SBOM.get_files sometimes returns a dictionary rather than a list

[Malcolmnixon]

The SBOM.get_files() function is typed as returning a List: https://github.com/anthonyharrison/lib4sbom/blob/45c891cb64148f16f722fbc39b12b7f1fb253a57/lib4sbom/sbom.py#L64-L68

The SBOM.add_files() function takes a dictionary of files and stores the dictionary of files: https://github.com/anthonyharrison/lib4sbom/blob/45c891cb64148f16f722fbc39b12b7f1fb253a57/lib4sbom/sbom.py#L29-L30

The three scenarios that can occur are:

1. SBOM.get_files() is called when SBOM.add_files() has not been called
2. SBOM.get_files() is called when SBOM.add_files() has been called with an empty dictionary (no files)
3. SBOM.get_files() is called when SBOM.add_files() has been called with a dictionary containing 1 or more files

In case 1 the function returns a List because "files" is not in the dictionary, and so a default List is returned. In case 3 the function returns a List because the list-comprehension generates a new list. In case 2 the function returns a Dictionary because the dictionary is empty and so is returned unmodified.

This is resulting in a crash of in the https://github.com/anthonyharrison/sbommerge utility. Specifically if it's provided an SBOM with an empty file list, it gets a dictionary rather than a list, and its iteration throws due to getting an unexpected type.

[anthonyharrison]

@Malcolmnixon Thanks for finding this and providing a description of the different scenarios .

I have added an extra check in the add_files function to check for an empty file list.

There is also a corresponding issue with the add_packages function which I have also fixed.