>
+    <dependency ref="some-library2"/>
+  </dependencies>
+</bom>

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.4.json.bin

@@ -0,0 +1,47 @@
+{
+  "components": [
+    {
+      "bom-ref": "some-library1",
+      "name": "some-library",
+      "type": "library"
+    },
+    {
+      "bom-ref": "some-library2",
+      "name": "some-library",
+      "type": "library"
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "some-library1"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "dependsOn": [
+        "some-library2"
+      ],
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library2"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "name": "myApp",
+      "type": "application"
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4"
+}

tests/_data/snapshots/get_bom_for_issue941_nested_dependencies_irreversible_migrate-1.4.xml.bin

@@ -0,0 +1,26 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <component type="application" bom-ref="myApp">
+      <name>myApp</name>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="some-library1">
+        <dependency ref="some-library2"/>
+      </dependency>
+    </dependency>
+    <dependency ref="some-library1"/>
+    <dependency ref="some-library2"/>
+  </dependencies>
+</bom>