feat!: BomRef affect equality/comparisson (#754)

For some this is considered a bug-fix, for others this is a feature - it
is a breaking change anyway since it modifies the order of things.

----

TODO:
- [x] **every** symbol that has a property `bom-ref` MUST utilize it for
dunder methods `hash`,`eq`,`gt`,`lt`,...
- [x] add new test cases from #753
- [x] add new test cases from #540
- [x] add new test cases from #677
- [x] create new tests snapshots (if applicable)

----

> [!important]
> depends on #755

supersedes #678
closes #678

fixes #753
fixes #540
fixes #677

---------

Signed-off-by: wkoot <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Co-authored-by: wkoot <[email protected]>

Author: jkowalleck

cyclonedx/model/component.py

@@ -1774,6 +1774,7 @@ def get_pypi_url(self) -> str:
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
             self.type, self.group, self.name, self.version,
+            self.bom_ref.value,
             None if self.purl is None else _ComparablePackageURL(self.purl),
             self.swid, self.cpe, _ComparableTuple(self.swhids),
             self.supplier, self.author, self.publisher,

cyclonedx/model/contact.py

@@ -163,10 +163,10 @@ def street_address(self, street_address: Optional[str]) -> None:
 
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
-            self.bom_ref,
             self.country, self.region, self.locality, self.postal_code,
             self.post_office_box_number,
-            self.street_address
+            self.street_address,
+            None if self.bom_ref is None else self.bom_ref.value,
         ))
 
     def __eq__(self, other: object) -> bool:

cyclonedx/model/definition.py

@@ -256,7 +256,7 @@ def external_references(self, external_references: Iterable[ExternalReference])
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to compare all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref, self.identifier,
+            self.identifier, self.bom_ref.value,
             self.title, self.text,
             _ComparableTuple(self.descriptions),
             _ComparableTuple(self.open_cre), self.parent, _ComparableTuple(self.properties),
@@ -373,7 +373,9 @@ def requirements(self, requirements: Iterable[Union[str, BomRef]]) -> None:
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to compare all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref, self.identifier, self.title, self.description, _ComparableTuple(self.requirements)
+            self.identifier, self.bom_ref.value,
+            self.title, self.description,
+            _ComparableTuple(self.requirements)
         ))
 
     def __lt__(self, other: Any) -> bool:
@@ -545,8 +547,9 @@ def external_references(self, external_references: Iterable[ExternalReference])
     def __comparable_tuple(self) -> _ComparableTuple:
         # all properties are optional - so need to apply all, in hope that one is unique
         return _ComparableTuple((
-            self.bom_ref,
-            self.name, self.version, self.description, self.owner,
+            self.name, self.version,
+            self.bom_ref.value,
+            self.description, self.owner,
             _ComparableTuple(self.requirements), _ComparableTuple(self.levels),
             _ComparableTuple(self.external_references)
         ))

cyclonedx/model/service.py

@@ -355,6 +355,7 @@ def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None:
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
             self.group, self.name, self.version,
+            self.bom_ref.value,
             self.provider, self.description,
             self.authenticated, _ComparableTuple(self.data), _ComparableTuple(self.endpoints),
             _ComparableTuple(self.external_references), _ComparableTuple(self.licenses),

cyclonedx/model/vulnerability.py

@@ -1334,7 +1334,7 @@ def properties(self, properties: Iterable[Property]) -> None:
 
     def __comparable_tuple(self) -> _ComparableTuple:
         return _ComparableTuple((
-            self.id,
+            self.id, self.bom_ref.value,
             self.source, _ComparableTuple(self.references),
             _ComparableTuple(self.ratings), _ComparableTuple(self.cwes), self.description,
             self.detail, self.recommendation, self.workaround, _ComparableTuple(self.advisories),

tests/_data/models.py

@@ -1401,6 +1401,37 @@ def get_bom_with_definitions_and_detailed_standards() -> Bom:
         ]))
 
 
+def get_bom_for_issue540_duplicate_components() -> Bom:
+    # tests https://github.com/CycloneDX/cyclonedx-python-lib/issues/540
+    bom = _make_bom()
+    bom.metadata.component = root_component = Component(
+        name='myApp',
+        type=ComponentType.APPLICATION,
+        bom_ref='myApp'
+    )
+    component1 = Component(
+        type=ComponentType.LIBRARY,
+        name='some-component',
+        bom_ref='some-component'
+    )
+    bom.components.add(component1)
+    bom.register_dependency(root_component, [component1])
+    component2 = Component(
+        type=ComponentType.LIBRARY,
+        name='some-library',
+        bom_ref='some-library1'
+    )
+    bom.components.add(component2)
+    bom.register_dependency(component1, [component2])
+    component3 = Component(
+        type=ComponentType.LIBRARY,
+        name='some-library',
+        bom_ref='some-library2'
+    )
+    bom.components.add(component3)
+    bom.register_dependency(component1, [component3])
+    return bom
+
 # ---
 
 

tests/_data/own/json/1.5/issue677.json

@@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+  <components>
+    <component type="library">
+      <name>some-component</name>
+      <version/>
+      <modified>false</modified>
+    </component>
+    <component type="library">
+      <name>some-library</name>
+      <version/>
+      <modified>false</modified>
+    </component>
+    <component type="library">
+      <name>some-library</name>
+      <version/>
+      <modified>false</modified>
+    </component>
+  </components>
+</bom>

tests/_data/own/json/1.5/issue753.json

@@ -0,0 +1,17 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <components>
+    <component type="library" bom-ref="some-component">
+      <name>some-component</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+      <version/>
+    </component>
+  </components>
+</bom>

tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.0.xml.bin

@@ -0,0 +1,57 @@
+{
+  "components": [
+    {
+      "bom-ref": "some-component",
+      "name": "some-component",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library1",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library2",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "some-component"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "dependsOn": [
+        "some-library1",
+        "some-library2"
+      ],
+      "ref": "some-component"
+    },
+    {
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library2"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "name": "myApp",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2"
+}

tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.1.xml.bin

@@ -0,0 +1,35 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <component type="application" bom-ref="myApp">
+      <name>myApp</name>
+      <version/>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="some-component">
+      <name>some-component</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library1">
+      <name>some-library</name>
+      <version/>
+    </component>
+    <component type="library" bom-ref="some-library2">
+      <name>some-library</name>
+      <version/>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="some-component"/>
+    </dependency>
+    <dependency ref="some-component">
+      <dependency ref="some-library1"/>
+      <dependency ref="some-library2"/>
+    </dependency>
+    <dependency ref="some-library1"/>
+    <dependency ref="some-library2"/>
+  </dependencies>
+</bom>

tests/_data/snapshots/get_bom_for_issue540_duplicate_components-1.2.json.bin

@@ -0,0 +1,57 @@
+{
+  "components": [
+    {
+      "bom-ref": "some-component",
+      "name": "some-component",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library1",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    },
+    {
+      "bom-ref": "some-library2",
+      "name": "some-library",
+      "type": "library",
+      "version": ""
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "some-component"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "dependsOn": [
+        "some-library1",
+        "some-library2"
+      ],
+      "ref": "some-component"
+    },
+    {
+      "ref": "some-library1"
+    },
+    {
+      "ref": "some-library2"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "name": "myApp",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3"
+}