cyclonedx-python
feat: reproducible output on consecutive runs
I would like the tool to create exactly the same output if I run it on the same (Pipfile.lock) input file twice. This would make it easier to detect changes over time.
There are several places where the outputs differ:
- The bom-ref is a GUID, newly generated on each run. This could be the purl (as cyclonedx-dotnet appears to do).
- The order of externalReferences is not maintained. This could use an OrderedDictionary instead. (see https://github.com/CycloneDX/cyclonedx-python-lib/pull/235)
- The order of components/libraries is not maintained. This could use an OrderedDictionary instead. (see https://github.com/CycloneDX/cyclonedx-python-lib/pull/235)
Tested using a Pipfile.lock file.
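The three sources of churn listed above (a fresh GUID bom-ref per run, unstable externalReferences order, unstable component order) can be normalised away on the consumer side while waiting for the generator to emit stable output. The following is an added example, not code from cyclonedx-python or cyclonedx-python-lib: it rewrites every component's bom-ref to its purl (and patches the dependency graph to match), sorts components and externalReferences deterministically, and serialises with sorted keys. The two input BOMs are constructed to mimic two runs over the same Pipfile.lock; the CycloneDX 1.4 JSON layout is assumed. It also strips serialNumber and metadata.timestamp, which the issue does not mention but which also change on every run.

```python
"""Canonicalise CycloneDX JSON BOMs so two generator runs can be diffed.

Added example for this issue thread; not part of the cyclonedx-python project.
"""
import copy
import json


def normalize_bom(bom):
    """Return a copy of `bom` with run-to-run noise removed (CycloneDX 1.4 JSON assumed)."""
    bom = copy.deepcopy(bom)
    # Not in the issue's list, but these header fields are also regenerated per run.
    bom.pop("serialNumber", None)
    bom.get("metadata", {}).pop("timestamp", None)

    comps = bom.get("components", [])
    # Item 1: use the purl as the stable bom-ref wherever a purl exists.
    ref_map = {c["bom-ref"]: c["purl"] for c in comps if "bom-ref" in c and "purl" in c}
    for c in comps:
        if c.get("bom-ref") in ref_map:
            c["bom-ref"] = ref_map[c["bom-ref"]]
        # Item 2: deterministic externalReferences order (by type, then URL).
        if "externalReferences" in c:
            c["externalReferences"].sort(key=lambda r: (r.get("type", ""), r.get("url", "")))
    # Item 3: deterministic component order (purl first, then name/version as fallback).
    comps.sort(key=lambda c: (c.get("purl") or "", c.get("name", ""), c.get("version", "")))

    # The dependency graph refers to bom-refs, so it must be rewritten and sorted too.
    if "dependencies" in bom:
        for d in bom["dependencies"]:
            d["ref"] = ref_map.get(d["ref"], d["ref"])
            if "dependsOn" in d:
                d["dependsOn"] = sorted(ref_map.get(r, r) for r in d["dependsOn"])
        bom["dependencies"].sort(key=lambda d: d["ref"])
    return bom


def canonical_json(bom):
    """Stable text form: normalised content, sorted keys, fixed indentation."""
    return json.dumps(normalize_bom(bom), sort_keys=True, indent=2) + "\n"


def sample_bom(run):
    """Constructed input: two runs over the same Pipfile.lock that differ only in
    GUID bom-refs, serialNumber/timestamp, and element order."""
    guid_requests = ("b3e8b2c2-7c74-4d0b-9a5e-0a2c6f5c1111" if run == 1
                     else "5d1a2f3e-4b6c-4d7e-8f90-aabbccdd2222")
    guid_urllib3 = ("0f9e8d7c-6b5a-4433-9211-0fedcba93333" if run == 1
                    else "c1d2e3f4-a5b6-4c7d-8e9f-0011223344ab")
    requests = {
        "type": "library", "bom-ref": guid_requests,
        "name": "requests", "version": "2.28.1", "purl": "pkg:pypi/requests@2.28.1",
        "externalReferences": [
            {"type": "vcs", "url": "https://github.com/psf/requests"},
            {"type": "website", "url": "https://requests.readthedocs.io"},
            {"type": "distribution", "url": "https://pypi.org/project/requests/"},
        ],
    }
    urllib3 = {
        "type": "library", "bom-ref": guid_urllib3,
        "name": "urllib3", "version": "1.26.13", "purl": "pkg:pypi/urllib3@1.26.13",
    }
    deps = [
        {"ref": guid_requests, "dependsOn": [guid_urllib3]},
        {"ref": guid_urllib3, "dependsOn": []},
    ]
    if run == 2:  # second run: everything shuffled
        requests["externalReferences"].reverse()
        deps.reverse()
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "serialNumber": f"urn:uuid:{guid_requests}",
        "metadata": {"timestamp": f"2022-12-01T10:00:0{run}Z"},
        "components": [requests, urllib3] if run == 1 else [urllib3, requests],
        "dependencies": deps,
    }


if __name__ == "__main__":
    raw_differs = json.dumps(sample_bom(1)) != json.dumps(sample_bom(2))
    canonical_same = canonical_json(sample_bom(1)) == canonical_json(sample_bom(2))
    print(f"raw output differs: {raw_differs}; canonical output identical: {canonical_same}")
```

Running canonical_json over each generated BOM before storing it makes a plain text diff between consecutive runs show only real changes (a bumped version, an added or removed package) rather than GUID and ordering noise.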
This looks to be an issue with cyclonedx-python-lib. Raised there instead: https://github.com/CycloneDX/cyclonedx-python-lib/issues/227
Actually, the choice of bom-ref is made in cyclonedx-python. Reopening to address that part here. The ordering of elements is addressed here: https://github.com/CycloneDX/cyclonedx-python-lib/pull/235
Hi @RodneyRichardson,
Just cross posting my comment from #361 - totally support points 2 and 3 you raise - best to review my comments on #361 relating to point 1 you raise.
I think it is also worth calling out to the Core Spec Team what your actual Use Case is for "detecting change" between generated BOMs - I'd say that this is a topic that hasn't been considered fully yet with regards to the CDX Specification.
Thoughts @jkowalleck ?
nothing to add.
For item 1, there's now a command-line argument --purl-bom-ref (-pb).
Items 2 and 3 have been addressed by merged PRs.
Can this issue be closed?
re: https://github.com/CycloneDX/cyclonedx-python/issues/355#issuecomment-1351178936 what do you think, @RodneyRichardson ?
I think this issue can be closed. In fact, I'll do it now.