fix: replace auto-detected root component with user-provided one #1421
max619 wants to merge 2 commits into CycloneDX:master from
so much refactoring for a simple fix? sorry, i don't intend to merge this out-of-scope modification. please revert your changes and only fix the "bug" in the scope of #1418. Thank you in advance. PS: if you want to do design/architecture changes, then please propose them in a dedicated ticket where we can discuss the impact and expected outcome. An implementation of these changes may happen later :-)
@jkowalleck Simplified a bit
@jkowalleck looking forward to your review :)
could you fix those merge conflicts?
Previously, disabling root component auto-detection while specifying a root component left the auto-detected root in the BOM, with dependencies still attached to it (issue CycloneDX#1418). This change ensures that all instances of the auto-detected root are replaced by the user-provided component using a `componentSubstitutionMap` during component generation.

Regression tests were added for that particular case.

Signed-off-by: Maxim Bagryantsev <maxbag97619@gmail.com>
| * @throws {@link Error} when no component could be fetched | ||
| */ | ||
| makeComponent (pkg: PackageDescription, collectEvidence: boolean, logger?: WebpackLogger): CDX.Models.Component { | ||
| #makeComponent (pkg: PackageDescription, collectEvidence: boolean, rootComponents: RootComponentCreationResult | undefined, logger?: WebpackLogger): CDX.Models.Component { |
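Review bot: The new `rootComponents` parameter in the changed signature is required and is placed before the optional `logger`, so every existing call that passes a logger as its third argument has to be rewritten, and the rename to `#makeComponent` removes the method from the class's public surface in the same step. Keeping `makeComponent` public and appending the new argument as an optional last parameter, or doing the substitution in the caller, would keep the change within the scope of #1418.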
why was this function made private? this is an unexpected change.
| } | ||
|
|
||
| if (rootComponents?.detectedRootComponent !== undefined && doComponentsMatch(component, rootComponents.detectedRootComponent)) { | ||
| component = rootComponents.rootComponent |
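Review bot: In the new `if`, the swap depends entirely on `doComponentsMatch(component, rootComponents.detectedRootComponent)`, and nothing in this hunk states which fields count as a match. If the comparison is looser than intended, an unrelated dependency is silently replaced by the root component in the BOM. A short comment stating the match criteria, plus a debug log line when the replacement happens, would make the substitution auditable.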
unintended design change.
a "makeSomething" function makes something - no matter what.
it does not cut steps
| packageJson: NonNullable<any> | ||
| } | ||
|
|
||
| export interface RootComponentCreationResult { |
unintended design.
the function that returns this RootComponentCreationResult is private. so the type definition for this very function should happen where this private function is defined.
| builder: CDX.Builders.FromNodePackageJson.ComponentBuilder, | ||
| logger: WebpackLogger | ||
| ): CDX.Models.Component | undefined { | ||
| ): RootComponentCreationResult | undefined { |
could you please explain what the idea behind the change of the algorithm of this function makeRootComponent is?
i mean, before, it had a name that pretty much described what it did.
now it does ... what?
Pull Request Overview
This PR adds a regression test for issue #1418 to verify that rootComponentName correctly overrides the root component and all autodetected instances of it. The implementation tracks both the configured root component and the detected root component, then replaces any dependency components that match the detected root with the configured root component.
Reviewed Changes
Copilot reviewed 13 out of 14 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/integration/setup.js | Adds 'regression-issue1418' to the test setups list |
| tests/integration/regression-issue1418/* | New regression test setup with webpack config, source files, and package manifests |
| tests/integration/index.test.js | Adds test configuration for the new regression test |
| tests/integration/__snapshots__/index.test.js.snap | Updates snapshots with expected output and fixes for feature-issue1344-no-detect |
| src/plugin.ts | Updates to create and track both root and detected root components |
| src/extractor.ts | Updates component generation to replace detected root with configured root |
| src/_helpers.ts | Adds RootComponentCreationResult interface and doComponentsMatch helper function |
| } | ||
|
|
||
| const rootComponent = builder.makeComponent(rootPackageJson) | ||
| if(rootComponent === undefined) { return undefined } |
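Review bot: The early return on `rootComponent === undefined` gives the caller no indication of why no root component was produced, so the build carries on without one and nothing in these lines records it. Emit a warning before `return undefined` so a BOM without its root can be traced back to this point.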
Missing space after `if` keyword. Should be `if (rootComponent === undefined)` to maintain consistency with the project's coding style.
| if(rootComponent === undefined) { return undefined } | |
| if (rootComponent === undefined) { return undefined } |
| const rootComponents = this.#makeRootComponent(compilation.compiler.context, cdxComponentBuilder, logger.getChildLogger('RootComponentBuilder')) | ||
| bom.metadata.component = rootComponents?.rootComponent |
[nitpick] The variable name rootComponents (plural) is misleading as it contains a single root component along with metadata about detection. Consider renaming to rootComponentResult or rootComponentInfo to better reflect that it's a result object rather than a collection.
| const rootComponents = this.#makeRootComponent(compilation.compiler.context, cdxComponentBuilder, logger.getChildLogger('RootComponentBuilder')) | |
| bom.metadata.component = rootComponents?.rootComponent | |
| const rootComponentResult = this.#makeRootComponent(compilation.compiler.context, cdxComponentBuilder, logger.getChildLogger('RootComponentBuilder')) | |
| bom.metadata.component = rootComponentResult?.rootComponent |
| if (detectedRootPackageJson !== rootPackageJson) { | ||
| normalizePackageManifest( | ||
| detectedRootPackageJson, | ||
| w => { logger.debug('normalizePackageJson from PkgPath', path, 'caused:', w) } | ||
| ) | ||
| } |
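Review bot: The guard `detectedRootPackageJson !== rootPackageJson` compares object identity, so the second normalization is skipped only when both names refer to the same object; two separately loaded copies of the same manifest would both be normalized. The debug message also says 'normalizePackageJson' while the call is `normalizePackageManifest`, and it logs `path` without saying which of the two manifests it refers to; name the function correctly and state in the message that this is the detected root's manifest.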
Missing null/undefined check for detectedRootPackageJson before calling normalizePackageManifest. If rootComponentAutodetect is false and detectedRootPackageJson is undefined, this will cause a runtime error when the condition is true.
this PR was merged into #1456
Previously, disabling root component auto-detection while specifying a root component left the auto-detected root in the BOM, with dependencies still attached to it (issue #1418).
This change ensures that all instances of the auto-detected root are replaced by the user-provided component using a `componentSubstitutionMap` during component generation. Also introduced a new `RichComponentBuilder` to centralize handling of component creation, BOM reference initialization, and PURL assignment, moving relevant logic out of `Extractor`.
Regression tests were added for that particular case.
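A post-build check for the failure described in #1418, as an added example that is not part of the pull request or the plugin's code: it inspects a generated CycloneDX JSON BOM for a leftover auto-detected root and for components that the declared root cannot reach. The sample BOMs, the package names and the function name `checkRootSubstitution` are constructed for illustration, and the reachability rule is an assumption about what a bundler BOM should look like.

```javascript
// Constructed sample: a BOM as #1418 would leave it ('my-app' = user root, 'detected-pkg' = detected root).
const leakyBom = {
  metadata: { component: { 'bom-ref': 'my-app@1.0.0', name: 'my-app' } },
  components: [
    { 'bom-ref': 'detected-pkg@0.0.1', name: 'detected-pkg' },
    { 'bom-ref': 'left-pad@1.3.0', name: 'left-pad' }
  ],
  dependencies: [
    { ref: 'my-app@1.0.0', dependsOn: [] },
    { ref: 'detected-pkg@0.0.1', dependsOn: ['left-pad@1.3.0'] },
    { ref: 'left-pad@1.3.0', dependsOn: [] }
  ]
}
// Constructed sample: the same build with the substitution applied.
const fixedBom = {
  metadata: leakyBom.metadata,
  components: [leakyBom.components[1]],
  dependencies: [{ ref: 'my-app@1.0.0', dependsOn: ['left-pad@1.3.0'] }, { ref: 'left-pad@1.3.0', dependsOn: [] }]
}
// Returns a list of findings; an empty list means the root looks consistent.
// detectedName: the name auto-detection would have picked (assumed known to the caller).
function checkRootSubstitution (bom, detectedName) {
  const root = bom.metadata && bom.metadata.component
  if (!root) return ['metadata.component is missing']
  const findings = []
  const components = bom.components || []
  // 1. The auto-detected root must not survive as an ordinary component.
  for (const c of components) {
    if (detectedName !== root.name && c.name === detectedName) findings.push(`detected root still listed: ${c['bom-ref']}`)
  }
  // 2. Assumed invariant: every component is reachable from the declared root.
  const edges = new Map((bom.dependencies || []).map(d => [d.ref, d.dependsOn || []]))
  const seen = new Set()
  const stack = [root['bom-ref']]
  while (stack.length > 0) {
    const ref = stack.pop()
    if (seen.has(ref)) continue
    seen.add(ref)
    stack.push(...(edges.get(ref) || []))
  }
  for (const c of components) {
    if (!seen.has(c['bom-ref'])) findings.push(`not reachable from root: ${c['bom-ref']}`)
  }
  return findings
}
```

Run against a real build, the first argument would be the parsed BOM file the plugin wrote and the second the `name` from the project's own package.json.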