work to get (de-)serialization working for Dependencies given CycloneDX/specification#146

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/model/dependency.py

@@ -18,7 +18,7 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 from abc import ABC, abstractmethod
-from typing import Any, Iterable, Optional, Set
+from typing import Any, Iterable, List, Optional, Set
 
 import serializable
 from sortedcontainers import SortedSet
@@ -29,6 +29,24 @@
 from .bom_ref import BomRef
 
 
+class DependencyDependencies(serializable.BaseHelper):  # type: ignore
+
+    @classmethod
+    def serialize(cls, o: object) -> List[str]:
+        if isinstance(o, SortedSet):
+            return list(map(lambda i: str(i.ref), o))
+
+        raise ValueError(f'Attempt to serialize a non-Dependency: {o.__class__}')
+
+    @classmethod
+    def deserialize(cls, o: object) -> Set["Dependency"]:
+        dependencies: Set["Dependency"] = set()
+        if isinstance(o, list):
+            for v in o:
+                dependencies.add(Dependency(ref=BomRef(value=v)))
+        return dependencies
+
+
 @serializable.serializable_class
 class Dependency:
     """
@@ -54,6 +72,7 @@ def ref(self, ref: BomRef) -> None:
 
     @property  # type: ignore[misc]
     @serializable.json_name('dependsOn')
+    @serializable.type_mapping(DependencyDependencies)
     @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, 'dependency')
     def dependencies(self) -> "SortedSet[Dependency]":
         return self._dependencies

poetry.lock

@@ -48,7 +48,7 @@ keywords = [
 python = "^3.7"
 importlib-metadata = { version = ">= 3.4", python = "< 3.8" }
 packageurl-python = ">= 0.9"
-py-serializable = "^0.9.2"
+py-serializable = "^0.10.0"
 setuptools = ">= 47.0.0"
 toml = "^0.10.0"
 sortedcontainers = "^2.4.0"

pyproject.toml

@@ -2,7 +2,7 @@
 # see pyptoject file for ranges
 
 packageurl-python == 0.9.0
-py-serializable == 0.9.2
+py-serializable == 0.10.0
 importlib-metadata == 3.4.0 # ; python_version < '3.8'
 setuptools == 47.0.0
 types-setuptools == 57.0.0

requirements.lowest.txt

@@ -120,15 +120,15 @@ def get_bom_with_component_setuptools_with_release_notes() -> Bom:
 
 def get_bom_with_dependencies_valid() -> Bom:
     c1 = get_component_setuptools_simple()
-    return Bom(components=[
-        c1,
-        get_component_toml_with_hashes_with_references()
-    ], dependencies=[
-        Dependency(ref=c1.bom_ref, dependencies=[
-            Dependency(ref=get_component_toml_with_hashes_with_references().bom_ref)
-        ]),
-        Dependency(ref=get_component_toml_with_hashes_with_references().bom_ref)
-    ])
+    c2 = get_component_toml_with_hashes_with_references()
+    return Bom(
+        components=[c1, c2], dependencies=[
+            Dependency(ref=c1.bom_ref, dependencies=[
+                Dependency(ref=c2.bom_ref)
+            ]),
+            Dependency(ref=c2.bom_ref)
+        ]
+    )
 
 
 def get_bom_with_dependencies_invalid() -> Bom:

tests/data.py

@@ -57,8 +57,7 @@
       ]
     },
     {
-      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
-      "dependsOn": []
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
     }
   ]
 }

tests/fixtures/json/1.2/bom_dependencies.json

@@ -57,8 +57,7 @@
       ]
     },
     {
-      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
-      "dependsOn": []
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
     }
   ]
 }

tests/fixtures/json/1.2/bom_dependencies_component.json

@@ -51,8 +51,7 @@
       ]
     },
     {
-      "ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda",
-      "dependsOn": []
+      "ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda"
     },
     {
       "ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857",
@@ -61,8 +60,7 @@
       ]
     },
     {
-      "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789",
-      "dependsOn": []
+      "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789"
     }
   ]
 }

tests/fixtures/json/1.2/bom_issue_275_components.json

@@ -63,8 +63,7 @@
       ]
     },
     {
-      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
-      "dependsOn": []
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
     }
   ]
 }

tests/fixtures/json/1.3/bom_dependencies.json

@@ -63,8 +63,7 @@
       ]
     },
     {
-      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
-      "dependsOn": []
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
     }
   ]
 }

tests/fixtures/json/1.3/bom_dependencies_component.json

@@ -51,8 +51,7 @@
       ]
     },
     {
-      "ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda",
-      "dependsOn": []
+      "ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda"
     },
     {
       "ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857",
@@ -61,8 +60,7 @@
       ]
     },
     {
-      "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789",
-      "dependsOn": []
+      "ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789"
     }
   ]
 }

tests/fixtures/json/1.3/bom_issue_275_components.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:93b888f9-e5a3-4e72-85ac-12dae1fb1ba8",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "metadata": {
-    "timestamp": "2023-01-07T13:45:58.745228+00:00",
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
     "tools": [
       {
         "vendor": "CycloneDX",

tests/fixtures/json/1.4/bom_dependencies.json

@@ -97,8 +97,7 @@
       ]
     },
     {
-      "ref": "pkg:pypi/[email protected]?extension=tar.gz",
-      "dependsOn": []
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
     }
   ]
 }