
[BUG] Multi constraint poetry dependency leads to error #727

Closed
flozzone opened this issue Apr 24, 2024 · 6 comments · Fixed by #729
Labels
bug Something isn't working

Comments

flozzone commented Apr 24, 2024

Describe the bug

Using multi-constraint poetry dependencies leads to an error.

To Reproduce

Steps to reproduce the behavior

```shell
poetry new test
```

Adapt the pyproject.toml to include a multi-constraint dependency:

```toml
[tool.poetry]
name = "test"
version = "0.1.0"
description = ""
authors = ["flozzone <[email protected]>"]
readme = "README.md"

[tool.poetry.dependencies]
python = "^3.10"
torch = [
  {url = "https://download.pytorch.org/whl/cpu/torch-2.1.2-cp310-none-macosx_11_0_arm64.whl"},
]

[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
```

Lock dependencies

```shell
poetry lock --no-update
```

This is how the poetry.lock file should look after locking: poetry.lock.txt

And run cyclonedx-py on it

```
$ cyclonedx-py poetry .
CRITICAL | CDX > '<' not supported between instances of 'dict' and 'dict'
```

Expected behavior

Successfully parsed multi-constraint dependency

Screenshots or output-paste

Pasting verbose output of the same command.

```
$ cyclonedx-py poetry . -v
INFO     | CDX > Generating SBOM ...
INFO     | CDX.PoetryBB > add component for package 'torch'
INFO     | CDX.PoetryBB > add component for package 'filelock'
INFO     | CDX.PoetryBB > add component for package 'fsspec'
INFO     | CDX.PoetryBB > add component for package 'jinja2'
INFO     | CDX.PoetryBB > add component for package 'markupsafe'
INFO     | CDX.PoetryBB > add component for package 'networkx'
INFO     | CDX.PoetryBB > add component for package 'sympy'
INFO     | CDX.PoetryBB > add component for package 'mpmath'
INFO     | CDX.PoetryBB > add component for package 'typing-extensions'
INFO     | CDX.PoetryBB > add component for package 'torch'
CRITICAL | CDX > '<' not supported between instances of 'dict' and 'dict'
```

Environment

  • cyclonedx-py version: 4.4.2
  • Python version: 3.10.12
  • OS: Ubuntu 23.10
  • Poetry: 1.6.1

Additional context

Multi-constraint dependencies have been introduced by #660

@flozzone flozzone added the bug Something isn't working label Apr 24, 2024
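The report above turns on one detail: in Poetry's multi-constraint form a dependency's value is a list of tables, and Python 3 refuses to order plain dicts, which is exactly the `'<' not supported between instances of 'dict' and 'dict'` message in the log. The following is an added illustration written for this page; it is not code from cyclonedx-py or cyclonedx-python-lib and says nothing about where that library sorted. It parses a constructed pyproject.toml fragment (the torch URL is the one from the report; the second torch constraint with `markers`, and the `requests` and `numpy` entries, are made up here), normalizes every dependency to a list of constraint dicts, and shows that a keyless sort of those dicts raises while sorting on an explicit tuple of strings does not. The key function `constraint_sort_key` is an assumption about how to get deterministic output, not the library's actual fix.

```python
try:
    import tomllib  # standard library since Python 3.11
except ModuleNotFoundError:  # Python 3.10 (the reporter's environment): pip install tomli
    import tomli as tomllib

# Constructed pyproject.toml fragment. The torch wheel URL is the one from the report;
# the second torch constraint and the other two packages are invented for illustration.
PYPROJECT = """
[tool.poetry.dependencies]
python = "^3.10"
torch = [
  {url = "https://download.pytorch.org/whl/cpu/torch-2.1.2-cp310-none-macosx_11_0_arm64.whl"},
  {version = "2.1.2", markers = "sys_platform != 'darwin'"},
]
requests = "^2.31"
numpy = {version = "^1.26", optional = true}
"""


def normalize_constraints(spec):
    """Poetry accepts a version string, a single inline table, or a list of tables
    (the multi-constraint form). Normalize all three shapes to a list of dicts."""
    if isinstance(spec, str):
        return [{"version": spec}]
    if isinstance(spec, dict):
        return [dict(spec)]
    if isinstance(spec, list):
        return [dict(c) for c in spec]
    raise TypeError(f"unsupported dependency spec: {spec!r}")


def constraint_sort_key(constraint):
    """Dicts are not orderable, so sorting constraint tables directly raises TypeError.
    A tuple of strings is orderable and gives reproducible SBOM ordering (assumed key)."""
    return (
        constraint.get("version", ""),
        constraint.get("url", ""),
        constraint.get("markers", ""),
    )


def load_dependencies(raw_toml):
    """Return {package: [constraint, ...]} with each constraint list sorted deterministically."""
    deps = tomllib.loads(raw_toml)["tool"]["poetry"]["dependencies"]
    result = {}
    for name, spec in deps.items():
        if name == "python":
            continue  # interpreter constraint, not a package component
        result[name] = sorted(normalize_constraints(spec), key=constraint_sort_key)
    return result


def sort_without_key_fails(constraints):
    """Reproduce the failure mode from the report: a plain sort of two or more dicts
    raises TypeError. Returns True when that exact error is observed."""
    try:
        sorted(constraints)
    except TypeError as exc:
        return "'<' not supported" in str(exc)
    return False


if __name__ == "__main__":
    deps = load_dependencies(PYPROJECT)
    for name, constraints in deps.items():
        print(name, constraints)
    print("plain sort of torch constraints raises:", sort_without_key_fails(deps["torch"]))
```

Note that a single-element list never triggers the error, because `sorted` has nothing to compare; the reproducer in the report has only one torch constraint, which is consistent with the maintainer's later finding that the comparison happened elsewhere, in the downstream library.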
jkowalleck (Member) commented

@flozzone to be able to reproduce your example, could you provide the according poetry lock file?

flozzone (Author) commented Apr 25, 2024

@jkowalleck Sure, I've also added the lock file to the repro description on top: poetry.lock.txt (https://github.com/CycloneDX/cyclonedx-python/files/15107162/poetry.lock.txt). Please remove the txt extension after downloading.

jkowalleck (Member) commented

tried to reproduce and fix via #728

but actually, I was unable to reproduce the issue, but generated valid SBOMs instead,
like this one: https://github.com/CycloneDX/cyclonedx-python/blob/9d2cfdb4e4c014bc619c7743d5089ea8882c1faf/tests/_data/infiles/poetry/regression-issue727/pyproject-proto.toml

jkowalleck (Member) commented

@flozzone was unable to reproduce,
and I do not see what all of this has to do with multi constraints - like the title implies.

could you elaborate on all of that?

@jkowalleck jkowalleck added the question Further information is requested label Apr 25, 2024
jkowalleck (Member) commented

did additional testing and found that all is good when using cyclonedx-python-lib (7.3.0)

there appears to be a bug in cyclonedx-python-lib (7.3.1).
see CycloneDX/cyclonedx-python-lib#598

closing this issue here, as it is caused by something else downstream, not caused in this tool

@jkowalleck jkowalleck closed this as not planned Won't fix, can't repro, duplicate, stale Apr 25, 2024
jkowalleck (Member) commented Apr 26, 2024

the cyclonedx-python-lib (7.3.1) got yanked,
a cyclonedx-python-lib (7.3.2) is available, which should fix the issue.

I still might drop a release that excludes this library version from being used...
(no need to change the version constraints, since the broken version was yanked.)

@jkowalleck jkowalleck reopened this Apr 26, 2024
@jkowalleck jkowalleck removed the question Further information is requested label Apr 26, 2024
jkowalleck added a commit that referenced this issue Apr 26, 2024
add regression test for #727 
fixes #727

---------

Signed-off-by: Jan Kowalleck <[email protected]>