conan-io
Deprecated - node.dependencies -> node.edges
Hello In conan 2.21+, the internal field of the dependency graph node.dependencies was renamed to node.edges. When attempting to create an SBOM with the command
conan sbom:cyclonedx --format 1.4_json
at the “Computing dependency graph” stage, the script terminates with the error “WARN: deprecated: Node.dependencies is private and shouldn't be used. It is now node.edges. Please fix your code, Node.dependencies will be removed in future versions” which causes the final sbom to lack transitive dependencies and a dependency graph.
This problem can be fixed by renaming dep.dependencies in the file “extensions/commands/sbom/cmd_cyclonedx.py”
before
for dep in deps_graph.nodes:
if filter_context(dep):
bom.register_dependency(components[dep], [components[dep_dep.dst] for dep_dep in dep.dependencies if filter_context(dep_dep.dst)])
return bom
after
for dep in deps_graph.nodes:
if filter_context(dep):
bom.register_dependency(components[dep], [components[dep_dep.dst] for dep_dep in dep.edges if filter_context(dep_dep.dst)])
return bom
Thanks for reporting this @choose-name!
Recall that the CycloneDX functionality has already moved to Conan built-in, the idea is that this extension command is no longer necessary/used. See https://docs.conan.io/2/reference/tools/sbom.html#cyclonedx
As you already did the investigation, maybe you'd like to contribute a PR with the fix? Don't worry if you can't, we can also do it ourselves.
@memsharded, thank you for responding so quickly!
I will create a PR.
Please tell me, is there no plan to support this extension anymore?
I will create a PR.
Great, many thanks!
Please tell me, is there no plan to support this extension anymore?
We don't plan the deprecate and remove it immediately, but yes, the improvements, fixes, etc are happening now on the built-in code, not here in the extension. We don't oppose to contributions and fixes here, but it is not actively developed by the maintainers.