
sbom_tools/diff/changes/
components.rs

1//! Component change computer implementation.
2
3use crate::diff::traits::{ChangeComputer, ComponentChangeSet, ComponentMatches};
4use crate::diff::{ComponentChange, CostModel, FieldChange};
5use crate::model::{Component, NormalizedSbom};
6use std::collections::HashSet;
7
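/// Computes component-level changes between SBOMs.
///
/// Owns the [`CostModel`] whose weights are charged for each added, removed or
/// modified component found by the diff.
pub struct ComponentChangeComputer {
    cost_model: CostModel,
}

impl ComponentChangeComputer {
    /// Create a new component change computer with the given cost model.
    #[must_use]
    pub const fn new(cost_model: CostModel) -> Self {
        Self { cost_model }
    }

    /// Compute individual field changes between two matched components.
    ///
    /// Compares, in order: version, declared licenses, supplier and, only when
    /// the version is unchanged, hashes. Returns the recorded changes together
    /// with the summed cost taken from the cost model.
    ///
    /// The cost is accumulated with saturating arithmetic: a plain `+=` on
    /// `u32` wraps in release builds, which would make a change set with large
    /// configured weights look cheap instead of expensive.
    fn compute_field_changes(&self, old: &Component, new: &Component) -> (Vec<FieldChange>, u32) {
        let mut changes = Vec::new();
        let mut total_cost = 0u32;

        // Version change
        if old.version != new.version {
            changes.push(FieldChange {
                field: "version".to_string(),
                old_value: old.version.clone(),
                new_value: new.version.clone(),
            });
            total_cost = total_cost.saturating_add(
                self.cost_model
                    .version_change_cost(&old.semver, &new.semver),
            );
        }

        // License change: only the `declared` list is read here, and the two
        // sides are compared as sets, so order and duplicates do not count.
        let declared_list = |component: &Component| -> String {
            component
                .licenses
                .declared
                .iter()
                .map(|l| l.expression.clone())
                .collect::<Vec<_>>()
                .join(", ")
        };
        let old_licenses: HashSet<_> = old
            .licenses
            .declared
            .iter()
            .map(|l| &l.expression)
            .collect();
        let new_licenses: HashSet<_> = new
            .licenses
            .declared
            .iter()
            .map(|l| &l.expression)
            .collect();
        if old_licenses != new_licenses {
            changes.push(FieldChange {
                field: "licenses".to_string(),
                old_value: Some(declared_list(old)),
                new_value: Some(declared_list(new)),
            });
            total_cost = total_cost.saturating_add(self.cost_model.license_changed);
        }

        // Supplier change: the whole supplier value is compared, but only its
        // name is reported, so a change in another supplier field shows the
        // same name on both sides.
        if old.supplier != new.supplier {
            changes.push(FieldChange {
                field: "supplier".to_string(),
                old_value: old.supplier.as_ref().map(|s| s.name.clone()),
                new_value: new.supplier.as_ref().map(|s| s.name.clone()),
            });
            total_cost = total_cost.saturating_add(self.cost_model.supplier_changed);
        }

        // Hash change (same version but different hash = integrity concern).
        //
        // NOTE(review): this check only runs when BOTH sides carry at least one
        // hash. A component whose hashes were dropped (or first appear) under an
        // unchanged version produces no "hashes" finding here.
        //
        // NOTE(review): only `h.value` is compared, not the algorithm, and the
        // finding requires the two value sets to be fully disjoint. One shared
        // digest therefore suppresses the finding even if every other digest
        // differs, and two SBOMs that list different algorithms for the same
        // artifact are reported as a mismatch. Values are compared as exact
        // strings; presumably they are case-normalised upstream (confirm).
        if old.version == new.version && !old.hashes.is_empty() && !new.hashes.is_empty() {
            let old_hashes: HashSet<_> = old.hashes.iter().map(|h| &h.value).collect();
            let new_hashes: HashSet<_> = new.hashes.iter().map(|h| &h.value).collect();
            if old_hashes.is_disjoint(&new_hashes) {
                // Only the first hash of each side is reported; the two entries
                // are not guaranteed to use the same algorithm.
                changes.push(FieldChange {
                    field: "hashes".to_string(),
                    old_value: Some(
                        old.hashes
                            .first()
                            .map(|h| h.value.clone())
                            .unwrap_or_default(),
                    ),
                    new_value: Some(
                        new.hashes
                            .first()
                            .map(|h| h.value.clone())
                            .unwrap_or_default(),
                    ),
                });
                total_cost = total_cost.saturating_add(self.cost_model.hash_mismatch);
            }
        }

        (changes, total_cost)
    }
}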
110
impl Default for ComponentChangeComputer {
    /// Build a computer that uses the default cost model.
    fn default() -> Self {
        Self {
            cost_model: CostModel::default(),
        }
    }
}
116
impl ChangeComputer for ComponentChangeComputer {
    type ChangeSet = ComponentChangeSet;

    /// Classify components as removed, added or modified.
    ///
    /// `matches` maps each old component id to the new id it was paired with,
    /// or to `None` when no counterpart was found.
    ///
    /// * removed: entries of `matches` whose target is `None`
    /// * added: ids in `new.components` that no match points at
    /// * modified: matched pairs whose `content_hash` differs and for which
    ///   `compute_field_changes` records at least one field change
    ///
    /// NOTE(review): removals are derived from `matches`, not from
    /// `old.components`, so an old component with no entry in `matches` is not
    /// reported at all. Ids in `matches` that do not resolve in the
    /// corresponding SBOM are skipped without any diagnostic. Callers relying
    /// on this diff for supply-chain review should confirm that `matches`
    /// covers every old component.
    fn compute(
        &self,
        old: &NormalizedSbom,
        new: &NormalizedSbom,
        matches: &ComponentMatches,
    ) -> ComponentChangeSet {
        let mut change_set = ComponentChangeSet::new();

        // New-side ids that some old component was paired with.
        let paired_new_ids: HashSet<_> = matches.values().flatten().cloned().collect();

        // Removed: old components with no counterpart.
        for (old_id, target) in matches {
            if target.is_some() {
                continue;
            }
            if let Some(component) = old.components.get(old_id) {
                change_set.removed.push(ComponentChange::removed(
                    component,
                    self.cost_model.component_removed,
                ));
            }
        }

        // Added: new components that nothing was paired with.
        for new_id in new.components.keys() {
            if paired_new_ids.contains(new_id) {
                continue;
            }
            if let Some(component) = new.components.get(new_id) {
                change_set.added.push(ComponentChange::added(
                    component,
                    self.cost_model.component_added,
                ));
            }
        }

        // Modified: paired components whose content differs.
        for (old_id, target) in matches {
            let Some(new_id) = target else {
                continue;
            };
            let (Some(before), Some(after)) =
                (old.components.get(old_id), new.components.get(new_id))
            else {
                continue;
            };

            // Identical content hashes are treated as "unchanged".
            if before.content_hash == after.content_hash {
                continue;
            }

            let (field_changes, cost) = self.compute_field_changes(before, after);
            if field_changes.is_empty() {
                // The content hash differs, but none of the inspected fields do.
                continue;
            }
            change_set.modified.push(ComponentChange::modified(
                before,
                after,
                field_changes,
                cost,
            ));
        }

        change_set
    }

    /// Fixed identifier of this computer.
    fn name(&self) -> &'static str {
        "ComponentChangeComputer"
    }
}
179
#[cfg(test)]
mod tests {
    use super::*;

    /// A default-constructed computer reports its fixed name.
    #[test]
    fn test_component_change_computer_default() {
        assert_eq!(
            ComponentChangeComputer::default().name(),
            "ComponentChangeComputer"
        );
    }

    /// Diffing two empty SBOMs with no matches yields an empty change set.
    #[test]
    fn test_empty_sboms() {
        let (before, after) = (NormalizedSbom::default(), NormalizedSbom::default());
        let no_matches = ComponentMatches::new();

        let change_set =
            ComponentChangeComputer::default().compute(&before, &after, &no_matches);

        assert!(change_set.is_empty());
    }
}