Dependency warning for root component only
If I create an SBOM with only a root component as follows:
from cyclonedx.model.bom import Bom, BomMetaData
from cyclonedx.model.component import Component
from cyclonedx.output.json import JsonV1Dot6
bom = Bom(metadata=BomMetaData(component=Component(name="test",version="1.2")))
print(JsonV1Dot6(bom).output_as_string())
I get the warning:
/miniforge3/envs/cyclonedx/lib/python3.11/site-packages/cyclonedx/model/bom.py:667: UserWarning: The Component this BOM is describing None has no defined dependencies which means the Dependency Graph is incomplete - you should add direct dependencies to this "root" Component to complete the Dependency Graph data.
warn(
I can validate this SBOM with sbom-utility, and to my understanding this is a valid SBOM. There should be no warning, should there?
I use cyclonedx-python-lib version 7.3.4 and Python 3.11.
+1, if I have a self-written product, it's possible that there are no other dependencies, so I don't understand this warning either.
@weichslgartner / @italvi - can either of you share the generated SBOM which is generating this warning?
@madpah The generated SBOM looks like this:
{
  "dependencies": [
    {
      "ref": "BomRef.14889545775697233.5684912849841712"
    }
  ],
  "metadata": {
    "component": {
      "bom-ref": "BomRef.14889545775697233.5684912849841712",
      "name": "test",
      "type": "library",
      "version": "1.2"
    },
    "timestamp": "2024-09-04T08:40:12.747535+00:00",
    "tools": [
      {
        "externalReferences": [
          {
            "type": "build-system",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions"
          },
          {
            "type": "distribution",
            "url": "https://pypi.org/project/cyclonedx-python-lib/"
          },
          {
            "type": "documentation",
            "url": "https://cyclonedx-python-library.readthedocs.io/"
          },
          {
            "type": "issue-tracker",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues"
          },
          {
            "type": "license",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE"
          },
          {
            "type": "release-notes",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md"
          },
          {
            "type": "vcs",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib"
          },
          {
            "type": "website",
            "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme"
          }
        ],
        "name": "cyclonedx-python-lib",
        "vendor": "CycloneDX",
        "version": "7.3.4"
      }
    ]
  },
  "serialNumber": "urn:uuid:fada3ca3-48c5-4c11-b12d-20e3cafcf37f",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6"
}
@madpah any updates from your side? Will you investigate this topic further? I would have provided a similar SBOM to the one @weichslgartner uploaded.
I tried to address the issue in a PR. Feedback is welcome.
@italvi another way would be to suppress the warning as follows:
import warnings
from cyclonedx.model.bom import BomMetaData, Bom
from cyclonedx.model.component import Component
from cyclonedx.output.json import JsonV1Dot6

with warnings.catch_warnings():
    # Ignore UserWarnings only inside this block; the filter is restored on exit
    warnings.simplefilter('ignore', UserWarning)
    bom = Bom(metadata=BomMetaData(component=Component(name='test', version='1.2')))
    # The "incomplete Dependency Graph" warning is emitted during output, so keep this inside the block
    print(JsonV1Dot6(bom).output_as_string(indent=4))
the implied reasoning of https://github.com/CycloneDX/cyclonedx-python-lib/pull/720 makes sense to me.
- # 2. if root component is set: dependencies should exist for the Component this BOM is describing
- if self.metadata.component and not any(map(
+ # 2. if root component is set and there are other components: dependencies should exist for the Component
+ # this BOM is describing
+ if self.metadata.component and len(self.components) > 0 and not any(map(
lambda d: d.ref == self.metadata.component.bom_ref and len(d.dependencies) > 0, # type: ignore[union-attr]
self.dependencies
)):
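Review bot: the new `len(self.components) > 0` guard resolves the root-only case, but the warning text quoted earlier in this thread reads `The Component this BOM is describing None has no defined dependencies`, so whatever the message interpolates for the root component (in the `warn(` call that follows this condition, not shown in the hunk) resolves to `None`; worth fixing in the same change so the message names the component whenever the warning still fires. Minor style point: `self.components` is already falsy when empty, so `if self.metadata.component and self.components and not any(map(` reads a little cleaner than the explicit `len(...) > 0`.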
we already do not warn, if no metadata component exists. we should also not warn, if no components exist.
PS: given the proposed changes, i'd consider this a non-breaking bug fix. what do you think?
@jkowalleck yes, I also think that is non-breaking as it only removes a warning.
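The rule agreed on above (warn only when a root component is set, other components exist, and the root declares no direct dependencies) is easy to apply to an SBOM after serialization, which is useful when auditing SBOMs produced by other tools. The following is an added example, not code from cyclonedx-python-lib or from anyone in this thread; it reimplements that rule over CycloneDX JSON and additionally flags dependency edges whose refs do not resolve to any bom-ref. The sample SBOM is constructed, shaped like the one posted above but trimmed to the fields the check reads.

```python
import json
from typing import Dict, List

# Constructed sample, shaped like the SBOM posted above but trimmed to the
# fields the check needs: a root-only BOM with an edge-less dependency entry.
ROOT_ONLY_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {"component": {"bom-ref": "root", "name": "test", "version": "1.2"}},
  "dependencies": [{"ref": "root"}]
}""")


def dependency_graph_findings(sbom: Dict) -> List[str]:
    """Return human-readable findings about the SBOM's dependency graph.

    Rule 1 mirrors the patched library check: warn only when a root component
    is set, other components exist, and no dependency entry for the root
    carries a non-empty "dependsOn". Rule 2 (beyond the patch) flags edges
    whose "ref"/"dependsOn" values do not resolve to any known bom-ref.
    """
    findings: List[str] = []
    root = sbom.get("metadata", {}).get("component")
    components = sbom.get("components", [])
    dependencies = sbom.get("dependencies", [])

    known_refs = {c.get("bom-ref") for c in components if c.get("bom-ref")}
    if root and root.get("bom-ref"):
        known_refs.add(root["bom-ref"])

    # Rule 1: a root-only BOM (this issue) legitimately has an empty graph.
    if root and components:
        root_ref = root.get("bom-ref")
        root_has_edges = any(
            d.get("ref") == root_ref and d.get("dependsOn") for d in dependencies
        )
        if not root_has_edges:
            findings.append(
                f"root component {root.get('name')!r} declares no direct "
                f"dependencies although the BOM lists {len(components)} component(s)"
            )

    # Rule 2: every node and edge in the graph must point at a known bom-ref.
    for d in dependencies:
        for ref in [d.get("ref"), *d.get("dependsOn", [])]:
            if ref not in known_refs:
                findings.append(f"dependency entry references unknown bom-ref {ref!r}")
    return findings


if __name__ == "__main__":
    print(dependency_graph_findings(ROOT_ONLY_SBOM) or "dependency graph complete")
```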