microsoft · pragnya17 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025 · Sep 26, 2025
@@ -3,7 +3,6 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -30,6 +29,6 @@ internal static class CargoComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "cargo",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -3,7 +3,6 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -31,6 +30,6 @@ internal static class MavenComponentExtensions
             Declared = component.LicenseDeclared,
         },
         Type = "maven",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -4,7 +4,6 @@
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
 using System;
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.Internal;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
@@ -40,7 +39,7 @@ internal static class NpmComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "npm",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 
     /// <summary>

@@ -32,6 +32,6 @@ internal static class NuGetComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "nuget",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -3,7 +3,6 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -30,6 +29,6 @@ internal static class PipComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "python",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -3,7 +3,6 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -31,6 +30,6 @@ internal static class PodComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "pod",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -3,7 +3,6 @@
 
 namespace Microsoft.Sbom.Adapters.ComponentDetection;
 
-using System.Linq;
 using Microsoft.ComponentDetection.Contracts.TypedComponent;
 using Microsoft.Sbom.Contracts;
 
@@ -33,6 +32,6 @@ internal static class RubyGemsComponentExtensions
         },
         FilesAnalyzed = false,
         Type = "ruby",
-        DependOn = component.AncestralReferrers?.Select(r => r.Id).ToList(),
+        DependOn = null
     };
 }
@@ -123,6 +123,8 @@ async Task Scan(string path)
 
             var uniqueComponents = FilterScannedComponents(scanResult);
 
+            uniqueComponents = ProcessDependencyGraphs(scanResult, uniqueComponents);
+
             if (configuration.EnablePackageMetadataParsing?.Value == true)
             {
                 if (uniqueComponents.Any())
@@ -217,4 +219,30 @@ async Task Scan(string path)
     }
 
     protected abstract IEnumerable<ScannedComponent> FilterScannedComponents(ScanResult result);
+
+    /// <summary>
+    /// Processes dependency graphs to filter components based on explicitly referenced component IDs.
+    /// </summary>
+    /// <param name="scanResult">The scan result from component detection.</param>
+    /// <param name="uniqueComponents">The collection of unique components to filter.</param>
+    /// <returns>Filtered collection of components that are explicitly referenced in dependency graphs.</returns>
+    private IEnumerable<ScannedComponent> ProcessDependencyGraphs(ScanResult scanResult, IEnumerable<ScannedComponent> uniqueComponents)
+    {
+        var defaultGraphScanResult = scanResult as DefaultGraphScanResult;
+        if (defaultGraphScanResult != null && defaultGraphScanResult.DependencyGraphs != null)
+        {
+            // Collect all explicitly referenced component IDs from all dependency graphs
+            var explicitComponentIds = new HashSet<string>();
+
+            foreach (var dependencyGraphPair in defaultGraphScanResult.DependencyGraphs)
+            {
+                var dependencyGraph = dependencyGraphPair.Value;
+                explicitComponentIds.UnionWith(dependencyGraph.ExplicitlyReferencedComponentIds);
+            }
+
+            return uniqueComponents.Where(component => explicitComponentIds.Contains(component.Component.Id));
+        }
+
+        return uniqueComponents;
+    }
 }
@@ -177,6 +177,27 @@ public void E2E_CompareSPDX22AndSPDX30Manifests_ComparisonAndDeterminismSucceeds
         Assert.AreEqual(SbomEqualityComparisonResult.Equal, areEqual, "The SPDX 2.2 and SPDX 3.0 manifests should be equivalent.");
     }
 
+    [TestMethod]
+    public void E2E_GenerateManifest_GeneratesNoTransitivePackagesAndDeps_ReturnsZeroExitCode()
+    {
+        if (!IsWindows)
+        {
+            Assert.Inconclusive("This test is not (yet) supported on non-Windows platforms.");
+            return;
+        }
+
+        var testFolderPath = CreateTestFolder();
+        GenerateManifestAndValidateSuccess(testFolderPath);
+
+        var originalManifestFolderPath = AppendFullManifestFolderPath(testFolderPath);
+        var originalManifestFilePath = Path.Combine(AppendFullManifestFolderPath(testFolderPath), ManifestFileName);
+
+        var jsonElement = ReadJsonFile(originalManifestFilePath);
+        var packages = jsonElement.GetProperty("packages");
+        var relationships = jsonElement.GetProperty("relationships");
+        Assert.AreEqual(packages.GetArrayLength(), relationships.GetArrayLength(), "The number of relationships should equal the number of packages.");
+    }
+
     [TestMethod]
     public void E2E_GenerateAndRedactManifest_RedactedFileIsSmaller_ReturnsZeroExitCode()
     {