feat(cyclonedx): Add the dependency graph

While CycloneDX's `Dependency` data structure would allow for a nested graph approach, [1] says that "Graphs with one node of depth are recommended", so each `Dependency` entry only lists its own respective direct dependencies. Resolves #3906. [1]: https://cyclonedx.org/use-cases/#dependency-graph Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Dec 9, 2024 · 5f2bcd1 · 5f2bcd1
1 parent c87ddc1
commit 5f2bcd1
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 0 deletions.
diff --git a/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json b/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
@@ -263,5 +263,17 @@
       "url": "pkg:npm/%40ort/[email protected]",
       "comment": "Package-URL of the project"
     }
+  ],
+  "dependencies": [
+    {
+      "ref": "NPM:@ort:project-with-findings:1.0",
+      "dependsOn": [
+        "NPM:@ort:no-license-file:1.0",
+        "NPM:@ort:license-file:1.0",
+        "NPM:@ort:license-file-and-additional-licenses:1.0",
+        "NPM:@ort:concluded-license:1.0",
+        "NPM:@ort:declared-license:1.0"
+      ]
+    }
   ]
 }
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -245,6 +245,18 @@
       "comment": "URL to the Git repository of the projects"
     }
   ],
+  "dependencies": [
+    {
+      "ref": "https://github.com/oss-review-toolkit/ort.git@main",
+      "dependsOn": [
+        "NPM:@ort:no-license-file:1.0",
+        "NPM:@ort:license-file:1.0",
+        "NPM:@ort:license-file-and-additional-licenses:1.0",
+        "NPM:@ort:concluded-license:1.0",
+        "NPM:@ort:declared-license:1.0"
+      ]
+    }
+  ],
   "vulnerabilities": [
     {
       "id": "CVE-2021-1234",

diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -361,6 +361,15 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
       <comment>URL to the Git repository of the projects</comment>
     </reference>
   </externalReferences>
+  <dependencies>
+    <dependency ref="https://github.com/oss-review-toolkit/ort.git@main">
+      <dependency ref="NPM:@ort:no-license-file:1.0"/>
+      <dependency ref="NPM:@ort:license-file:1.0"/>
+      <dependency ref="NPM:@ort:license-file-and-additional-licenses:1.0"/>
+      <dependency ref="NPM:@ort:concluded-license:1.0"/>
+      <dependency ref="NPM:@ort:declared-license:1.0"/>
+    </dependency>
+  </dependencies>
   <vulnerabilities>
     <vulnerability>
       <id>CVE-2021-1234</id>

diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/BomExtensions.kt b/plugins/reporters/cyclonedx/src/main/kotlin/BomExtensions.kt
@@ -33,6 +33,7 @@ import org.cyclonedx.Version
 import org.cyclonedx.generators.BomGeneratorFactory
 import org.cyclonedx.model.Bom
 import org.cyclonedx.model.Component
+import org.cyclonedx.model.Dependency
 import org.cyclonedx.model.ExtensibleType
 import org.cyclonedx.model.ExternalReference
 import org.cyclonedx.model.LicenseChoice
@@ -48,6 +49,23 @@ import org.ossreviewtoolkit.model.vulnerabilities.Vulnerability
 import org.ossreviewtoolkit.reporter.ReporterInput
 import org.ossreviewtoolkit.utils.ort.ORT_NAME
 
+/**
+ * Enrich this [Bom] with information about the hierarchy of dependencies, starting with the [parentRef] and its direct
+ * dependencies given as ORT [ids].
+ */
+internal fun Bom.addDependencies(input: ReporterInput, parentRef: String, ids: Set<Identifier>) {
+    val dependency = Dependency(parentRef).apply {
+        dependencies = ids.map { id -> Dependency(id.toCoordinates()) }
+    }
+
+    if (dependency.dependencies.isNotEmpty()) addDependency(dependency)
+
+    ids.forEach { id ->
+        val directDependencies = input.ortResult.getDependencies(id, maxLevel = 1, omitExcluded = true)
+        addDependencies(input, id.toCoordinates(), directDependencies)
+    }
+}
+
 /**
  * Add a [ExternalReference] of the given [type] to this [Bom] which points to [url] and has an optional [comment].
  */

diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -193,6 +193,8 @@ class CycloneDxReporter(
                 bom.addComponent(input, pkg, dependencyType)
             }
 
+            bom.addDependencies(input, bom.metadata.component.bomRef, allDirectDependencies)
+
             bom.addVulnerabilities(input.ortResult.getVulnerabilities())
 
             reportFileResults += bom.writeFormats(schemaVersion, outputDir, REPORT_BASE_FILENAME, outputFileExtensions)
@@ -253,6 +255,8 @@ class CycloneDxReporter(
                     bom.addComponent(input, pkg, dependencyType)
                 }
 
+                bom.addDependencies(input, bom.metadata.component.bomRef, directDependencies)
+
                 bom.addVulnerabilities(input.ortResult.getVulnerabilities())
 
                 val reportName = "$REPORT_BASE_FILENAME-${project.id.toPath("-")}"