Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(cyclonedx): Avoid a StackOverflowError due to dependency cycles #9591

Merged
merged 1 commit into from
Dec 12, 2024
Merged

fix(cyclonedx): Avoid a StackOverflowError due to dependency cycles #9591

merged 1 commit into from
Dec 12, 2024
+15 −3

Conversation

sschuberth
Copy link
Member

Fixes #9587.

@sschuberth sschuberth requested a review from a team as a code owner December 12, 2024 10:08
@sschuberth sschuberth enabled auto-merge (rebase) December 12, 2024 10:08
@codecov Codecov
Copy link

codecov bot commented Dec 12, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.03%. Comparing base (32ab460) to head (cdfd561).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main    #9591   +/-   ##
=========================================
  Coverage     68.03%   68.03%           
  Complexity     1285     1285           
=========================================
  Files           249      249           
  Lines          8826     8826           
  Branches        920      920           
=========================================
  Hits           6005     6005           
  Misses         2432     2432           
  Partials        389      389
Flag Coverage Δ
test 35.81% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

fviernau
fviernau previously requested changes Dec 12, 2024
View reviewed changes
plugins/reporters/cyclonedx/src/main/kotlin/BomExtensions.kt
@@ -64,7 +73,7 @@ internal fun Bom.addDependencies(input: ReporterInput, parentRef: String, ids: S

ids.forEach { id ->
val directDependencies = input.ortResult.getDependencies(id, maxLevel = 1, omitExcluded = true)
addDependencies(input, id.toCoordinates(), directDependencies)
addDependencies(input, id.toCoordinates(), directDependencies, visited)
Copy link
Member

@fviernau fviernau Dec 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I lack a bit of understanding of the dependency graph, e.g. what a parentRef actually is.
However, can you help understand whether this really only removes cycles or does remove more?

In particular, I'm not sure if visiting a ref in one branch of the tree has effects on another independent e.g. sibling branch of the tree, roughly speaking. (There are recursive calls but all use the same mutable set instead of a copy of it).

Copy link
Member Author

@sschuberth sschuberth Dec 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I lack a bit of understanding of the dependency graph, e.g. what a parentRef actually is.

Please check the CycloneDX docs. The "parent" prefix was my choice, but parentRef is what gets serialized as ref, i.e. it is the thing the following dependencies apply to.

In particular, I'm not sure if visiting a ref in one branch of the tree has effects on another independent e.g. sibling branch of the tree, roughly speaking.

The dependency information in CycloneDX is very simple: As it's recorded directly under the document root, it cannot handle cases where the same "parent" might have different dependencies depending on the branch in the graph, or on the scope of the same project.

So the condition simply avoids recording dependencies for the same parent twice, even if dependencies actually might be different (e.g. due to different version conflict resolution in different scopes of the same project), but there simply is no other way to deal with this in CycloneDX AFAICS.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the condition simply avoids recording dependencies for the same parent twice, even if dependencies actually might be different (e.g. due to different version conflict resolution in different scopes of the same project), but there simply is no other way to deal with this in CycloneDX AFAICS.

I think that deserves a code comment, I was also wondering why it is ok to use a mutable set here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've extended the existing comment.

@sschuberth sschuberth requested review from fviernau and a team December 12, 2024 10:35
@fviernau fviernau dismissed their stale review December 12, 2024 10:51

Addressed.

@sschuberth sschuberth disabled auto-merge December 12, 2024 16:48
@sschuberth
Copy link
Member Author

Merging as all relevant test have passed.

@sschuberth sschuberth merged commit 1d0805f into main Dec 12, 2024
22 of 24 checks passed
@sschuberth sschuberth deleted the cdx-avoid-dep-cycles branch December 12, 2024 16:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnonnenmacher mnonnenmacher mnonnenmacher approved these changes

@fviernau fviernau Awaiting requested review from fviernau

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Stackoverflow error when creating a CycloneDX report with a dependency graph
3 participants
@sschuberth @mnonnenmacher @fviernau