Fix metadata tools components #304
Signed-off-by: andreas hilti <andreas.hilti@bluewin.ch>
40735fb to 59a2da3
@@ -230,6 +236,22 @@ public static Bom HierarchicalMerge(IEnumerable<Bom> boms, Component bomSubject) | |||
{ | |||
result.Metadata.Tools.Tools.AddRange(bom.Metadata.Tools.Tools); | |||
} | |||
if (bom.Metadata?.Tools?.Components?.Count > 0) |
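Review bot: The branch opened by `if (bom.Metadata?.Tools?.Components?.Count > 0)` has to keep bom-ref values unique in the merged result, and the context line just above it merges the legacy tools with a plain `AddRange`. If the tool components are appended the same way, two input BOMs that declare the same tool put two entries with an identical bom-ref into one document. Suggest rewriting each tool component's bom-ref with the owning BOM's subject before adding it, and adding a test that merges two BOMs carrying the same tool bom-ref and asserts the refs in the result are distinct. Only the condition is visible in this excerpt, so the same point applies to tool services if the rest of the hunk handles them.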
How should components/services in the tools be handled for a hierarchical merge?
Should they be flat merged or namespaced?
(At the moment, I just append, which can lead to duplicates.)
Just to make sure: What exactly do you mean by "namespaced"?
What I mean is the following:
Let's say you have this tool in both BOMs that you merge:
{
  "bom-ref": "tool1",
  "type": "application",
  "name": "tool1",
  "version": "1"
}
What should be the resulting tools?
What I meant with "flat merge" is: there would be a single tool exactly as above.
What I meant with "namespaced" is: there would be two tools, one with a bom-ref "thing1@tool1" and the other with "thing2@tool1" (if thing1 and thing2 are the main components of the two merged BOMs).
(The problem with the flat merge is that if two different tools happen to use the same bom-ref, this will invalidate the uniqueness of the bom-ref in the merged BOM.)
As I understand it, the components themselves are also namespaced in hierarchical merges, so it only makes sense to apply the same logic to tool-components.
I have adapted it.
Compare also #280.
Helps to address: CycloneDX/cyclonedx-cli#371
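
The three outcomes discussed in the review thread (plain append, flat merge, namespaced merge) side by side, as an added C# example that is not code from this pull request or from the CycloneDX library. The `Tool` and `InputBom` records and the `ToolMerge` helpers are hypothetical stand-ins, and the sample BOMs are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for this example, not the CycloneDX library's model classes.
record Tool(string BomRef, string Name, string Version);
record InputBom(string Subject, List<Tool> Tools);

static class ToolMerge
{
    // Flat merge: identical entries collapse to one; a bom-ref shared by two different tools is rejected.
    public static List<Tool> Flat(IEnumerable<InputBom> boms)
    {
        var byRef = new Dictionary<string, Tool>();
        foreach (var tool in boms.SelectMany(b => b.Tools))
        {
            if (byRef.TryGetValue(tool.BomRef, out var seen) && seen != tool)
                throw new InvalidOperationException($"bom-ref '{tool.BomRef}' names two different tools");
            byRef[tool.BomRef] = tool;
        }
        return byRef.Values.ToList();
    }

    // Namespaced merge: every bom-ref is prefixed with the subject of the BOM it came from.
    // Assumes subject names differ between inputs and refs are unique within each input.
    public static List<Tool> Namespaced(IEnumerable<InputBom> boms) =>
        boms.SelectMany(b => b.Tools.Select(t => t with { BomRef = $"{b.Subject}@{t.BomRef}" })).ToList();

    public static bool RefsUnique(IEnumerable<Tool> tools) =>
        tools.GroupBy(t => t.BomRef).All(g => g.Count() == 1);
}

static class Program
{
    static void Main()
    {
        // Constructed sample input: thing1 and thing2 share a tool, thing3 reuses the ref for another tool.
        var a = new InputBom("thing1", new List<Tool> { new Tool("tool1", "tool1", "1") });
        var b = new InputBom("thing2", new List<Tool> { new Tool("tool1", "tool1", "1") });
        var c = new InputBom("thing3", new List<Tool> { new Tool("tool1", "other-tool", "7") });
        var appended = new[] { a, b }.SelectMany(x => x.Tools).ToList();
        Console.WriteLine($"append: {appended.Count} tools, unique refs: {ToolMerge.RefsUnique(appended)}");
        Console.WriteLine($"flat: {ToolMerge.Flat(new[] { a, b }).Count} tool(s)");
        var ns = ToolMerge.Namespaced(new[] { a, b, c });
        var refs = string.Join(", ", ns.Select(t => t.BomRef));
        Console.WriteLine($"namespaced: {refs}; unique refs: {ToolMerge.RefsUnique(ns)}");
        try { ToolMerge.Flat(new[] { a, c }); }
        catch (InvalidOperationException e) { Console.WriteLine($"flat collision: {e.Message}"); }
    }
}
```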