Skip to content

Set component Name to BOMRef if missing in SBOMGraphFromCycloneDX #1754

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
timbastin merged 2 commits into from
Feb 27, 2026
Merged

Set component Name to BOMRef if missing in SBOMGraphFromCycloneDX #1754

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d8a8ce8
Set component Name to BOMRef if missing in SBOMGraphFromCycloneDX
refoo0 Feb 27, 2026
4a788a5
fix test
refoo0 Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion normalize/sbom_graph.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1496,7 +1496,7 @@ func SBOMGraphFromCycloneDX(bom *cdx.BOM, artifactName, infoSourceID string, kee
return nil, fmt.Errorf("component at index %d has missing BOMRef", idx)
}
if comp.Name == "" {
return nil, fmt.Errorf("component at index %d (%s) has missing Name", idx, comp.BOMRef)
comp.Name = comp.BOMRef // Default to BOMRef if name is missing
}

// Check for duplicate BOMRef
Expand Down
26 changes: 20 additions & 6 deletions normalize/sbom_graph_cyclonedx_validation_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package normalize
import (
"bytes"
"encoding/json"
"slices"
"testing"

cdx "github.com/CycloneDX/cyclonedx-go"
Expand Down Expand Up @@ -326,7 +327,7 @@ func TestInvalidComponentTypeValidation(t *testing.T) {

// TestSchemaBreakers tests various ways to break CycloneDX 1.6 schema validation
func TestSchemaBreakers(t *testing.T) {
t.Run("missing required component name returns error when trying to construct sbom graph", func(t *testing.T) {
t.Run("missing component name defaults to bomRef and does not break graph construction", func(t *testing.T) {
bom := &cdx.BOM{
SpecVersion: cdx.SpecVersion1_6,
BOMFormat: "CycloneDX",
Expand All @@ -341,16 +342,29 @@ func TestSchemaBreakers(t *testing.T) {
Components: &[]cdx.Component{
{
BOMRef: "pkg:npm/test@1.0.0",
// Name field is empty - should cause error in graph construction
Type: cdx.ComponentTypeLibrary,
// Name field is empty, so name would be bomRef
Type: cdx.ComponentTypeLibrary,
Version: "1.0.0",
PackageURL: "pkg:npm/test@1.0.0",
},
},
Dependencies: &[]cdx.Dependency{
{
Ref: "root",
Dependencies: &[]string{"pkg:npm/test@1.0.0"},
},
},
}

// SBOMGraphFromCycloneDX should return error for missing component name
// SBOMGraphFromCycloneDX should handle this gracefully by using bomRef as the name if name is missing
graph, err := SBOMGraphFromCycloneDX(bom, "test-artifact", "test-source", false)
assert.NotNil(t, err, "Should return error for component with missing name")
assert.Nil(t, graph, "Graph should be nil when error occurs")
assert.NoError(t, err)

component := slices.Collect(graph.Components())[0]
assert.Equal(t, "pkg:npm/test@1.0.0", component.Component.Name, "Component name should default to bomRef when name is missing")

assert.NoError(t, err)
assert.NotNil(t, graph, "Graph should be created even with missing component name (bomRef will be used as name)")
})

t.Run("invalid scope value returns error when building sbom graph", func(t *testing.T) {
Expand Down