Remove references to filtered out components from dependency roots

Author: jasonpaulos

src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs

@@ -46,6 +46,7 @@ public ScanResult GenerateScanResultFromProcessingResult(
         {
             componentsToOutput = FilterOutBaseImageComponents(componentsToOutput, detectorProcessingResult.ContainersDetailsMap);
             PruneFilteredComponentsFromGraphs(dependencyGraphs, componentsToOutput);
+            PruneFilteredComponentReferrers(componentsToOutput);
         }
 
         return new DefaultGraphScanResult
@@ -162,6 +163,22 @@ private static void PruneFilteredComponentsFromGraphs(DependencyGraphCollection
         }
     }
 
+    /// <summary>
+    /// Removes references to filtered-out components from the DependencyRoots and AncestralDependencyRoots
+    /// of retained components, so that TopLevelReferrers and AncestralReferrers in the output don't
+    /// reference components that were removed from ComponentsFound.
+    /// </summary>
+    private static void PruneFilteredComponentReferrers(List<DetectedComponent> retainedComponents)
+    {
+        var retainedIds = new HashSet<string>(retainedComponents.Select(c => c.Component.Id));
+
+        foreach (var component in retainedComponents)
+        {
+            component.DependencyRoots?.RemoveWhere(root => !retainedIds.Contains(root.Id));
+            component.AncestralDependencyRoots?.RemoveWhere(root => !retainedIds.Contains(root.Id));
+        }
+    }
+
     private static ConcurrentHashSet<string> MergeTargetFrameworks(ConcurrentHashSet<string> left, ConcurrentHashSet<string> right)
     {
         if (left == null && right == null)

test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DefaultGraphTranslationServiceTests.cs

@@ -778,4 +778,48 @@ public void FilterBaseImageComponents_DependencyGraphsUnchangedWhenFlagDisabled(
         graph.Should().ContainKey(retainedComponent.Component.Id);
         graph.Should().ContainKey(baseImageComponent.Component.Id);
     }
+
+    [TestMethod]
+    public void FilterBaseImageComponents_PrunesReferrersToFilteredComponents()
+    {
+        var filePath = Path.Join(this.sourceDirectory.FullName, "file1");
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(filePath);
+
+        // base-pkg is a root that depends on child-pkg (non-base-image).
+        var baseImageComponent = new DetectedComponent(new NpmComponent("base-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 0);
+        var childComponent = new DetectedComponent(new NpmComponent("child-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 1);
+
+        singleFileRecorder.RegisterUsage(baseImageComponent, isExplicitReferencedDependency: true);
+        singleFileRecorder.RegisterUsage(childComponent, parentComponentId: baseImageComponent.Component.Id);
+
+        var containerDetailsMap = new Dictionary<int, ContainerDetails>
+        {
+            [1] = new ContainerDetails
+            {
+                Id = 1,
+                Layers = [new DockerLayer { LayerIndex = 0, IsBaseImage = true }, new DockerLayer { LayerIndex = 1, IsBaseImage = false }],
+            },
+        };
+
+        var processingResult = new DetectorProcessingResult
+        {
+            ResultCode = ProcessingResultCode.Success,
+            ContainersDetailsMap = containerDetailsMap,
+            ComponentRecorders = [(this.componentDetectorMock.Object, this.componentRecorder)],
+        };
+
+        var result = this.serviceUnderTest.GenerateScanResultFromProcessingResult(
+            processingResult, new ScanSettings { SourceDirectory = this.sourceDirectory, FilterBaseImageComponents = true });
+
+        // Only child-pkg should remain (base-pkg is exclusively from base image layer).
+        result.ComponentsFound.Should().HaveCount(1);
+        var child = result.ComponentsFound.Single();
+        ((NpmComponent)child.Component).Name.Should().Be("child-pkg");
+
+        // TopLevelReferrers should not reference the filtered base-image component.
+        child.TopLevelReferrers?.Should().NotContain(c => c.Id == baseImageComponent.Component.Id);
+
+        // AncestralReferrers should not reference the filtered base-image component.
+        child.AncestralReferrers?.Should().NotContain(c => c.Id == baseImageComponent.Component.Id);
+    }
 }