Merge pull request #114 from nikstur/vendored-deps-deduplication

Deduplicate components from vendored SBOMs
nikstur · Jul 12, 2024 · 65133f7 · 65133f7
2 parents ac7458f + e3ca2d8
commit 65133f7
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/flake.nix b/flake.nix
@@ -79,7 +79,7 @@
             nativeCheckInputs = (previousAttrs.nativeCheckInputs or [ ]) ++ [ pkgs.rustfmt ];
             checkPhase = "cargo fmt --check";
           });
-        } // import ./nix/tests { inherit pkgs buildBom; };
+        } // import ./nix/tests { inherit pkgs buildBom passthruVendoredSbom; };
 
         pre-commit = {
           check.enable = true;

diff --git a/nix/tests/default.nix b/nix/tests/default.nix
@@ -1,8 +1,11 @@
 { pkgs
 , buildBom
+, passthruVendoredSbom
 }:
 
 let
+  rustPassthru = pkg: pkgs.callPackage (passthruVendoredSbom.rust pkg) { };
+
   buildtimeOptions = { includeBuildtimeDependencies = true; };
 
   # This list cannot grow indefinitely because building a Bom requires all
@@ -24,6 +27,9 @@ let
 
     { name = "git-extra-paths"; drv = git; options = { extraPaths = [ poetry ]; }; }
     { name = "git-extra-paths-buildtime"; drv = git; options = buildtimeOptions // { extraPaths = [ poetry ]; }; }
+
+    { name = "cloud-hypervisor"; drv = rustPassthru cloud-hypervisor; options = { }; }
+    { name = "cloud-hypervisor"; drv = rustPassthru cloud-hypervisor; options = buildtimeOptions; }
   ];
 
   cycloneDxSpec = pkgs.fetchFromGitHub {

diff --git a/rust/transformer/src/cyclonedx.rs b/rust/transformer/src/cyclonedx.rs
@@ -1,3 +1,4 @@
+use std::collections::BTreeMap;
 use std::convert::Into;
 use std::fs;
 use std::path::Path;
@@ -84,15 +85,35 @@ impl CycloneDXComponents {
 
     /// Extend the `Components` with components read from multiple BOMs inside a directory.
     pub fn extend_from_directory(&mut self, path: impl AsRef<Path>) -> Result<()> {
+        let mut m = BTreeMap::new();
+
+        // Insert the components from the original SBOM
+        for component in self.0 .0.clone() {
+            let key = component
+                .bom_ref
+                .clone()
+                .unwrap_or_else(|| component.name.to_string());
+            m.entry(key).or_insert(component);
+        }
+
+        // Add the components from the vendored SBOMs
         for entry in fs::read_dir(&path)
             .with_context(|| format!("Failed to read {:?}", path.as_ref()))?
             .flatten()
         {
             let bom = CycloneDXBom::from_file(entry.path())?;
-            if let Some(component) = bom.components() {
-                self.0 .0.extend(component.0);
+            if let Some(components) = bom.components() {
+                for component in components.0 {
+                    let key = component
+                        .bom_ref
+                        .clone()
+                        .unwrap_or_else(|| component.name.to_string());
+                    m.entry(key).or_insert(component);
+                }
             }
         }
+
+        self.0 .0 = m.into_values().collect();
         Ok(())
     }
 }