Address review feedback

jasonpaulos · jasonpaulos · commit f97ff4440fa2 · 2026-06-22T16:56:36.000-04:00
diff --git a/src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs b/src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs
@@ -45,6 +45,7 @@ public ScanResult GenerateScanResultFromProcessingResult(
         if (settings.FilterBaseImageComponents)
         {
             componentsToOutput = FilterOutBaseImageComponents(componentsToOutput, detectorProcessingResult.ContainersDetailsMap);
+            PruneFilteredComponentsFromGraphs(dependencyGraphs, componentsToOutput);
         }
 
         return new DefaultGraphScanResult
@@ -74,10 +75,20 @@ internal static List<DetectedComponent> FilterOutBaseImageComponents(
             return components;
         }
 
-        return components.Where(component => !IsExclusivelyFromBaseImage(component, containerDetailsMap)).ToList();
+        // Build an indexed lookup: containerDetailId → (layerIndex → DockerLayer)
+        var layerLookup = new Dictionary<int, Dictionary<int, DockerLayer>>();
+        foreach (var (id, details) in containerDetailsMap)
+        {
+            if (details.Layers != null)
+            {
+                layerLookup[id] = details.Layers.ToDictionary(l => l.LayerIndex);
+            }
+        }
+
+        return components.Where(component => !IsExclusivelyFromBaseImage(component, layerLookup)).ToList();
     }
 
-    private static bool IsExclusivelyFromBaseImage(DetectedComponent component, Dictionary<int, ContainerDetails> containerDetailsMap)
+    private static bool IsExclusivelyFromBaseImage(DetectedComponent component, Dictionary<int, Dictionary<int, DockerLayer>> layerLookup)
     {
         // Components without container layer references are not from a container scan - keep them.
         if (component.ContainerLayerIds == null || component.ContainerLayerIds.Count == 0)
@@ -87,18 +98,15 @@ private static bool IsExclusivelyFromBaseImage(DetectedComponent component, Dict
 
         foreach (var (containerDetailId, layerIndices) in component.ContainerLayerIds)
         {
-            if (!containerDetailsMap.TryGetValue(containerDetailId, out var containerDetails) || containerDetails.Layers == null)
+            if (!layerLookup.TryGetValue(containerDetailId, out var layersByIndex))
             {
                 // If we can't resolve the container details, assume it's not a base image component.
                 return false;
             }
 
-            var layersList = containerDetails.Layers.ToList();
-
             foreach (var layerIndex in layerIndices)
             {
-                var layer = layersList.FirstOrDefault(l => l.LayerIndex == layerIndex);
-                if (layer == null || !layer.IsBaseImage)
+                if (!layersByIndex.TryGetValue(layerIndex, out var layer) || !layer.IsBaseImage)
                 {
                     // Layer not found or not from base image. Keep this component.
                     return false;
@@ -109,6 +117,42 @@ private static bool IsExclusivelyFromBaseImage(DetectedComponent component, Dict
         return true;
     }
 
+    /// <summary>
+    /// Removes component IDs from dependency graphs that are no longer present in the output components list.
+    /// </summary>
+    private static void PruneFilteredComponentsFromGraphs(DependencyGraphCollection graphs, List<DetectedComponent> retainedComponents)
+    {
+        if (graphs == null || graphs.Count == 0)
+        {
+            return;
+        }
+
+        var retainedIds = new HashSet<string>(retainedComponents.Select(c => c.Component.Id));
+
+        foreach (var graphWithMetadata in graphs.Values)
+        {
+            var graph = graphWithMetadata.Graph;
+
+            // Remove nodes that are no longer in retained components.
+            var idsToRemove = graph.Keys.Where(id => !retainedIds.Contains(id)).ToList();
+            foreach (var id in idsToRemove)
+            {
+                graph.Remove(id);
+            }
+
+            // Remove references to removed IDs from remaining nodes' dependency sets.
+            foreach (var edges in graph.Values)
+            {
+                edges?.RemoveWhere(id => !retainedIds.Contains(id));
+            }
+
+            // Clean up metadata sets.
+            graphWithMetadata.ExplicitlyReferencedComponentIds?.RemoveWhere(id => !retainedIds.Contains(id));
+            graphWithMetadata.DevelopmentDependencies?.RemoveWhere(id => !retainedIds.Contains(id));
+            graphWithMetadata.Dependencies?.RemoveWhere(id => !retainedIds.Contains(id));
+        }
+    }
+
     private static ConcurrentHashSet<string> MergeTargetFrameworks(ConcurrentHashSet<string> left, ConcurrentHashSet<string> right)
     {
         if (left == null && right == null)
diff --git a/test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DefaultGraphTranslationServiceTests.cs b/test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DefaultGraphTranslationServiceTests.cs
@@ -568,7 +568,7 @@ public void GenerateScanResult_MultipleRichAndBare_BareGraphDataAbsorbedByAllRic
     [TestMethod]
     public void FilterBaseImageComponents_RemovesComponentsExclusivelyFromBaseImageLayers()
     {
-        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "/file1"));
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "file1"));
 
         var baseImageComponent = new DetectedComponent(new NpmComponent("base-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 0);
         singleFileRecorder.RegisterUsage(baseImageComponent);
@@ -598,7 +598,7 @@ public void FilterBaseImageComponents_RemovesComponentsExclusivelyFromBaseImageL
     [TestMethod]
     public void FilterBaseImageComponents_RetainsComponentsWithMixedLayers()
     {
-        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "/file1"));
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "file1"));
 
         var mixedComponent = new DetectedComponent(new NpmComponent("mixed-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 0);
         mixedComponent.ContainerLayerIds[1] = [0, 1];
@@ -630,7 +630,7 @@ public void FilterBaseImageComponents_RetainsComponentsWithMixedLayers()
     [TestMethod]
     public void FilterBaseImageComponents_RetainsComponentsWithNoContainerReferences()
     {
-        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "/file1"));
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "file1"));
 
         var filesystemComponent = new DetectedComponent(new NpmComponent("fs-pkg", "2.0.0"));
         singleFileRecorder.RegisterUsage(filesystemComponent);
@@ -661,7 +661,7 @@ public void FilterBaseImageComponents_RetainsComponentsWithNoContainerReferences
     [TestMethod]
     public void FilterBaseImageComponents_NoOpWhenFlagIsDisabled()
     {
-        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "/file1"));
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(Path.Join(this.sourceDirectory.FullName, "file1"));
 
         var baseImageComponent = new DetectedComponent(new NpmComponent("base-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 0);
         singleFileRecorder.RegisterUsage(baseImageComponent);
@@ -688,4 +688,94 @@ public void FilterBaseImageComponents_NoOpWhenFlagIsDisabled()
         result.ComponentsFound.Should().HaveCount(1);
         ((NpmComponent)result.ComponentsFound.Single().Component).Name.Should().Be("base-pkg");
     }
+
+    [TestMethod]
+    public void FilterBaseImageComponents_PrunesFilteredComponentsFromDependencyGraphs()
+    {
+        var filePath = Path.Join(this.sourceDirectory.FullName, "file1");
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(filePath);
+
+        // Register a retained (non-base-image) component and a base-image component with a dependency edge.
+        var retainedComponent = new DetectedComponent(new NpmComponent("app-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 1);
+        var baseImageComponent = new DetectedComponent(new NpmComponent("base-pkg", "2.0.0"), containerDetailsId: 1, containerLayerId: 0);
+
+        singleFileRecorder.RegisterUsage(retainedComponent, isExplicitReferencedDependency: true);
+        singleFileRecorder.RegisterUsage(baseImageComponent, parentComponentId: retainedComponent.Component.Id);
+
+        var containerDetailsMap = new Dictionary<int, ContainerDetails>
+        {
+            [1] = new ContainerDetails
+            {
+                Id = 1,
+                Layers = [new DockerLayer { LayerIndex = 0, IsBaseImage = true }, new DockerLayer { LayerIndex = 1, IsBaseImage = false }],
+            },
+        };
+
+        var processingResult = new DetectorProcessingResult
+        {
+            ResultCode = ProcessingResultCode.Success,
+            ContainersDetailsMap = containerDetailsMap,
+            ComponentRecorders = [(this.componentDetectorMock.Object, this.componentRecorder)],
+        };
+
+        var result = (DefaultGraphScanResult)this.serviceUnderTest.GenerateScanResultFromProcessingResult(
+            processingResult, new ScanSettings { SourceDirectory = this.sourceDirectory, FilterBaseImageComponents = true });
+
+        // Only the non-base-image component should remain.
+        result.ComponentsFound.Should().HaveCount(1);
+        ((NpmComponent)result.ComponentsFound.Single().Component).Name.Should().Be("app-pkg");
+
+        // The dependency graph should not reference the filtered component.
+        var graphEntry = result.DependencyGraphs.Should().ContainSingle().Which;
+        var graph = graphEntry.Value.Graph;
+        graph.Should().ContainKey(retainedComponent.Component.Id);
+        graph.Should().NotContainKey(baseImageComponent.Component.Id);
+
+        // The retained component's edge set should not reference the removed component.
+        var retainedEdges = graph[retainedComponent.Component.Id];
+        retainedEdges?.Should().NotContain(baseImageComponent.Component.Id);
+
+        // Metadata sets should also be cleaned.
+        graphEntry.Value.ExplicitlyReferencedComponentIds.Should().NotContain(baseImageComponent.Component.Id);
+    }
+
+    [TestMethod]
+    public void FilterBaseImageComponents_DependencyGraphsUnchangedWhenFlagDisabled()
+    {
+        var filePath = Path.Join(this.sourceDirectory.FullName, "file1");
+        var singleFileRecorder = this.componentRecorder.CreateSingleFileComponentRecorder(filePath);
+
+        var retainedComponent = new DetectedComponent(new NpmComponent("app-pkg", "1.0.0"), containerDetailsId: 1, containerLayerId: 1);
+        var baseImageComponent = new DetectedComponent(new NpmComponent("base-pkg", "2.0.0"), containerDetailsId: 1, containerLayerId: 0);
+
+        singleFileRecorder.RegisterUsage(retainedComponent, isExplicitReferencedDependency: true);
+        singleFileRecorder.RegisterUsage(baseImageComponent, parentComponentId: retainedComponent.Component.Id);
+
+        var containerDetailsMap = new Dictionary<int, ContainerDetails>
+        {
+            [1] = new ContainerDetails
+            {
+                Id = 1,
+                Layers = [new DockerLayer { LayerIndex = 0, IsBaseImage = true }, new DockerLayer { LayerIndex = 1, IsBaseImage = false }],
+            },
+        };
+
+        var processingResult = new DetectorProcessingResult
+        {
+            ResultCode = ProcessingResultCode.Success,
+            ContainersDetailsMap = containerDetailsMap,
+            ComponentRecorders = [(this.componentDetectorMock.Object, this.componentRecorder)],
+        };
+
+        var result = (DefaultGraphScanResult)this.serviceUnderTest.GenerateScanResultFromProcessingResult(
+            processingResult, new ScanSettings { SourceDirectory = this.sourceDirectory, FilterBaseImageComponents = false });
+
+        // Both components should be present.
+        result.ComponentsFound.Should().HaveCount(2);
+
+        // The dependency graph should still contain both component IDs.
+        var graph = result.DependencyGraphs.Single().Value.Graph;
+        graph.Should().ContainKey(retainedComponent.Component.Id);
+        graph.Should().ContainKey(baseImageComponent.Component.Id);
+    }
 }
