Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge is not hierarchical #152

Closed
mmarseu opened this issue Apr 9, 2024 · 1 comment · Fixed by #338
Closed

Merge is not hierarchical #152

mmarseu opened this issue Apr 9, 2024 · 1 comment · Fixed by #338
Assignees
@CBeck-96
Labels
enhancement New feature or request
Milestone
1.0.0

Comments

@mmarseu
Copy link
Collaborator

mmarseu commented Apr 9, 2024

When writing the integration tests, I noticed a surprising behavior of the merge command. I'm not sure whether that's a bug or by design.

When merging two SBOMs, where the first SBOM contains the meta-component of the second SBOM as one of its sub-components, the components of the second SBOM are added to the first at the top level. They are not grouped under the sub-component.

For reference, the official CycloneDX CLI tool has the same behavior but it provides a command-line switch named --hierarchical to change that.

SBOM 1

flowchart 
  main_component --> sub_component_1
  main_component --> sub_component_2
Loading

SBOM 2

flowchart
  sub_component_1 --> dependency_1
  sub_component_1 --> dependency_2
Loading

Actual result

flowchart
  main_component --> sub_component_1
  main_component --> sub_component_2
  main_component --> dependency_1
  main_component --> dependency_2
Loading

Expected result

flowchart
  main_component --> sub_component_1
  main_component --> sub_component_2
  sub_component_1--> dependency_1
  sub_component_1--> dependency_2
Loading
@italvi
Copy link
Collaborator

italvi commented Apr 15, 2024

This was a design decision as the expected result does not reflect the dependency tree. According to the specification the components within a component is not for dependencies but for subsystems within systems.

But your point remains, as some tools include this components within components, so having a flag hierarchical could be a good compromise we can agree on, your opinion @CBeck-96?

@italvi italvi added the enhancement New feature or request label Apr 23, 2024
@italvi italvi mentioned this issue May 6, 2024
Closed
@italvi italvi added this to the 1.0.0 milestone Jul 3, 2024
@CBeck-96 CBeck-96 linked a pull request Dec 15, 2024 that will close this issue
feat: add hierarchical option to merge command #338
Merged
@CBeck-96 CBeck-96 mentioned this issue Dec 15, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@CBeck-96 CBeck-96

Labels
enhancement New feature or request
Projects
None yet
Milestone
1.0.0
Development

Successfully merging a pull request may close this issue.

feat: add hierarchical option to merge command Festo-se/cyclonedx-editor-validator
3 participants
@mmarseu @italvi @CBeck-96