Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

Merge is not hierarchical #152

Open mmarseu opened 5 months ago

mmarseu commented 5 months ago

When writing the integration tests, I noticed a surprising behavior of the merge command. I'm not sure whether that's a bug or by design.

When merging two SBOMs, where the first SBOM contains the meta-component of the second SBOM as one of its sub-components, the components of the second SBOM are added to the first at the top level. They are not grouped under the sub-component.

For reference, the official CycloneDX CLI tool has the same behavior but it provides a command-line switch named --hierarchical to change that.

SBOM 1

```mermaid
flowchart
  main_component --> sub_component_1
  main_component --> sub_component_2
```

SBOM 2

```mermaid
flowchart
  sub_component_1 --> dependency_1
  sub_component_1 --> dependency_2
```

Actual result

```mermaid
flowchart
  main_component --> sub_component_1
  main_component --> sub_component_2
  main_component --> dependency_1
  main_component --> dependency_2
```

Expected result

```mermaid
flowchart
  main_component --> sub_component_1
  main_component --> sub_component_2
  sub_component_1 --> dependency_1
  sub_component_1 --> dependency_2
```

italvi commented 4 months ago

This was a design decision, as the expected result does not reflect the dependency tree. According to the specification, the components within a component are not for dependencies but for subsystems within systems.

But your point remains, as some tools include these components within components, so having a flag hierarchical could be a good compromise we can agree on. Your opinion, @CBeck-96?
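The two merge semantics discussed in this thread, as an added example that is neither part of the issue nor code from cyclonedx-editor-validator or the CycloneDX CLI: `merge_flat` reproduces the "actual result" (the second SBOM's components appended at the top level) and `merge_hierarchical` reproduces the "expected result" (nested under the component that matches the second SBOM's meta-component). Both operate on constructed, minimal CycloneDX 1.5-shaped JSON dicts, and both also union the separate `dependencies` graph, which is where italvi's point lands: the dependency tree is recorded there identically in either mode, so nesting only changes the subsystem view, not the dependency view. All function names are hypothetical, and matching is by `bom-ref` only, an assumption for illustration.

```python
"""Added example (not the project's code): flat vs. hierarchical merge of two
minimal CycloneDX-style SBOM dicts, plus union of the `dependencies` graph.
The SBOMs below are constructed sample data, not the output of any real tool."""
import copy
import json

# Constructed sample SBOM 1: main_component with two direct sub-components.
SBOM_1 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "main_component", "name": "main_component", "type": "application"}},
    "components": [
        {"bom-ref": "sub_component_1", "name": "sub_component_1", "type": "library"},
        {"bom-ref": "sub_component_2", "name": "sub_component_2", "type": "library"},
    ],
    "dependencies": [
        {"ref": "main_component", "dependsOn": ["sub_component_1", "sub_component_2"]},
    ],
}

# Constructed sample SBOM 2: its meta-component is sub_component_1 from SBOM 1.
SBOM_2 = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "sub_component_1", "name": "sub_component_1", "type": "library"}},
    "components": [
        {"bom-ref": "dependency_1", "name": "dependency_1", "type": "library"},
        {"bom-ref": "dependency_2", "name": "dependency_2", "type": "library"},
    ],
    "dependencies": [
        {"ref": "sub_component_1", "dependsOn": ["dependency_1", "dependency_2"]},
    ],
}


def _merge_dependencies(target, source):
    """Union the `dependencies` graphs keyed by ref; dependsOn lists are merged without duplicates."""
    deps = target.setdefault("dependencies", [])
    by_ref = {d["ref"]: d for d in deps}
    for dep in source.get("dependencies", []):
        if dep["ref"] not in by_ref:
            by_ref[dep["ref"]] = {"ref": dep["ref"], "dependsOn": []}
            deps.append(by_ref[dep["ref"]])
        entry = by_ref[dep["ref"]]
        entry.setdefault("dependsOn", [])
        for ref in dep.get("dependsOn", []):
            if ref not in entry["dependsOn"]:
                entry["dependsOn"].append(ref)
    return target


def merge_flat(primary, secondary):
    """Behaviour reported in the issue: secondary's components are appended at the top level."""
    merged = copy.deepcopy(primary)
    comps = merged.setdefault("components", [])
    existing = {c["bom-ref"] for c in comps}
    for comp in secondary.get("components", []):
        if comp["bom-ref"] not in existing:
            comps.append(copy.deepcopy(comp))
    return _merge_dependencies(merged, secondary)


def _find_component(components, bom_ref):
    """Depth-first lookup of a component by bom-ref through nested `components` lists."""
    for comp in components:
        if comp.get("bom-ref") == bom_ref:
            return comp
        found = _find_component(comp.get("components", []), bom_ref)
        if found is not None:
            return found
    return None


def merge_hierarchical(primary, secondary):
    """Nest secondary's components under the primary component whose bom-ref equals
    secondary's meta-component (the 'expected result'); falls back to a flat merge if absent."""
    merged = copy.deepcopy(primary)
    meta_ref = secondary["metadata"]["component"]["bom-ref"]
    parent = _find_component(merged.setdefault("components", []), meta_ref)
    if parent is None:
        return merge_flat(primary, secondary)
    nested = parent.setdefault("components", [])
    existing = {c["bom-ref"] for c in nested}
    for comp in secondary.get("components", []):
        if comp["bom-ref"] not in existing:
            nested.append(copy.deepcopy(comp))
    return _merge_dependencies(merged, secondary)


def top_level_refs(sbom):
    """bom-refs of the top-level components, in order."""
    return [c["bom-ref"] for c in sbom.get("components", [])]


def nested_refs(sbom, bom_ref):
    """bom-refs nested directly under the component with the given bom-ref ([] if none)."""
    parent = _find_component(sbom.get("components", []), bom_ref)
    return [c["bom-ref"] for c in (parent or {}).get("components", [])]


def depends_on(sbom, ref):
    """Sorted dependsOn list for ref from the `dependencies` graph ([] if no entry)."""
    for d in sbom.get("dependencies", []):
        if d["ref"] == ref:
            return sorted(d.get("dependsOn", []))
    return []


if __name__ == "__main__":
    for name, fn in (("flat", merge_flat), ("hierarchical", merge_hierarchical)):
        out = fn(SBOM_1, SBOM_2)
        print(name, "top-level:", top_level_refs(out), "under sub_component_1:", nested_refs(out, "sub_component_1"))
        print(name, "dependencies:", json.dumps(out["dependencies"]))
```

Running it shows the flat merge listing all four components at the top level with nothing under `sub_component_1`, while the hierarchical merge keeps two top-level components and nests `dependency_1` and `dependency_2` beneath `sub_component_1`; the `dependencies` array is identical in both outputs, so a consumer that reads the dependency graph rather than the component nesting sees the same tree either way.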