Skip to content

Include only directly referenced packages #1237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pragnya17 wants to merge 13 commits into
base: main
Choose a base branch
from
Open

Include only directly referenced packages #1237

pragnya17 wants to merge 13 commits into from

Conversation

@pragnya17
Copy link
Contributor

@pragnya17 pragnya17 commented Sep 26, 2025
edited
Loading

Compliance requirements have led us to simplify the package dependency tree that is reported in SBOMs. There were issues in the original implementation of how transitive package dependencies were being represented in SBOMs, therefore we are making the default behavior to just include directly referenced packages. This means that the packages and relationships sections of SBOMs will be impacted, and will now only represent explicitly referenced packages.

In summary the goals are:

  1. Only include explicitly referenced packages in the packages array (this is achieved by ProcessDependencyGraphs).
  2. Only include direct dependencies in the relationships list (this is achieved by the changes to the DependsOn property).

@pragnya17 pragnya17 requested a review from a team as a code owner September 26, 2025 17:41
@github-actions
Copy link

github-actions bot commented Sep 26, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

1 similar comment
@github-actions
Copy link

github-actions bot commented Sep 26, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@pragnya17
Copy link
Contributor Author

pragnya17 commented Sep 26, 2025

/azp run

1 similar comment
@pragnya17
Copy link
Contributor Author

pragnya17 commented Sep 26, 2025

/azp run

sfoslund
sfoslund reviewed Sep 26, 2025
View reviewed changes
KalleOlaviNiemitalo
KalleOlaviNiemitalo reviewed Sep 26, 2025
View reviewed changes
Copy link

@KalleOlaviNiemitalo KalleOlaviNiemitalo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we are making the default behavior to just include directly referenced packages

That being the "default" behavior, is there a way to choose a different behavior?

src/Microsoft.Sbom.Api/Executors/ComponentDetectionBaseWalker.cs Outdated
Comment on lines 116 to 118
var scanResult = await componentDetector.ScanAsync(scanSettings) as DefaultGraphScanResult;

if (scanResult.ResultCode != ProcessingResultCode.Success)
Copy link

@KalleOlaviNiemitalo KalleOlaviNiemitalo Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this does bot tolerate scanResult being null, you should just cast rather than use as; so that if the type does not match, you get an InvalidCastException that shows which type it is, rather than NullReferenceException.

Copy link
Contributor Author

@pragnya17 pragnya17 Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added a null check, so this should no longer be an issue

alisonlomaka
alisonlomaka reviewed Sep 26, 2025
View reviewed changes
src/Microsoft.Sbom.Api/Executors/ComponentDetectionBaseWalker.cs Outdated
}

uniqueComponents = uniqueComponents
.Where(component => explicitComponentIds.Contains(component.Component.Id));
Copy link
Member

@alisonlomaka alisonlomaka Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure how this will behave if the uniqueComponents are SbomComponents. Perhaps this logic should move inside PackagesWalker.FilterScannedComponents?

Copy link
Contributor Author

@pragnya17 pragnya17 Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since FilterScannedComponents is an abstract method, I'd have to duplicate the logic amongst PackagesWalker and SbomComponentsWalker, so I chose to add the code here instead, to avoid repetition. I did refactor into a separate method which is called after the FilterScannedComponents though, so now we are getting explicit components after filtering for SpdxComponents.

@pragnya17
Copy link
Contributor Author

pragnya17 commented Sep 30, 2025

/azp run

@microsoft microsoft deleted a comment from github-actions bot Sep 30, 2025
@microsoft microsoft deleted a comment from github-actions bot Sep 30, 2025
@microsoft microsoft deleted a comment from github-actions bot Sep 30, 2025
@microsoft microsoft deleted a comment from github-actions bot Sep 30, 2025
@microsoft microsoft deleted a comment from github-actions bot Sep 30, 2025
@pragnya17
Copy link
Contributor Author

pragnya17 commented Sep 30, 2025

/azp run

@github-actions
Copy link

github-actions bot commented Sep 30, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@github-actions
Copy link

github-actions bot commented Sep 30, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@github-actions
Copy link

github-actions bot commented Sep 30, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

@github-actions
Copy link

github-actions bot commented Sep 30, 2025

This PR changes files in the API project. Does it change any of the API interfaces in any way? Please note that this includes the following types of changes:

  • Changing the signature of an existing interface method
  • Adding a new method to an existing interface
  • Adding a required data member to a class that an existing interface method consumes

Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following:

Option 1 - Publish this as a breaking change

  1. Update the documentation to show the new functionality
  2. Bump the major version in the next release
  3. Be sure to highlight the breaking changes in the release notes

Option 2 - Refactor the changes to be non-breaking

  1. Review this commit, which adds a new interface in a backward-compatible way
  2. Refactor the change to follow this pattern so that existing interfaces are left completely intact
  3. Bump the minor version in the next release

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alisonlomaka alisonlomaka alisonlomaka left review comments

@sfoslund sfoslund sfoslund approved these changes

+1 more reviewer

@KalleOlaviNiemitalo KalleOlaviNiemitalo KalleOlaviNiemitalo left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@pragnya17 @sfoslund @KalleOlaviNiemitalo @alisonlomaka