fix: lossless flattening of dependency graph during JSON serialization#993
Conversation
Relates to #941. Signed-off-by: stefan6419846 <96178532+stefan6419846@users.noreply.github.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Codacy report: Up to standards ✅

| Metric | Results |
|---|---|
| Complexity | 17 |
| Duplication | 1 |
| Diff coverage | ✅ 100.00% (3 of 3 coverable lines added or modified by #993 are covered; threshold 80.00%) |
| Coverage variation | Not reported: no coverage report was received for the common ancestor commit (a8579b8). The head commit (76f1830) covers 5729 of 6079 coverable lines (94.24%). |
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@stefan6419846 see this proposed fix for #941. Implementation is working as expected. If you have additional test cases, just pull-request them to the branch of this PR.
Pull request overview
This PR addresses #941 by ensuring nested cyclonedx.model.dependency.Dependency graphs are flattened into the CycloneDX JSON-required “flat list of nodes” form during JSON rendering, so nested dependency information is not silently lost.
Changes:
- Added a BomDependencyGraphFlatMerger utility (context manager) to flatten/merge nested dependency trees into a flat dependency list.
- Wrapped JSON output generation with the dependency flattener to produce correct JSON dependencies output.
- Added tests + new snapshot fixtures covering the nested-dependency scenario across schema versions.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| cyclonedx/output/json.py | Applies dependency flattening during JSON generation via a context manager. |
| cyclonedx/contrib/bom/utils.py | Introduces BomDependencyGraphFlatMerger to flatten/merge nested dependency graphs. |
| cyclonedx/contrib/bom/__init__.py | Adds contrib BOM package marker/docstring. |
| tests/test_contrib/test_bom_utils.py | Adds unit tests for flatten/merge + reset behavior. |
| tests/test_contrib/__init__.py | Adds test package marker. |
| tests/_data/models.py | Adds a new BOM factory reproducing issue #941. |
| tests/_data/snapshots/*issue941* | Adds expected XML/JSON snapshots demonstrating correct serialization output. |
This PR shall be split in two:
Description
Flatten nested dependency tree when rendering JSON.
Resolves or fixes issue: #941
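The behaviour this PR fixes is easiest to see on a small graph: CycloneDX JSON expects dependencies as a flat list of {ref, dependsOn} nodes, so a nested tree in which lib-a's own dependencies only live inside the nested node for lib-a loses those edges if only the top level is rendered. The following is an added, stand-alone example (not the project's BomDependencyGraphFlatMerger and not code from this PR): Dep is a hypothetical stand-in for a nested dependency node, the purl-style refs are constructed sample data, and flatten_dependency_graph shows one lossless flattening that merges a ref occurring in several subtrees, tolerates cycles, and gives leaf nodes their own entry. dangling_refs is a check a practitioner can run over any rendered dependencies array: a dependsOn ref with no node of its own is the symptom of a lossy rendering.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class Dep:
    # Hypothetical stand-in for a nested dependency node (ref + direct dependencies).
    # It is not cyclonedx.model.dependency.Dependency, only the same nested shape.
    ref: str
    depends_on: list[Dep] = field(default_factory=list)


def render_top_level_only(roots: Iterable[Dep]) -> list[dict]:
    """The lossy rendering: only the roots become nodes, so nested nodes' edges vanish."""
    return [{"ref": r.ref, "dependsOn": sorted(c.ref for c in r.depends_on)} for r in roots]


def flatten_dependency_graph(roots: Iterable[Dep]) -> list[dict]:
    """Lossless flattening into CycloneDX JSON's flat list of {ref, dependsOn} nodes.

    Every Dep object reachable from the roots is visited exactly once (tracked by
    object identity, so a cyclic graph terminates) and its edges are merged into the
    entry for its ref, so a ref that occurs in several subtrees gets the union of
    its dependsOn sets. Leaves get an entry with an empty dependsOn.
    """
    merged: dict[str, set[str]] = {}
    seen: set[int] = set()
    stack: list[Dep] = list(roots)
    while stack:
        node = stack.pop()
        if id(node) in seen:
            continue
        seen.add(id(node))
        edges = merged.setdefault(node.ref, set())
        for child in node.depends_on:
            edges.add(child.ref)
            merged.setdefault(child.ref, set())  # leaf nodes still get their own entry
            stack.append(child)
    return [{"ref": ref, "dependsOn": sorted(deps)} for ref, deps in sorted(merged.items())]


def dangling_refs(flat: list[dict]) -> set[str]:
    """Refs named in some dependsOn that have no node of their own (lossy rendering symptom)."""
    known = {n["ref"] for n in flat}
    return {d for n in flat for d in n["dependsOn"] if d not in known}


def lost_edges(roots: Iterable[Dep]) -> set[tuple[str, str]]:
    """Edges present in the nested tree but missing from the top-level-only rendering."""
    roots = list(roots)
    full = {(n["ref"], d) for n in flatten_dependency_graph(roots) for d in n["dependsOn"]}
    naive = {(n["ref"], d) for n in render_top_level_only(roots) for d in n["dependsOn"]}
    return full - naive


# Constructed sample (not from the PR's fixtures): the application depends on lib-a and
# lib-c; lib-a's dependency on lib-b exists only inside the nested node under the app,
# and lib-a appears again under lib-c with a different child (lib-d) to exercise merging.
LIB_B = Dep("pkg:pypi/lib-b@1.0")
LIB_D = Dep("pkg:pypi/lib-d@1.0")
LIB_A_UNDER_APP = Dep("pkg:pypi/lib-a@1.0", [LIB_B])
LIB_A_UNDER_C = Dep("pkg:pypi/lib-a@1.0", [LIB_D])
LIB_C = Dep("pkg:pypi/lib-c@1.0", [LIB_A_UNDER_C])
APP = Dep("app@1.0", [LIB_A_UNDER_APP, LIB_C])
SAMPLE_ROOTS = [APP]

if __name__ == "__main__":
    print("top-level only:", json.dumps(render_top_level_only(SAMPLE_ROOTS), indent=2))
    print("edges lost:", sorted(lost_edges(SAMPLE_ROOTS)))
    print("flattened:", json.dumps(flatten_dependency_graph(SAMPLE_ROOTS), indent=2))
```

Running it shows the top-level-only rendering producing a single node whose two dependsOn refs resolve to nothing, while the flattened list has one node per ref, with lib-a's dependsOn holding both lib-b and lib-d.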