feat(cyclonedx): support dependency graph (#3177)

Co-authored-by: knqyf263 <[email protected]>

Author: afdesk

integration/client_server_test.go

@@ -57,17 +57,23 @@ func TestClientServer(t *testing.T) {
 			name: "alpine 3.9 with high and critical severity",
 			args: csArgs{
 				IgnoreUnfixed: true,
-				Severity:      []string{"HIGH", "CRITICAL"},
-				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+				Severity: []string{
+					"HIGH",
+					"CRITICAL",
+				},
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-high-critical.json.golden",
 		},
 		{
 			name: "alpine 3.9 with .trivyignore",
 			args: csArgs{
 				IgnoreUnfixed: false,
-				IgnoreIDs:     []string{"CVE-2019-1549", "CVE-2019-14697"},
-				Input:         "testdata/fixtures/images/alpine-39.tar.gz",
+				IgnoreIDs: []string{
+					"CVE-2019-1549",
+					"CVE-2019-14697",
+				},
+				Input: "testdata/fixtures/images/alpine-39.tar.gz",
 			},
 			golden: "testdata/alpine-39-ignore-cveids.json.golden",
 		},
@@ -401,7 +407,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 		args                  csArgs
 		wantComponentsCount   int
 		wantDependenciesCount int
-		wantDependsOnCount    []int
 	}{
 		{
 			name: "fluentd with RubyGems with CycloneDX format",
@@ -410,11 +415,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
 			},
 			wantComponentsCount:   161,
-			wantDependenciesCount: 2,
-			wantDependsOnCount: []int{
-				105,
-				56,
-			},
+			wantDependenciesCount: 80,
 		},
 	}
 
@@ -437,9 +438,6 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 
 			assert.EqualValues(t, tt.wantComponentsCount, len(lo.FromPtr(got.Components)))
 			assert.EqualValues(t, tt.wantDependenciesCount, len(lo.FromPtr(got.Dependencies)))
-			for i, dep := range *got.Dependencies {
-				assert.EqualValues(t, tt.wantDependsOnCount[i], len(lo.FromPtr(dep.Dependencies)))
-			}
 		})
 	}
 }
@@ -577,9 +575,21 @@ func setup(t *testing.T, options setupOptions) (string, string) {
 }
 
 func setupServer(addr, token, tokenHeader, cacheDir, cacheBackend string) []string {
-	osArgs := []string{"--cache-dir", cacheDir, "server", "--skip-update", "--listen", addr}
+	osArgs := []string{
+		"--cache-dir",
+		cacheDir,
+		"server",
+		"--skip-update",
+		"--listen",
+		addr,
+	}
 	if token != "" {
-		osArgs = append(osArgs, []string{"--token", token, "--token-header", tokenHeader}...)
+		osArgs = append(osArgs, []string{
+			"--token",
+			token,
+			"--token-header",
+			tokenHeader,
+		}...)
 	}
 	if cacheBackend != "" {
 		osArgs = append(osArgs, "--cache-backend", cacheBackend)
@@ -595,7 +605,13 @@ func setupClient(t *testing.T, c csArgs, addr string, cacheDir string, golden st
 		c.RemoteAddrOption = "--server"
 	}
 	t.Helper()
-	osArgs := []string{"--cache-dir", cacheDir, c.Command, c.RemoteAddrOption, "http://" + addr}
+	osArgs := []string{
+		"--cache-dir",
+		cacheDir,
+		c.Command,
+		c.RemoteAddrOption,
+		"http://" + addr,
+	}
 
 	if c.Format != "" {
 		osArgs = append(osArgs, "--format", c.Format)

integration/testdata/conda-cyclonedx.json.golden

@@ -80,4 +80,4 @@
     }
   ],
   "vulnerabilities": []
-}
+}

pkg/fanal/types/artifact.go

@@ -134,6 +134,24 @@ func (pkgs Packages) Less(i, j int) bool {
 	return pkgs[i].FilePath < pkgs[j].FilePath
 }
 
+// ParentDeps returns a map where the keys are package IDs and the values are the packages
+// that depend on the respective package ID (parent dependencies).
+func (pkgs Packages) ParentDeps() map[string]Packages {
+	parents := make(map[string]Packages)
+	for _, pkg := range pkgs {
+		for _, dependOn := range pkg.DependsOn {
+			parents[dependOn] = append(parents[dependOn], pkg)
+		}
+	}
+
+	for k, v := range parents {
+		parents[k] = lo.UniqBy(v, func(pkg Package) string {
+			return pkg.ID
+		})
+	}
+	return parents
+}
+
 type SrcPackage struct {
 	Name        string   `json:"name"`
 	Version     string   `json:"version"`

pkg/report/table/vulnerability.go

@@ -146,7 +146,7 @@ func (r *vulnerabilityRenderer) countSeverities(vulns []types.DetectedVulnerabil
 
 func (r *vulnerabilityRenderer) renderDependencyTree() {
 	// Get parents of each dependency
-	parents := reverseDeps(r.result.Packages)
+	parents := ftypes.Packages(r.result.Packages).ParentDeps()
 	if len(parents) == 0 {
 		return
 	}
@@ -232,22 +232,6 @@ func addParents(topItem treeprint.Tree, pkg ftypes.Package, parentMap map[string
 	}
 }
 
-func reverseDeps(pkgs []ftypes.Package) map[string]ftypes.Packages {
-	reversed := make(map[string]ftypes.Packages)
-	for _, pkg := range pkgs {
-		for _, dependOn := range pkg.DependsOn {
-			reversed[dependOn] = append(reversed[dependOn], pkg)
-		}
-	}
-
-	for k, v := range reversed {
-		reversed[k] = lo.UniqBy(v, func(pkg ftypes.Package) string {
-			return pkg.ID
-		})
-	}
-	return reversed
-}
-
 func traverseAncestors(pkgs []ftypes.Package, parentMap map[string]ftypes.Packages) map[string][]string {
 	ancestors := map[string][]string{}
 	for _, pkg := range pkgs {

pkg/sbom/cyclonedx/marshal.go

@@ -192,22 +192,32 @@ func externalRef(bomLink string, bomRef string) (string, error) {
 
 func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
 	components := make([]cdx.Component, 0) // To export an empty array in JSON
-	var dependencies []cdx.Dependency
+	// we use map to avoid duplicate components
+	dependencies := map[string]cdx.Dependency{}
 	metadataDependencies := make([]string, 0) // To export an empty array in JSON
 	libraryUniqMap := map[string]struct{}{}
 	vulnMap := map[string]cdx.Vulnerability{}
 	for _, result := range r.Results {
 		bomRefMap := map[string]string{}
-		var componentDependencies []string
+		pkgIDToRef := map[string]string{}
+		var directDepRefs []string
+
+		// Get dependency parents first
+		parents := ftypes.Packages(result.Packages).ParentDeps()
+
 		for _, pkg := range result.Packages {
 			pkgComponent, err := pkgToCdxComponent(result.Type, r.Metadata, pkg)
 			if err != nil {
 				return nil, nil, nil, xerrors.Errorf("failed to parse pkg: %w", err)
 			}
 			pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
-			if _, ok := bomRefMap[pkgID]; !ok {
-				bomRefMap[pkgID] = pkgComponent.BOMRef
-				componentDependencies = append(componentDependencies, pkgComponent.BOMRef)
+			bomRefMap[pkgID] = pkgComponent.BOMRef
+			if pkg.ID != "" {
+				pkgIDToRef[pkg.ID] = pkgComponent.BOMRef
+			}
+			// This package is a direct dependency
+			if !pkg.Indirect || len(parents[pkg.ID]) == 0 {
+				directDepRefs = append(directDepRefs, pkgComponent.BOMRef)
 			}
 
 			// When multiple lock files have the same dependency with the same name and version,
@@ -226,12 +236,30 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 
 				// For components
 				// ref. https://cyclonedx.org/use-cases/#inventory
-				//
-				// TODO: All packages are flattened at the moment. We should construct dependency tree.
 				components = append(components, pkgComponent)
 			}
 		}
 
+		// Iterate packages again to build dependency graph
+		for _, pkg := range result.Packages {
+			deps := lo.FilterMap(pkg.DependsOn, func(dep string, _ int) (string, bool) {
+				if ref, ok := pkgIDToRef[dep]; ok {
+					return ref, true
+				}
+				return "", false
+			})
+			if len(deps) == 0 {
+				continue
+			}
+			sort.Strings(deps)
+			ref := pkgIDToRef[pkg.ID]
+			dependencies[ref] = cdx.Dependency{
+				Ref:          ref,
+				Dependencies: &deps,
+			}
+		}
+		sort.Strings(directDepRefs)
+
 		for _, vuln := range result.Vulnerabilities {
 			// Take a bom-ref
 			pkgID := packageID(result.Target, vuln.PkgName, vuln.InstalledVersion, vuln.PkgPath)
@@ -260,7 +288,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 			// ref. https://cyclonedx.org/use-cases/#inventory
 
 			// Dependency graph from #1 to #2
-			metadataDependencies = append(metadataDependencies, componentDependencies...)
+			metadataDependencies = append(metadataDependencies, directDepRefs...)
 		} else if result.Class == types.ClassOSPkg || result.Class == types.ClassLangPkg {
 			// If a package is OS package, it will be a dependency of "Operating System" component.
 			// e.g.
@@ -283,29 +311,29 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 			components = append(components, resultComponent)
 
 			// Dependency graph from #2 to #3
-			dependencies = append(dependencies,
-				cdx.Dependency{
-					Ref:          resultComponent.BOMRef,
-					Dependencies: &componentDependencies,
-				},
-			)
-
+			dependencies[resultComponent.BOMRef] = cdx.Dependency{
+				Ref:          resultComponent.BOMRef,
+				Dependencies: &directDepRefs,
+			}
 			// Dependency graph from #1 to #2
 			metadataDependencies = append(metadataDependencies, resultComponent.BOMRef)
 		}
 	}
+
 	vulns := maps.Values(vulnMap)
 	sort.Slice(vulns, func(i, j int) bool {
 		return vulns[i].ID > vulns[j].ID
 	})
 
-	dependencies = append(dependencies,
-		cdx.Dependency{
-			Ref:          bomRef,
-			Dependencies: &metadataDependencies,
-		},
-	)
-	return &components, &dependencies, &vulns, nil
+	dependencies[bomRef] = cdx.Dependency{
+		Ref:          bomRef,
+		Dependencies: &metadataDependencies,
+	}
+	dependencyList := maps.Values(dependencies)
+	sort.Slice(dependencyList, func(i, j int) bool {
+		return dependencyList[i].Ref < dependencyList[j].Ref
+	})
+	return &components, &dependencyList, &vulns, nil
 }
 
 func packageID(target, pkgName, pkgVersion, pkgFilePath string) string {