sbom-tools 0.1.18

Semantic SBOM diff and analysis tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! Dependency change computer implementation.

use crate::diff::DependencyChange;
use crate::diff::traits::{ChangeComputer, ComponentMatches, DependencyChangeSet};
use crate::model::NormalizedSbom;
use std::collections::HashSet;

/// Computes dependency-level changes between SBOMs.
pub struct DependencyChangeComputer;

impl DependencyChangeComputer {
    /// Create a new dependency change computer.
    #[must_use]
    pub const fn new() -> Self {
        Self
    }
}

impl Default for DependencyChangeComputer {
    fn default() -> Self {
        Self::new()
    }
}

impl ChangeComputer for DependencyChangeComputer {
    type ChangeSet = DependencyChangeSet;

    fn compute(
        &self,
        old: &NormalizedSbom,
        new: &NormalizedSbom,
        matches: &ComponentMatches,
    ) -> DependencyChangeSet {
        let mut result = DependencyChangeSet::new();

        // Edge key includes (from, to, relationship, scope) for full identity comparison
        type EdgeKey = (String, String, String, Option<String>);

        // Map old edges to their canonical form for comparison
        let mut normalized_old_edges: HashSet<EdgeKey> = HashSet::new();
        for edge in &old.edges {
            let from = matches
                .get(&edge.from)
                .and_then(|v| v.as_ref())
                .map_or_else(|| edge.from.to_string(), std::string::ToString::to_string);
            let to = matches
                .get(&edge.to)
                .and_then(|v| v.as_ref())
                .map_or_else(|| edge.to.to_string(), std::string::ToString::to_string);
            normalized_old_edges.insert((
                from,
                to,
                edge.relationship.to_string(),
                edge.scope.as_ref().map(std::string::ToString::to_string),
            ));
        }

        // Find added dependencies
        for edge in &new.edges {
            let key: EdgeKey = (
                edge.from.to_string(),
                edge.to.to_string(),
                edge.relationship.to_string(),
                edge.scope.as_ref().map(std::string::ToString::to_string),
            );
            if !normalized_old_edges.contains(&key) {
                result.added.push(DependencyChange::added(edge));
            }
        }

        // Map new edges for comparison with old
        let mut normalized_new_edges: HashSet<EdgeKey> = HashSet::new();
        for edge in &new.edges {
            normalized_new_edges.insert((
                edge.from.to_string(),
                edge.to.to_string(),
                edge.relationship.to_string(),
                edge.scope.as_ref().map(std::string::ToString::to_string),
            ));
        }

        // Find removed dependencies
        for edge in &old.edges {
            let from = matches
                .get(&edge.from)
                .and_then(|v| v.as_ref())
                .map_or_else(|| edge.from.to_string(), std::string::ToString::to_string);
            let to = matches
                .get(&edge.to)
                .and_then(|v| v.as_ref())
                .map_or_else(|| edge.to.to_string(), std::string::ToString::to_string);

            let key: EdgeKey = (
                from,
                to,
                edge.relationship.to_string(),
                edge.scope.as_ref().map(std::string::ToString::to_string),
            );
            if !normalized_new_edges.contains(&key) {
                result.removed.push(DependencyChange::removed(edge));
            }
        }

        result
    }

    fn name(&self) -> &'static str {
        "DependencyChangeComputer"
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_dependency_change_computer_default() {
        let computer = DependencyChangeComputer;
        assert_eq!(computer.name(), "DependencyChangeComputer");
    }

    #[test]
    fn test_empty_sboms() {
        let computer = DependencyChangeComputer;
        let old = NormalizedSbom::default();
        let new = NormalizedSbom::default();
        let matches = ComponentMatches::new();

        let result = computer.compute(&old, &new, &matches);
        assert!(result.is_empty());
    }
}