Status: Closed
Labels: bug (Something isn't working)
Description
I am not sure if this is a bug or just a misunderstanding of how Component nesting and Dependencies interact.
I have a nested BOM with multiple components that also declare dependencies between each other along the nesting hierarchy, like in the code below. An example of such a structure would be some framework with multiple applications that have dependencies on a bunch of 3rd party libraries.
```python
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component
from cyclonedx.output import get_instance, OutputFormat, SchemaVersion

bom = Bom()
a = Component(name='A', version='0.1')
b = Component(name='B', version='1.0')
c = Component(name='C', version='1.0')

# Make a tree of components A -> B -> C
b.components = [c]
a.components = [b]

# Declare dependencies the same way
b.dependencies = [c.bom_ref]
a.dependencies = [b.bom_ref]

bom.components = [a]

inst = get_instance(
    bom=bom,
    output_format=OutputFormat["XML"],
    schema_version=SchemaVersion["V1_4"],
)
inst.output_to_file("bom.xml")
```

This results in the following XML output (for components and dependencies):
```xml
<components>
  <component type="library" bom-ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
    <name>A</name>
    <version>0.1</version>
    <components>
      <component type="library" bom-ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c">
        <name>B</name>
        <version>1.0</version>
        <components>
          <component type="library" bom-ref="742e60fa-19f5-4dff-ac94-69c5d9a28e91">
            <name>C</name>
            <version>1.0</version>
          </component>
        </components>
      </component>
    </components>
  </component>
</components>
<dependencies>
  <dependency ref="94768548-3a6b-4bb4-a3c2-db26327b0439">
    <dependency ref="285caf07-c4f6-4652-ae7d-39bc53b3a10c" />
  </dependency>
</dependencies>
```

The dependency of B on C is dropped in the serialization.
I would have expected the serialization to preserve the dependencies of the nested components as well.
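A consumer-side check that flags exactly this kind of gap, added here as an example (it is neither the issue author's code nor part of cyclonedx-python-lib): it walks the nested `<components>` tree of a CycloneDX 1.4 XML BOM and reports every component that has no top-level `<dependency>` entry of its own (which the spec treats as "dependencies unknown"), plus any `ref` that points at no component. The `ref-A`/`ref-B`/`ref-C` bom-refs and the `<bom>` wrapper are constructed stand-ins for the UUIDs in the output above.

```python
import xml.etree.ElementTree as ET

CDX = "http://cyclonedx.org/schema/bom/1.4"

# Constructed sample: the output from the report, with readable bom-refs and a <bom> root.
SAMPLE_BOM = f"""<bom xmlns="{CDX}" version="1">
  <components>
    <component type="library" bom-ref="ref-A"><name>A</name><version>0.1</version>
      <components>
        <component type="library" bom-ref="ref-B"><name>B</name><version>1.0</version>
          <components>
            <component type="library" bom-ref="ref-C"><name>C</name><version>1.0</version></component>
          </components>
        </component>
      </components>
    </component>
  </components>
  <dependencies>
    <dependency ref="ref-A"><dependency ref="ref-B"/></dependency>
  </dependencies>
</bom>"""


def component_refs(root):
    """bom-refs of every <component>, however deeply it is nested."""
    return {c.get("bom-ref") for c in root.iter(f"{{{CDX}}}component") if c.get("bom-ref")}


def dependency_graph(root):
    """Map each top-level <dependency ref="..."> to the set of refs it depends on."""
    graph = {}
    deps = root.find(f"{{{CDX}}}dependencies")
    for node in ([] if deps is None else deps.findall(f"{{{CDX}}}dependency")):
        graph[node.get("ref")] = {child.get("ref") for child in node.findall(f"{{{CDX}}}dependency")}
    return graph


def audit_dependency_graph(xml_text):
    """Report components whose dependencies are unknown and refs that match no component."""
    root = ET.fromstring(xml_text)
    comps = component_refs(root)
    graph = dependency_graph(root)
    referenced = set(graph).union(*graph.values())
    return {
        # no top-level entry: the BOM says nothing about what this component depends on
        "unknown_dependencies": sorted(comps - set(graph)),
        # used in the graph but declared nowhere as a component
        "dangling_refs": sorted(referenced - comps),
    }


if __name__ == "__main__":
    print(audit_dependency_graph(SAMPLE_BOM))
```

For the sample this reports B and C as having unknown dependencies, which is the observable symptom of the dropped nested edge.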