Change ingestion to use Protobom

- Changed ingestion to use Protobom - Made the visualizer easier to understand
bitbomdev · Aug 21, 2024 · a9e4d5b · a9e4d5b
1 parent f743b5c
commit a9e4d5b
Show file tree

Hide file tree

Showing 4 changed files with 133 additions and 62 deletions.
diff --git a/go.mod b/go.mod
@@ -3,13 +3,13 @@ module github.com/bit-bom/minefield
 go 1.22.5
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.9.0
 	github.com/RoaringBitmap/roaring v1.9.4
 	github.com/go-echarts/go-echarts/v2 v2.4.1
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/google/go-cmp v0.6.0
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/package-url/packageurl-go v0.1.3
+	github.com/protobom/protobom v0.4.3
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0
 	go.uber.org/fx v1.22.2
@@ -22,19 +22,23 @@ require (
 )
 
 require (
+	github.com/CycloneDX/cyclonedx-go v0.9.0 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/mschoch/smat v0.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.12.0 // indirect
+	github.com/sirupsen/logrus v1.9.3 // indirect
+	github.com/spdx/tools-golang v0.5.4 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
 	go.uber.org/dig v1.18.0 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
+	sigs.k8s.io/release-utils v0.8.2 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -2,15 +2,19 @@ github.com/CycloneDX/cyclonedx-go v0.9.0 h1:inaif7qD8bivyxp7XLgxUYtOXWtDez7+j72q
 github.com/CycloneDX/cyclonedx-go v0.9.0/go.mod h1:NE/EWvzELOFlG6+ljX/QeMlVt9VKcTwu8u0ccsACEsw=
 github.com/RoaringBitmap/roaring v1.9.4 h1:yhEIoH4YezLYT04s1nHehNO64EKFTop/wBhxv2QzDdQ=
 github.com/RoaringBitmap/roaring v1.9.4/go.mod h1:6AXUsoIEzDTFFQCe1RbGA6uFONMhvejWj5rqITANK90=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
+github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 h1:6COpXWpHbhWM1wgcQN95TdsmrLTba8KQfPgImBXzkjA=
+github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/bits-and-blooms/bitset v1.13.0 h1:bAQ9OPNFYbGHV6Nez0tmNI0RiEu7/hxlYJRUA0wFAVE=
 github.com/bits-and-blooms/bitset v1.13.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -22,8 +26,11 @@ github.com/go-echarts/go-echarts/v2 v2.4.1 h1:imBFGngJ9zv/2zJVjK3k0uLL+LzyPDgzeV
 github.com/go-echarts/go-echarts/v2 v2.4.1/go.mod h1:56YlvzhW/a+du15f3S2qUGNDfKnFOeJSThBIrVFHDtI=
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@@ -44,21 +51,30 @@ github.com/onsi/gomega v1.18.1 h1:M1GfJqGRrBrrGGsbxzV5dqM2U2ApXefZCQpkukxYRLE=
 github.com/onsi/gomega v1.18.1/go.mod h1:0q+aL8jAiMXy9hbwj2mr5GziHiwhAIQpFmmtT5hitRs=
 github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
 github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/protobom/protobom v0.4.3 h1:Z1oig/zVUNg1FK/cDqW9MFGdT0thd12FvcX6t8jUUH8=
+github.com/protobom/protobom v0.4.3/go.mod h1:Ky6/lq6BIcVGYCzLHZQTOunX1OiF5W9fPjgrok095VQ=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
+github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
+github.com/spdx/tools-golang v0.5.4 h1:fRW4iz16P1ZCUtWStFqS6YiMgnK7WgfTFU/lrsYlvqY=
+github.com/spdx/tools-golang v0.5.4/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
@@ -81,10 +97,13 @@ go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
 go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781 h1:DzZ89McO9/gWPsQXS/FVKAlG02ZjaQ6AlZRBimEYOd0=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
 golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
+google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -95,3 +114,6 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+sigs.k8s.io/release-utils v0.8.2 h1:BKCKabsVkxy/rTRdPeH2t/v2NSU8tMt0fYIWby3hxKQ=
+sigs.k8s.io/release-utils v0.8.2/go.mod h1:u2Si4cUBWo2KBAL+7WB8d/HtwgqgssDAHepYu5+dpQY=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/pkg/graph/visualizer.go b/pkg/graph/visualizer.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"math"
 	"math/rand"
 	"net/http"
 	"time"
@@ -87,7 +88,15 @@ func graphQuery(storage Storage, ids *roaring.Bitmap, query string) (*charts.Gra
 		}
 		if !alreadyCreatedNodes.Contains(id) {
 			alreadyCreatedNodes.Add(id)
-			nodes = append(nodes, opts.GraphNode{SymbolSize: int(max(10, float64(connections)*1.5)), Name: node.Name, ItemStyle: &opts.ItemStyle{Color: "#42b0f5"}, X: float32(rand.Intn(100000)), Y: float32(rand.Intn(100000))})
+			symbolSize := calculateSymbolSize(connections)
+			color := getColorForSize(symbolSize)
+			nodes = append(nodes, opts.GraphNode{
+				SymbolSize: symbolSize,
+				Name:       node.Name,
+				ItemStyle:  &opts.ItemStyle{Color: color},
+				X:          float32(rand.Intn(100000)),
+				Y:          float32(rand.Intn(100000)),
+			})
 		}
 
 	}
@@ -146,3 +155,52 @@ func graphQuery(storage Storage, ids *roaring.Bitmap, query string) (*charts.Gra
 	fmt.Printf("Number of links: %d\n", len(links))
 	return graph, nil
 }
+
+func getColorForSize(size int) string {
+	// Map size to a value between 0 and 1
+	t := math.Max(0, math.Min(1, float64(size-10)/50)) // Clamp t between 0 and 1
+
+	// Define color stops (muted versions)
+	colors := []struct{ r, g, b uint8 }{
+		{139, 0, 0},     // Dark red (smallest nodes)
+		{165, 42, 42},   // Brown
+		{178, 34, 34},   // Firebrick
+		{205, 92, 92},   // Indian red
+		{210, 105, 30},  // Chocolate
+		{205, 133, 63},  // Peru
+		{210, 105, 30},  // Muted orange (middle nodes)
+		{188, 143, 143}, // Rosy brown
+		{199, 21, 133},  // Medium violet red
+		{186, 85, 211},  // Medium orchid (replacing Pale violet red)
+		{255, 20, 147},  // Deep pink (largest nodes)
+	}
+
+	// Find the two colors to interpolate between
+	i := int(t * float64(len(colors)-1))
+	i = int(math.Min(float64(len(colors)-2), float64(i))) // Ensure i is within bounds
+
+	c1, c2 := colors[i], colors[i+1]
+
+	// Interpolate between the two colors
+	f := t*float64(len(colors)-1) - float64(i)
+	r := uint8(float64(c1.r)*(1-f) + float64(c2.r)*f)
+	g := uint8(float64(c1.g)*(1-f) + float64(c2.g)*f)
+	b := uint8(float64(c1.b)*(1-f) + float64(c2.b)*f)
+
+	return fmt.Sprintf("rgb(%d, %d, %d)", r, g, b)
+}
+
+func calculateSymbolSize(connections int) int {
+	if connections == 0 {
+		return 5 // Minimum size for nodes with no connections
+	}
+	// Use logarithmic scale to compress the range
+	logSize := math.Log1p(float64(connections)) // log(x+1) to handle 0 connections
+	// Map the log value to a range between 8 and 80
+	minSize := 8.0
+	maxSize := 80.0
+	maxLogConnections := math.Log1p(1000) // Adjust this based on your max expected connections
+	scaledSize := minSize + math.Pow(logSize/maxLogConnections, 1.5)*(maxSize-minSize)
+	return int(math.Round(scaledSize))
+	// return max(20, connections)
+}
diff --git a/pkg/tools/ingest/sbom.go b/pkg/tools/ingest/sbom.go
@@ -6,11 +6,11 @@ import (
 	"os"
 	"path/filepath"
 
-	cdx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/bit-bom/minefield/pkg/graph"
+	"github.com/protobom/protobom/pkg/reader"
 )
 
-// IngestSBOM ingests a SBOM file or directory into the storages backend.
+// SBOM ingests a SBOM file or directory into the storage backend.
 func SBOM(sbomPath string, storage graph.Storage) error {
 	info, err := os.Stat(sbomPath)
 	if err != nil {
@@ -40,63 +40,34 @@ func processSBOMFile(filePath string, storage graph.Storage) error {
 		return fmt.Errorf("file path is empty")
 	}
 
-	_, err := os.Stat(filePath)
-	if err != nil {
-		return fmt.Errorf("failed to stat file %s: %w", filePath, err)
-	}
-
 	file, err := os.Open(filePath)
 	if err != nil {
-		return err
-	}
-	defer file.Close()
-
-	bom := new(cdx.BOM)
-	decoder := cdx.NewBOMDecoder(file, cdx.BOMFileFormatJSON)
-	if err = decoder.Decode(bom); err != nil {
-		return fmt.Errorf("failed to decode BOM: %w", err)
-	}
-
-	if bom.Metadata == nil || bom.Metadata.Component == nil {
-		return nil
+		return fmt.Errorf("failed to open file %s: %w", filePath, err)
 	}
-	mainBomNodes := []cdx.Component{*bom.Metadata.Component}
-
-	stack := []cdx.Component{*bom.Metadata.Component}
 
-	for len(stack) > 0 {
-		comp := stack[0]
-		stack = stack[1:]
+	// Create a new protobom reader
+	r := reader.New()
 
-		if comp.Components != nil && len(*comp.Components) > 0 {
-			stack = append(stack, *comp.Components...)
-			mainBomNodes = append(mainBomNodes, *comp.Components...)
-		}
+	// Parse the SBOM file
+	document, err := r.ParseFile(filePath)
+	if err != nil {
+		return fmt.Errorf("failed to parse SBOM file %s: %w", filePath, err)
 	}
 
-	var mainPurls []string
-
-	for _, mainBomNode := range mainBomNodes {
-		mainPurl := fmt.Sprintf("pkg:generic/%s", mainBomNode.Name)
-
-		mainPurls = append(mainPurls, mainPurl)
+	// Get the node list from the document
+	nodeList := document.GetNodeList()
+	if nodeList == nil {
+		return nil
 	}
 
-	var mainGraphNodes []*graph.Node
+	// Process each node in the SBOM
 
-	for i := range mainPurls {
-		mainGraphNode, err := graph.AddNode(storage, "library", bom, mainPurls[i])
-		if err != nil {
-			return fmt.Errorf("failed to parse SBOM file %s: %w", filePath, err)
-		}
-		mainGraphNodes = append(mainGraphNodes, mainGraphNode)
-	}
-
-	for _, node := range *bom.Components {
+	nameToId := map[string]uint32{}
 
-		purl := fmt.Sprintf("pkg:generic/%s", node.Name)
+	for _, node := range nodeList.GetNodes() {
+		purl := fmt.Sprintf("pkg:generic/%s", node.GetName())
 
-		graphNode, err := graph.AddNode(storage, "library", any(node), purl)
+		graphNode, err := graph.AddNode(storage, "library", file, purl)
 		if err != nil {
 			if errors.Is(err, graph.ErrNodeAlreadyExists) {
 				// TODO: Add a logger
@@ -106,13 +77,29 @@ func processSBOMFile(filePath string, storage graph.Storage) error {
 			return fmt.Errorf("failed to add node: %w", err)
 		}
 
-		for _, mainGraphNode := range mainGraphNodes {
-			if mainGraphNode.ID == graphNode.ID {
-				continue
+		nameToId[node.Id] = graphNode.ID
+	}
+
+	for _, edge := range nodeList.Edges {
+
+		fromNode, err := storage.GetNode(nameToId[edge.From])
+		if err != nil {
+			return fmt.Errorf("failed to get from node %s: %w", edge.From, err)
+		}
+
+		for _, to := range edge.To {
+
+			toNode, err := storage.GetNode(nameToId[to])
+			if err != nil {
+				return fmt.Errorf("failed to to get node %s: %w", edge.To, err)
 			}
-			if err := mainGraphNode.SetDependency(storage, graphNode); err != nil {
-				return fmt.Errorf("failed to add dependencies: %w", err)
+
+			if fromNode.ID != toNode.ID {
+				if err := fromNode.SetDependency(storage, toNode); err != nil {
+					return fmt.Errorf("failed to add edge %s -> %s: %w", edge.From, to, err)
+				}
 			}
+
 		}
 	}