feat(cyclonedx): Add the dependency graph
While CycloneDX's `Dependency` data structure would allow for a nested
graph approach, [1] says that "Graphs with one node of depth are
recommended", so each `Dependency` entry only lists its own respective
direct dependencies.

Resolves #3906.

[1]: https://cyclonedx.org/use-cases/#dependency-graph

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
sschuberth committed Dec 9, 2024
1 parent 5d2b5a6 commit 101f5e4
Showing 5 changed files with 55 additions and 0 deletions.
Expand Up @@ -263,5 +263,17 @@
"url": "pkg:npm/%40ort/project-with-findings@1.0",
"comment": "Package-URL of the project"
}
],
"dependencies": [
{
"ref": "NPM:@ort:project-with-findings:1.0",
"dependsOn": [
"NPM:@ort:no-license-file:1.0",
"NPM:@ort:license-file:1.0",
"NPM:@ort:license-file-and-additional-licenses:1.0",
"NPM:@ort:concluded-license:1.0",
"NPM:@ort:declared-license:1.0"
]
}
]
}
Expand Up @@ -245,6 +245,18 @@
"comment": "URL to the Git repository of the projects"
}
],
"dependencies": [
{
"ref": "https://github.com/oss-review-toolkit/ort.git@main",
"dependsOn": [
"NPM:@ort:no-license-file:1.0",
"NPM:@ort:license-file:1.0",
"NPM:@ort:license-file-and-additional-licenses:1.0",
"NPM:@ort:concluded-license:1.0",
"NPM:@ort:declared-license:1.0"
]
}
],
"vulnerabilities": [
{
"id": "CVE-2021-1234",
Expand Up @@ -361,6 +361,15 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
<comment>URL to the Git repository of the projects</comment>
</reference>
</externalReferences>
<dependencies>
<dependency ref="https://github.com/oss-review-toolkit/ort.git@main">
<dependency ref="NPM:@ort:no-license-file:1.0"/>
<dependency ref="NPM:@ort:license-file:1.0"/>
<dependency ref="NPM:@ort:license-file-and-additional-licenses:1.0"/>
<dependency ref="NPM:@ort:concluded-license:1.0"/>
<dependency ref="NPM:@ort:declared-license:1.0"/>
</dependency>
</dependencies>
<vulnerabilities>
<vulnerability>
<id>CVE-2021-1234</id>
18 changes: 18 additions & 0 deletions plugins/reporters/cyclonedx/src/main/kotlin/BomExtensions.kt
Expand Up @@ -33,6 +33,7 @@ import org.cyclonedx.Version
import org.cyclonedx.generators.BomGeneratorFactory
import org.cyclonedx.model.Bom
import org.cyclonedx.model.Component
import org.cyclonedx.model.Dependency
import org.cyclonedx.model.ExtensibleType
import org.cyclonedx.model.ExternalReference
import org.cyclonedx.model.LicenseChoice
Expand All @@ -48,6 +49,23 @@ import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
import org.ossreviewtoolkit.reporter.ReporterInput
import org.ossreviewtoolkit.utils.ort.ORT_NAME

/**
* Enrich this [Bom] with information about the hierarchy of dependencies, starting with the [parentRef] and its direct
* dependencies given as ORT [ids].
*/
internal fun Bom.addDependencies(input: ReporterInput, parentRef: String, ids: Set<Identifier>) {
val dependency = Dependency(parentRef).apply {
dependencies = ids.map { id -> Dependency(id.toCoordinates()) }
}

if (dependency.dependencies.isNotEmpty()) addDependency(dependency)

ids.forEach { id ->
val directDependencies = input.ortResult.getDependencies(id, maxLevel = 1, omitExcluded = true)
addDependencies(input, id.toCoordinates(), directDependencies)
}
}

/**
* Add a [ExternalReference] of the given [type] to this [Bom] which points to [url] and has an optional [comment].
*/
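Review bot: `addDependencies` recurses through `input.ortResult.getDependencies(...)` without remembering which refs it has already emitted, so a package reachable via two parents gets its `Dependency` entry appended to the BOM once per path (assuming `Bom.addDependency` does not deduplicate), and a cycle in the dependency data, should ORT's model ever contain one, would recurse until the stack overflows. Threading a `visited: MutableSet<String>` through the recursion with a default of `mutableSetOf()` keeps both call sites in `CycloneDxReporter.kt` unchanged, makes each ref appear at most once, and terminates on cycles. The KDoc could also say what the commit message explains, e.g. `Each entry lists only its direct, non-excluded dependencies, following CycloneDX's recommendation of one-level dependency graphs.`
```kotlin
internal fun Bom.addDependencies(
    input: ReporterInput,
    parentRef: String,
    ids: Set<Identifier>,
    visited: MutableSet<String> = mutableSetOf(),
) {
    // Emit each ref at most once even if it is reachable via several parents; this also stops on cycles.
    if (!visited.add(parentRef)) return

    // … unchanged: building the Dependency entry and adding it when non-empty …

    ids.forEach { id ->
        val directDependencies = input.ortResult.getDependencies(id, maxLevel = 1, omitExcluded = true)
        addDependencies(input, id.toCoordinates(), directDependencies, visited)
    }
}
```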
Expand Up @@ -193,6 +193,8 @@ class CycloneDxReporter(
bom.addComponent(input, pkg, dependencyType)
}

bom.addDependencies(input, bom.metadata.component.bomRef, allDirectDependencies)

bom.addVulnerabilities(input.ortResult.getVulnerabilities())

reportFileResults += bom.writeFormats(schemaVersion, outputDir, REPORT_BASE_FILENAME, outputFileExtensions)
Expand Down Expand Up @@ -253,6 +255,8 @@ class CycloneDxReporter(
bom.addComponent(input, pkg, dependencyType)
}

bom.addDependencies(input, bom.metadata.component.bomRef, directDependencies)

bom.addVulnerabilities(input.ortResult.getVulnerabilities())

val reportName = "$REPORT_BASE_FILENAME-${project.id.toPath("-")}"
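Review bot: `bom.metadata.component.bomRef` in the first hunk (and the identical call in the second hunk at the `directDependencies` site) reads through Java platform types, so if the metadata component or its bom-ref were not set earlier in the reporter, passing it to the non-null `parentRef` parameter of `addDependencies` fails with a bare NullPointerException at the call. The code that sets up `bom.metadata` is outside both hunks, so this may well be guaranteed; if so, `val rootRef = requireNotNull(bom.metadata.component.bomRef) { "The BOM's metadata component must have a bom-ref." }` makes the invariant explicit and the failure message useful. The enclosing functions start and end outside both hunks.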
