Capture the dependency graph in CycloneDX BOMs #3906
Comments
Hey, we really would like to see that this feature gets implemented.

While CycloneDX's `Dependency` data structure would allow for a nested graph approach, [1] says that "Graphs with one node of depth are recommended", so each `Dependency` entry only lists its own respective direct dependencies.

Resolves #3906.

[1]: https://cyclonedx.org/use-cases/#dependency-graph

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
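To make the "one node of depth" shape concrete, here is an added example (not code from ORT or from anyone in this thread) that flattens a constructed, cyclic dependency map into the CycloneDX `dependencies` array described above, where every entry lists only its direct dependencies. It walks the graph iteratively with a visited set, so a cycle terminates instead of recursing without bound; the sample package URLs, the `SAMPLE_TREE` map and all function names are assumptions for this illustration.

```python
"""Flatten a nested dependency map into CycloneDX-style one-level `dependencies` entries."""
import json
from collections import deque

# Constructed sample input (not from any real project): package -> direct dependencies.
# b depends back on a, so a naive recursive walk would never terminate.
SAMPLE_TREE = {
    "pkg:maven/example/app@1.0": ["pkg:maven/example/a@1.0", "pkg:maven/example/c@2.0"],
    "pkg:maven/example/a@1.0": ["pkg:maven/example/b@1.0"],
    "pkg:maven/example/b@1.0": ["pkg:maven/example/a@1.0"],  # cycle back to a
    "pkg:maven/example/c@2.0": [],
}


def flatten_dependencies(root, tree):
    """Return the CycloneDX `dependencies` array for everything reachable from `root`.

    Each entry carries one `ref` and its direct `dependsOn` refs only; transitive
    structure is recovered by following refs between entries.  Breadth-first with a
    visited set, so cyclic input (as in SAMPLE_TREE) terminates and uses no recursion.
    """
    seen = {root}
    queue = deque([root])
    entries = []
    while queue:
        ref = queue.popleft()
        direct = tree.get(ref, [])
        entries.append({"ref": ref, "dependsOn": sorted(set(direct))})
        for dep in direct:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return entries


def graph_is_closed(entries):
    """Check that every ref named in some `dependsOn` has its own entry.

    A consumer (e.g. a vulnerability scanner) that follows refs must not hit a dangling
    one, so a well-formed one-level graph is closed under `dependsOn`.
    """
    known = {e["ref"] for e in entries}
    return all(dep in known for e in entries for dep in e["dependsOn"])


def nest_recursive(ref, tree):
    """Naive nested-graph builder with no cycle handling, kept here only to show the
    failure mode: on cyclic input it raises RecursionError (a Kotlin/JVM equivalent
    would fail with a StackOverflowError)."""
    return {"ref": ref, "dependsOn": [nest_recursive(d, tree) for d in tree.get(ref, [])]}


def recursion_fails_on_cycle(root, tree):
    """True if the naive recursive builder blows the stack on `tree`."""
    try:
        nest_recursive(root, tree)
    except RecursionError:
        return True
    return False


def bom_fragment(root, tree):
    """Assemble the `dependencies` section as it would appear in a CycloneDX JSON BOM."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "dependencies": flatten_dependencies(root, tree)}


if __name__ == "__main__":
    root = "pkg:maven/example/app@1.0"
    print(json.dumps(bom_fragment(root, SAMPLE_TREE), indent=2))
    print("closed:", graph_is_closed(flatten_dependencies(root, SAMPLE_TREE)))
    print("naive recursion overflows:", recursion_fails_on_cycle(root, SAMPLE_TREE))
```

Running the module prints the flattened `dependencies` array for the sample and shows that the same input makes the naive recursive builder overflow, which is the behaviour the stack-overflow report further down this thread is about.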
@sschuberth: Thanks for your work. Unfortunately I get a stack overflow error with ort v43.0.0 - maybe because of a lot of definition files?
Same issue with 16 GiB RAM:

Even large dependency trees should not cause a stack overflow; if size was a problem I would expect an out of memory error.

I was quite sure that the dependency graph implementation breaks cycles, but I'll double-check.
So when (see `ort/model/src/main/kotlin/utils/DependencyGraphBuilder.kt`, lines 176 to 189 at dcc97a0)

But I'm not sure how it is for package managers that have not been converted yet, and that use a graph that is just converted from the tree... @mawl which package managers does the analyzer find in your case?
It's a test CI job where we have collected show cases for different scenarios and issues in the past. There are "14 files defining 977 unique dependencies within 11 scopes and 22 dependency levels." I will write unique test jobs for the package managers mentioned above, to find out in which package manager it occurs.

Out of these, GoMod, NuGet and PIP / PNPM / Poetry do not use the dependency graph yet. Probably a good reason to continue working on #3825.

Anyway, please direct any further comments to #9587.
Since the CycloneDX 1.2 spec, the dependency graph moved from an extension to a core feature. So after #3897 is merged, we could make use of it as the hierarchy of dependencies is valuable additional information.