Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat!: make bom-ref part of equality checks #753

Open
jkowalleck opened this issue Jan 17, 2025 · 3 comments · May be fixed by #678 or #754
Open

feat!: make bom-ref part of equality checks #753

jkowalleck opened this issue Jan 17, 2025 · 3 comments · May be fixed by #678 or #754
Assignees
@jkowalleck
Labels
breaking change enhancement New feature or request

Comments

@jkowalleck
Copy link
Member

jkowalleck commented Jan 17, 2025
edited
Loading

context

Currently, components that differ only in the property bom-ref are treated as equal.
This is for the reason, that bom-ref is actually just a decorative marker for interlinkage.

Anyway, there are external tools and processes that produce CycloneDX like this:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {
      "component": {
      "type": "application",
      "name": "example",
      "version": "1.2.3",
      "bom-ref": "topref"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "styled-engine",
      "version": "5.16.6",
      "bom-ref": "@mui/styled-engine@npm:5.16.6 [296f2]"
    },
    {
      "type": "library",
      "name": "styled-engine",
      "version": "5.16.6",
      "bom-ref": "@mui/styled-engine@npm:5.16.6 [3135b]"
    }
  ],
  "dependencies": [
    {
      "ref": "topref",
      "dependsOn": [
        "@mui/styled-engine@npm:5.16.6 [296f2]",
        "@mui/styled-engine@npm:5.16.6 [3135b]"
      ]
    }
  ]
}

These are, schema-wise, valid CycloneDX.

the problem

when these things are imported by this library, the components get deduplicated (since they are equal) - which causes issues with the dependency tree - and alternates the structure when exporting.

solution

bom-ref MUST be taken into account for the following processes

  • equality and comparison (__eq__, __lt__, __gt__, ...)
  • hashing (__hash__)

❗ Since BomRef will become a central part of hashing and comparison, we need to revisit the respective dunder methods on BomRef.

related

closes #753
@jkowalleck jkowalleck added breaking change enhancement New feature or request labels Jan 17, 2025
@jkowalleck jkowalleck mentioned this issue Jan 17, 2025
Open
@jkowalleck
Copy link
Member Author

@madpah FYI

@jkowalleck jkowalleck self-assigned this Jan 17, 2025
@jkowalleck
Copy link
Member Author

jkowalleck commented Jan 17, 2025
edited
Loading

I will work on a fix, soon.

@jkowalleck jkowalleck pinned this issue Jan 17, 2025
This was referenced Jan 17, 2025
Draft
Draft
@hirsche
Copy link

hirsche commented Jan 30, 2025

I'd ask for this one as well.

I was debugging my code for ages, not getting why some of my "LIBRARY"-Components, I have been adding successfully, where lost after adding other components - well just because they where regarded as the same component and then got overwritten with another component having a different bom-ref but same name.

Of course usually you'd have more properties assigned making them distinguishable over the hash, however, when you start with some basic code and add an "assumed-to-be-a-reference" it is a bit confusion when components get lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jkowalleck jkowalleck

Labels
breaking change enhancement New feature or request
Projects
None yet
Milestone
No milestone
2 participants
@jkowalleck @hirsche