feat(spdx): Deal with cycles in dependency relations
Circular dependency relations caused the SPDX package manager to run
into a stack overflow. Avoid this by detecting cyclic dependencies and
handling them gracefully.

Signed-off-by: Oliver Heger <oliver.heger@bosch.io>
oheger-bosch authored and sschuberth committed Oct 24, 2024
1 parent d169fae commit c9d2a49
Showing 4 changed files with 354 additions and 9 deletions.
@@ -0,0 +1,126 @@
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
created: "2020-07-23T18:30:22Z"
creators:
- "Organization: Example Inc."
- "Person: Thomas Steenbergen"
licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
description: "Awesome product created by Example Inc."
copyrightText: "Copyright (C) 2020 Example Inc."
downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
filesAnalyzed: false
homepage: "https://example.com/products/xyz"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
name: "xyz"
versionInfo: "0.1.0"
originator: "Person: Thomas Steenbergen"
- SPDXID: "SPDXRef-Package-abc-lib"
description: "Awesome library created by Example Inc."
copyrightText: "Copyright (C) 2020 Example Inc."
downloadLocation: "git+ssh://gitlab.example.com:3389/products/abc.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
filesAnalyzed: false
homepage: "https://example.com/products/abc"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
name: "abc"
versionInfo: "0.1.1"
originator: "Person: Thomas Steenbergen"
- SPDXID: "SPDXRef-Package-def-lib"
description: "Another awesome library created by Example Inc."
copyrightText: "Copyright (C) 2020 Example Inc."
downloadLocation: "git+ssh://gitlab.example.com:3389/products/def.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
filesAnalyzed: false
homepage: "https://example.com/products/def"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
name: "def"
versionInfo: "0.1.0"
originator: "Person: Thomas Steenbergen"
- SPDXID: "SPDXRef-Package-curl"
description: "A command line tool and library for transferring data with URL syntax, supporting \
HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
contributors, see the THANKS file."
downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
externalRefs:
- referenceCategory: "SECURITY"
referenceLocator: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
referenceType: "cpe23Type"
filesAnalyzed: false
homepage: "https://curl.haxx.se/"
licenseConcluded: "NOASSERTION"
licenseDeclared: "curl"
name: "curl"
versionInfo: "7.70.0"
originator: "Person: Daniel Stenberg (daniel@haxx.se)"
packageFileName: "../libs/curl"
- SPDXID: "SPDXRef-Package-openssl"
description: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the \
Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) \
protocol. The protocol implementation is based on a full-strength general purpose cryptographic \
library, which can also be used stand-alone."
copyrightText: "copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved."
downloadLocation: "git+ssh://github.com/openssl/openssl.git@e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72"
externalRefs:
- referenceCategory: "PACKAGE_MANAGER"
referenceLocator: "pkg:a-name/openssl@1.1.1g"
referenceType: "purl"
- referenceCategory: "SECURITY"
referenceLocator: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
referenceType: "cpe23Type"
filesAnalyzed: false
homepage: "https://www.openssl.org/"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0"
name: "openssl"
versionInfo: "1.1.1g"
originator: "Organization: OpenSSL Development Team"
packageFileName: "../libs/openssl"
- SPDXID: "SPDXRef-Package-zlib"
description: "zlib 1.2.11 is a general purpose data compression library."
copyrightText: "(C) 1995-2017 Jean-loup Gailly and Mark Adler"
downloadLocation: "http://zlib.net/zlib-1.2.11.tar.gz"
externalRefs:
- referenceCategory: "SECURITY"
referenceLocator: "cpe:/a:compress:zlib:1.2.11:::en-us"
referenceType: "cpe22Type"
filesAnalyzed: false
homepage: "http://zlib.net"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Zlib"
name: "zlib"
versionInfo: "1.2.11"
originator: "Person: Mark Adler, Jean-loup Gailly"
packageFileName: "../libs/zlib"
relationships:
- spdxElementId: "SPDXRef-Package-curl"
relationshipType: "TEST_DEPENDENCY_OF"
relatedSpdxElement: "SPDXRef-Package-xyz"
- spdxElementId: "SPDXRef-Package-xyz"
relationshipType: "DEPENDS_ON"
relatedSpdxElement: "SPDXRef-Package-openssl"
- spdxElementId: "SPDXRef-Package-xyz"
relationshipType: "DYNAMIC_LINK"
relatedSpdxElement: "SPDXRef-Package-curl"
- spdxElementId: "SPDXRef-Package-xyz"
relationshipType: "STATIC_LINK"
relatedSpdxElement: "SPDXRef-Package-zlib"
- spdxElementId: "SPDXRef-Package-xyz"
relationshipType: "DYNAMIC_LINK"
relatedSpdxElement: "SPDXRef-Package-abc-lib"
- spdxElementId: "SPDXRef-Package-abc-lib"
relationshipType: "DYNAMIC_LINK"
relatedSpdxElement: "SPDXRef-Package-def-lib"
- spdxElementId: "SPDXRef-Package-def-lib"
relationshipType: "DEPENDS_ON"
relatedSpdxElement: "SPDXRef-Package-xyz"
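Review bot: The only cycle in this fixture is the three-node loop xyz → abc-lib → def-lib → xyz (the DYNAMIC_LINK/DEPENDS_ON relationships at the end of the file), and it runs through the root project, so a cycle confined to library packages (for example abc-lib and def-lib pointing at each other with no edge back to xyz) and a package that relates to itself are not exercised. If the cut-off logic in the package manager keys on the root project rather than on any already-visited node, those shapes would presumably still recurse; an extra relationship pair here or a second small fixture would pin that down. SPDX documents are externally supplied input, so a document shape that still overflows the stack would abort an analysis run, which is why the extra coverage is worth having.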
@@ -0,0 +1,196 @@
---
project:
id: "SpdxDocumentFile::xyz:0.1.0"
definition_file_path: "<REPLACE_DEFINITION_FILE_PATH>"
authors:
- "Thomas Steenbergen"
declared_licenses:
- "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
declared_licenses_processed:
spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
vcs:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "<REPLACE_PATH>"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "<REPLACE_PATH>"
homepage_url: "https://example.com/products/xyz"
scopes:
- name: "default"
dependencies:
- id: "SpdxDocumentFile::abc:0.1.1"
dependencies:
- id: "SpdxDocumentFile::def:0.1.0"
dependencies:
- id: "SpdxDocumentFile::xyz:0.1.0"
- id: "SpdxDocumentFile::zlib:1.2.11"
linkage: "STATIC"
- id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
- name: "test"
dependencies:
- id: "SpdxDocumentFile::curl:7.70.0"
packages:
- id: "SpdxDocumentFile::abc:0.1.1"
purl: "pkg:generic/abc@0.1.1"
authors:
- "Thomas Steenbergen"
declared_licenses:
- "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
declared_licenses_processed:
spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
description: "Awesome library created by Example Inc."
homepage_url: "https://example.com/products/abc"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: ""
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
- id: "SpdxDocumentFile::curl:7.70.0"
purl: "pkg:generic/curl@7.70.0?download_url=https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
cpe: "cpe:2.3:a:http:curl:7.70.0:*:*:*:*:*:*:*"
authors:
- "Daniel Stenberg (daniel@haxx.se)"
declared_licenses:
- "curl"
declared_licenses_processed:
spdx_expression: "curl"
description: "A command line tool and library for transferring data with URL syntax,\
\ supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT,\
\ LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad\
\ of powerful features."
homepage_url: "https://curl.haxx.se/"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/curl"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/curl"
- id: "SpdxDocumentFile::def:0.1.0"
purl: "pkg:generic/def@0.1.0"
authors:
- "Thomas Steenbergen"
declared_licenses:
- "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
declared_licenses_processed:
spdx_expression: "Apache-2.0 AND LicenseRef-Proprietary-ExampleInc AND curl"
description: "Another awesome library created by Example Inc."
homepage_url: "https://example.com/products/def"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: ""
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/cyclic-references"
- id: "SpdxDocumentFile::zlib:1.2.11"
purl: "pkg:generic/zlib@1.2.11?download_url=http://zlib.net/zlib-1.2.11.tar.gz"
cpe: "cpe:/a:compress:zlib:1.2.11:::en-us"
authors:
- "Jean-loup Gailly"
- "Mark Adler"
declared_licenses:
- "Zlib"
declared_licenses_processed:
spdx_expression: "Zlib"
description: "zlib 1.2.11 is a general purpose data compression library."
homepage_url: "http://zlib.net"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: "http://zlib.net/zlib-1.2.11.tar.gz"
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
- id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
purl: "pkg:a-name/openssl@1.1.1g"
cpe: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
authors:
- "OpenSSL Development Team"
declared_licenses:
- "Apache-2.0"
declared_licenses_processed:
spdx_expression: "Apache-2.0"
description: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit\
\ for the Transport Layer Security (TLS) protocol formerly known as the Secure\
\ Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength\
\ general purpose cryptographic library, which can also be used stand-alone."
homepage_url: "https://www.openssl.org/"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: ""
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/openssl"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/openssl"
Expand Up @@ -207,6 +207,17 @@ class SpdxDocumentFileFunTest : WordSpec({
result.toYaml() should matchExpectedResult(expectedResultFile, definitionFile)
}
}

"handle cycles in dependencies gracefully" {
val definitionFile = projectDir.resolve("cyclic-references/project-cyclic.spdx.yml")
val expectedResultFile = getAssetFile(
"projects/synthetic/spdx-project-cyclic-expected-output.yml"
)

val actualResult = create("SpdxDocumentFile").resolveSingleProject(definitionFile).toYaml()

actualResult should matchExpectedResult(expectedResultFile, definitionFile)
}
}

"mapDefinitionFiles()" should {
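Review bot: The test name promises "gracefully" but nothing in the test says what that means; the expected-output asset emits the repeated node `SpdxDocumentFile::xyz:0.1.0` as a childless leaf under `def`, so a one-line comment above the `actualResult` line would make the contract explicit, e.g. `// The cycle xyz -> abc -> def -> xyz is cut at the first repeated package, which appears as a leaf.` The local is named `actualResult` whereas the neighbouring test at the top of the hunk uses `result`; keeping `result` would match the surrounding style, and the `getAssetFile(...)` call fits on one line. The enclosing WordSpec block starts and ends outside the hunk.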
