Include dependency tree data about nuget and maven packages (#746)

microsoft · Oct 12, 2024 · e0df463 · e0df463
1 parent 2a6d71e
commit e0df463
Show file tree

Hide file tree

Showing 12 changed files with 51 additions and 13 deletions.
diff --git a/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/ExtendedScannedComponent.cs b/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/ExtendedScannedComponent.cs
@@ -32,6 +32,7 @@ public ExtendedScannedComponent(ScannedComponent? other = null)
         this.DetectorId = other.DetectorId;
         this.IsDevelopmentDependency = other.IsDevelopmentDependency;
         this.TopLevelReferrers = other.TopLevelReferrers;
+        this.AncestralReferrers = other.AncestralReferrers;
     }
 
     /// <summary>

diff --git a/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/MavenComponentExtensions.cs b/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/MavenComponentExtensions.cs
@@ -3,6 +3,7 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
+using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -30,5 +31,6 @@ internal static class MavenComponentExtensions
             Declared = component.LicenseDeclared,
         },
         Type = "maven",
+        DependOn = component.AncestralReferrers?.FirstOrDefault()?.Id,
     };
 }
diff --git a/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/NuGetComponentExtensions.cs b/src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/NuGetComponentExtensions.cs
@@ -32,5 +32,6 @@ internal static class NuGetComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "nuget",
+        DependOn = component.AncestralReferrers?.FirstOrDefault()?.Id,
     };
 }
diff --git a/src/Microsoft.Sbom.Api/Executors/PackageInfoJsonWriter.cs b/src/Microsoft.Sbom.Api/Executors/PackageInfoJsonWriter.cs
@@ -66,7 +66,7 @@ private async Task GenerateJson(
             {
                 var generationResult =
                     manifestGeneratorProvider.Get(sbomConfig.ManifestInfo).GenerateJsonDocument(packageInfo);
-                sbomConfig.Recorder.RecordPackageId(generationResult?.ResultMetadata?.EntityId);
+                sbomConfig.Recorder.RecordPackageId(generationResult?.ResultMetadata?.EntityId, generationResult?.ResultMetadata?.DependOn);
                 await result.Writer.WriteAsync((generationResult?.Document, sbomConfig.JsonSerializer));
             }
         }

diff --git a/src/Microsoft.Sbom.Api/Recorder/SBOMPackageDetailsRecorder.cs b/src/Microsoft.Sbom.Api/Recorder/SBOMPackageDetailsRecorder.cs
@@ -21,7 +21,7 @@ public class SbomPackageDetailsRecorder : ISbomPackageDetailsRecorder
     private string documentId;
     private readonly ConcurrentBag<string> fileIds = new ConcurrentBag<string>();
     private readonly ConcurrentBag<string> spdxFileIds = new ConcurrentBag<string>();
-    private readonly ConcurrentBag<string> packageIds = new ConcurrentBag<string>();
+    private readonly ConcurrentBag<KeyValuePair<string, string>> packageDependOnIdPairs = new ConcurrentBag<KeyValuePair<string, string>>();
     private readonly ConcurrentBag<KeyValuePair<string, string>> externalDocumentRefIdRootElementPairs = new ConcurrentBag<KeyValuePair<string, string>>();
     private readonly ConcurrentBag<Checksum[]> checksums = new ConcurrentBag<Checksum[]>();
 
@@ -50,17 +50,18 @@ public void RecordSPDXFileId(string spdxFileId)
     }
 
     /// <summary>
-    /// Record a packageId that is included in this SBOM.
+    /// Record a packageId and dependon package that is included in this SBOM.
     /// </summary>
     /// <param name="packageId"></param>
-    public void RecordPackageId(string packageId)
+    /// <param name="dependOn"></param>
+    public void RecordPackageId(string packageId, string dependOn)
     {
         if (string.IsNullOrEmpty(packageId))
         {
             throw new ArgumentException($"'{nameof(packageId)}' cannot be null or empty.", nameof(packageId));
         }
 
-        packageIds.Add(packageId);
+        packageDependOnIdPairs.Add(new KeyValuePair<string, string>(packageId, dependOn));
     }
 
     /// <summary>
@@ -84,7 +85,7 @@ public GenerationData GetGenerationData()
             Checksums = checksums.ToList(),
             FileIds = fileIds.ToList(),
             SPDXFileIds = spdxFileIds.ToList(),
-            PackageIds = packageIds.ToList(),
+            PackageIds = packageDependOnIdPairs.ToList(),
             ExternalDocumentReferenceIDs = externalDocumentRefIdRootElementPairs.ToList(),
             RootPackageId = rootPackageId,
             DocumentId = documentId

diff --git a/src/Microsoft.Sbom.Api/Workflows/Helpers/RelationshipsArrayGenerator.cs b/src/Microsoft.Sbom.Api/Workflows/Helpers/RelationshipsArrayGenerator.cs
@@ -67,8 +67,7 @@ public async Task<IList<FileValidationResult>> GenerateAsync()
                         generator.Run(
                             GetRelationships(
                                 RelationshipType.DEPENDS_ON,
-                                generationData.RootPackageId,
-                                generationData.PackageIds),
+                                generationData),
                             sbomConfig.ManifestInfo),
 
                         // Root package relationship
@@ -116,6 +115,22 @@ public async Task<IList<FileValidationResult>> GenerateAsync()
         }
     }
 
+    private IEnumerator<Relationship> GetRelationships(RelationshipType relationshipType, GenerationData generationData)
+    {
+        foreach (var targetElementId in generationData.PackageIds)
+        {
+            if (targetElementId.Key != null || generationData.RootPackageId != null)
+            {
+                yield return new Relationship
+                {
+                    RelationshipType = relationshipType,
+                    TargetElementId = targetElementId.Key,
+                    SourceElementId = targetElementId.Value ?? generationData.RootPackageId
+                };
+            }
+        }
+    }
+
     private IEnumerator<Relationship> GetRelationships(RelationshipType relationshipType, string sourceElementId, IEnumerable<string> targetElementIds)
     {
         foreach (var targetElementId in targetElementIds)

diff --git a/src/Microsoft.Sbom.Contracts/Contracts/SBOMPackage.cs b/src/Microsoft.Sbom.Contracts/Contracts/SBOMPackage.cs
@@ -66,4 +66,9 @@ public class SbomPackage
     /// Gets or sets type of the package (e.g npm, git, nuget).
     /// </summary>
     public string Type { get; set; }
+
+    /// <summary>
+    /// Get or set unique identifier (Id) of DependOn package
+    /// </summary>
+    public string DependOn { get; set; }
 }
diff --git a/src/Microsoft.Sbom.Extensions/Entities/GenerationData.cs b/src/Microsoft.Sbom.Extensions/Entities/GenerationData.cs
@@ -32,7 +32,7 @@ public class GenerationData // TODO: Move to contracts
     /// Gets or sets a list of all the unique ids that were generated for each package that was
     /// traversed for this SBOM.
     /// </summary>
-    public IList<string> PackageIds { get; set; }
+    public IList<KeyValuePair<string, string>> PackageIds { get; set; }
 
     /// <summary>
     /// Gets or sets a list of pairs of ExternalDocumentReference IDs and described element IDs that are referenced in the SBOM.

diff --git a/src/Microsoft.Sbom.Extensions/Entities/ResultMetadata.cs b/src/Microsoft.Sbom.Extensions/Entities/ResultMetadata.cs
@@ -18,4 +18,9 @@ public class ResultMetadata
     /// Gets or sets the generated id of the current SBOM document.
     /// </summary>
     public string DocumentId { get; set; }
+
+    /// <summary>
+    /// get or set unique identifier (Id) of DependOn package
+    /// </summary>
+    public string DependOn { get; set; }
 }
diff --git a/src/Microsoft.Sbom.Extensions/ISbomPackageDetailsRecorder.cs b/src/Microsoft.Sbom.Extensions/ISbomPackageDetailsRecorder.cs
@@ -23,10 +23,11 @@ public interface ISbomPackageDetailsRecorder
     void RecordSPDXFileId(string spdxFileId);
 
     /// <summary>
-    /// Record a packageId that is included in this SBOM.
+    /// Record a packageId and dependon package that is included in this SBOM.
     /// </summary>
     /// <param name="packageId"></param>
-    void RecordPackageId(string packageId);
+    /// <param name="dependOn"></param>
+    void RecordPackageId(string packageId, string dependOn);
 
     /// <summary>
     /// Record a externalDocumentReference Id that is included in this SBOM.

diff --git a/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Generator.cs b/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Generator.cs
@@ -167,12 +167,19 @@ public GenerationResult GenerateJsonDocument(SbomPackage packageInfo)
         var packageId = spdxPackage.AddSpdxId(packageInfo);
         spdxPackage.AddPackageUrls(packageInfo);
 
+        var dependOnId = packageInfo.DependOn;
+        if (dependOnId is not null && dependOnId != Constants.RootPackageIdValue)
+        {
+            dependOnId = SPDXExtensions.GenerateSpdxPackageId(packageInfo.DependOn);
+        }
+
         return new GenerationResult
         {
             Document = JsonDocument.Parse(JsonSerializer.Serialize(spdxPackage)),
             ResultMetadata = new ResultMetadata
             {
-                EntityId = packageId
+                EntityId = packageId,
+                DependOn = dependOnId
             }
         };
     }

diff --git a/test/Microsoft.Sbom.Api.Tests/Workflows/Helpers/RelationshipsArrayGeneratorTest.cs b/test/Microsoft.Sbom.Api.Tests/Workflows/Helpers/RelationshipsArrayGeneratorTest.cs
@@ -150,7 +150,7 @@ public async Task When_PackageGenerationDataExist_DependOnRelationshipsAreGenera
     {
         recorder.RecordDocumentId(DocumentId);
         recorder.RecordRootPackageId(RootPackageId);
-        recorder.RecordPackageId(PackageId1);
+        recorder.RecordPackageId(PackageId1, RootPackageId);
         var results = await relationshipsArrayGenerator.GenerateAsync();
 
         Assert.AreEqual(0, results.Count);