sbom-tools 0.1.18

Semantic SBOM diff and analysis tool
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334

//! Fuzzy matching configuration.

use serde::{Deserialize, Serialize};

/// Configuration for fuzzy matching behavior.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct FuzzyMatchConfig {
    /// Minimum confidence threshold (0.0 - 1.0)
    pub threshold: f64,
    /// Weight for Levenshtein distance component
    pub levenshtein_weight: f64,
    /// Weight for Jaro-Winkler similarity component
    pub jaro_winkler_weight: f64,
    /// Whether to use alias table lookups
    pub use_aliases: bool,
    /// Whether to use ecosystem-specific rules
    pub use_ecosystem_rules: bool,
    /// Maximum candidates to consider for fuzzy matching
    pub max_candidates: usize,
    /// Multi-field scoring weights (optional, enables multi-field matching when set)
    #[serde(default)]
    pub field_weights: Option<MultiFieldWeights>,
}

/// Weights for multi-field scoring.
///
/// All weights should sum to 1.0 for normalized scoring.
/// Fields with weight 0.0 are ignored in matching.
///
/// Penalty fields (negative values) are applied on top of the weighted score
/// to penalize mismatches more strongly.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct MultiFieldWeights {
    /// Weight for name similarity (primary field)
    pub name: f64,
    /// Weight for version match (exact match gives full score)
    pub version: f64,
    /// Weight for ecosystem match (exact match gives full score)
    pub ecosystem: f64,
    /// Weight for license overlap (Jaccard similarity of license sets)
    pub licenses: f64,
    /// Weight for supplier/publisher match
    pub supplier: f64,
    /// Weight for group/namespace match
    pub group: f64,

    // Penalty fields (applied on top of weighted score)
    /// Penalty applied when ecosystems are different (negative value, e.g., -0.15)
    #[serde(default)]
    pub ecosystem_mismatch_penalty: f64,
    /// Enable graduated version scoring based on semver distance
    #[serde(default = "default_true")]
    pub version_divergence_enabled: bool,
    /// Penalty per major version difference (e.g., 0.10 = 10% per major)
    #[serde(default = "default_version_major_penalty")]
    pub version_major_penalty: f64,
    /// Penalty per minor version difference, capped (e.g., 0.02 = 2% per minor)
    #[serde(default = "default_version_minor_penalty")]
    pub version_minor_penalty: f64,
}

const fn default_true() -> bool {
    true
}

const fn default_version_major_penalty() -> f64 {
    0.10
}

const fn default_version_minor_penalty() -> f64 {
    0.02
}

impl MultiFieldWeights {
    /// Default weights emphasizing name matching.
    #[must_use]
    pub const fn name_focused() -> Self {
        Self {
            name: 0.80,
            version: 0.05,
            ecosystem: 0.10,
            licenses: 0.03,
            supplier: 0.01,
            group: 0.01,
            ecosystem_mismatch_penalty: -0.15,
            version_divergence_enabled: true,
            version_major_penalty: 0.10,
            version_minor_penalty: 0.02,
        }
    }

    /// Balanced weights across all fields.
    #[must_use]
    pub const fn balanced() -> Self {
        Self {
            name: 0.60,
            version: 0.10,
            ecosystem: 0.15,
            licenses: 0.08,
            supplier: 0.04,
            group: 0.03,
            ecosystem_mismatch_penalty: -0.15, // Applied on top of weighted score
            version_divergence_enabled: true,
            version_major_penalty: 0.10,
            version_minor_penalty: 0.02,
        }
    }

    /// Weights for security-focused matching (emphasizes ecosystem and version).
    #[must_use]
    pub const fn security_focused() -> Self {
        Self {
            name: 0.50,
            version: 0.20,
            ecosystem: 0.20,
            licenses: 0.05,
            supplier: 0.03,
            group: 0.02,
            ecosystem_mismatch_penalty: -0.25, // Stricter penalty
            version_divergence_enabled: true,
            version_major_penalty: 0.15, // Higher penalty for major version diff
            version_minor_penalty: 0.03,
        }
    }

    /// Legacy weights with no penalties (for backward compatibility).
    ///
    /// Use this preset when you want the old binary scoring behavior
    /// without ecosystem mismatch penalties or version divergence scoring.
    #[must_use]
    pub const fn legacy() -> Self {
        Self {
            name: 0.60,
            version: 0.10,
            ecosystem: 0.15,
            licenses: 0.08,
            supplier: 0.04,
            group: 0.03,
            ecosystem_mismatch_penalty: 0.0,   // No penalty
            version_divergence_enabled: false, // Binary scoring
            version_major_penalty: 0.0,
            version_minor_penalty: 0.0,
        }
    }

    /// Check if weights are properly normalized (sum to ~1.0).
    /// Note: Penalty fields are not included in normalization check.
    #[must_use]
    pub fn is_normalized(&self) -> bool {
        let sum =
            self.name + self.version + self.ecosystem + self.licenses + self.supplier + self.group;
        (sum - 1.0).abs() < 0.001
    }

    /// Normalize weights to sum to 1.0.
    /// Note: Penalty fields are not affected by normalization.
    pub fn normalize(&mut self) {
        let sum =
            self.name + self.version + self.ecosystem + self.licenses + self.supplier + self.group;
        if sum > 0.0 {
            self.name /= sum;
            self.version /= sum;
            self.ecosystem /= sum;
            self.licenses /= sum;
            self.supplier /= sum;
            self.group /= sum;
        }
    }
}

impl Default for MultiFieldWeights {
    fn default() -> Self {
        Self::balanced()
    }
}

impl FuzzyMatchConfig {
    /// Strict matching for security-critical scenarios
    #[must_use]
    pub const fn strict() -> Self {
        Self {
            threshold: 0.95,
            levenshtein_weight: 0.5,
            jaro_winkler_weight: 0.5,
            use_aliases: true,
            use_ecosystem_rules: true,
            max_candidates: 100,
            field_weights: None, // Single-field (name) matching by default
        }
    }

    /// Balanced matching for general diff operations
    #[must_use]
    pub const fn balanced() -> Self {
        Self {
            threshold: 0.85,
            levenshtein_weight: 0.4,
            jaro_winkler_weight: 0.6,
            use_aliases: true,
            use_ecosystem_rules: true,
            max_candidates: 500,
            field_weights: None, // Single-field (name) matching by default
        }
    }

    /// Permissive matching for discovery/exploration
    #[must_use]
    pub const fn permissive() -> Self {
        Self {
            threshold: 0.70,
            levenshtein_weight: 0.3,
            jaro_winkler_weight: 0.7,
            use_aliases: true,
            use_ecosystem_rules: true,
            max_candidates: 1000,
            field_weights: None, // Single-field (name) matching by default
        }
    }

    /// Enable multi-field scoring with the given weights.
    #[must_use]
    pub const fn with_multi_field(mut self, weights: MultiFieldWeights) -> Self {
        self.field_weights = Some(weights);
        self
    }

    /// Set a custom threshold value.
    #[must_use]
    pub const fn with_threshold(mut self, threshold: f64) -> Self {
        self.threshold = threshold;
        self
    }

    /// Strict matching with multi-field scoring for security scenarios.
    #[must_use]
    pub const fn strict_multi_field() -> Self {
        Self::strict().with_multi_field(MultiFieldWeights::security_focused())
    }

    /// Balanced matching with multi-field scoring.
    #[must_use]
    pub const fn balanced_multi_field() -> Self {
        Self::balanced().with_multi_field(MultiFieldWeights::balanced())
    }

    /// Create config from a preset name.
    ///
    /// Supported presets:
    /// - "strict", "balanced", "permissive" - single-field (name only)
    /// - "strict-multi", "balanced-multi" - multi-field scoring enabled
    #[must_use]
    pub fn from_preset(name: &str) -> Option<Self> {
        match name.to_lowercase().as_str() {
            "strict" => Some(Self::strict()),
            "balanced" => Some(Self::balanced()),
            "permissive" => Some(Self::permissive()),
            "strict-multi" | "strict_multi" => Some(Self::strict_multi_field()),
            "balanced-multi" | "balanced_multi" => Some(Self::balanced_multi_field()),
            _ => None,
        }
    }
}

impl Default for FuzzyMatchConfig {
    fn default() -> Self {
        Self::balanced()
    }
}

/// Configuration for cross-ecosystem matching.
///
/// Cross-ecosystem matching allows components to be matched across different
/// package ecosystems (e.g., npm vs `PyPI`) when they represent the same
/// underlying library. This is enabled by default with conservative settings.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CrossEcosystemConfig {
    /// Whether cross-ecosystem matching is enabled
    pub enabled: bool,
    /// Minimum score required for cross-ecosystem matches
    pub min_score: f64,
    /// Score penalty applied to cross-ecosystem matches
    pub score_penalty: f64,
    /// Maximum number of cross-ecosystem candidates per component
    pub max_candidates: usize,
    /// Only use verified cross-ecosystem mappings (stricter)
    pub verified_only: bool,
}

impl Default for CrossEcosystemConfig {
    fn default() -> Self {
        Self {
            enabled: true,
            min_score: 0.80,
            score_penalty: 0.10,
            max_candidates: 10,
            verified_only: false,
        }
    }
}

impl CrossEcosystemConfig {
    /// Disabled cross-ecosystem matching.
    #[must_use]
    pub fn disabled() -> Self {
        Self {
            enabled: false,
            ..Default::default()
        }
    }

    /// Strict settings for high-confidence matches only.
    #[must_use]
    pub const fn strict() -> Self {
        Self {
            enabled: true,
            min_score: 0.90,
            score_penalty: 0.15,
            max_candidates: 5,
            verified_only: true,
        }
    }

    /// Permissive settings for discovery/exploration.
    #[must_use]
    pub const fn permissive() -> Self {
        Self {
            enabled: true,
            min_score: 0.70,
            score_penalty: 0.05,
            max_candidates: 20,
            verified_only: false,
        }
    }
}