diff --git a/modules/ingestor/src/graph/sbom/cyclonedx.rs b/modules/ingestor/src/graph/sbom/cyclonedx.rs
index 0cf3a772..52181f01 100644
--- a/modules/ingestor/src/graph/sbom/cyclonedx.rs
+++ b/modules/ingestor/src/graph/sbom/cyclonedx.rs
@@ -151,10 +151,13 @@ impl SbomContext {
 // create relationships
 for left in sbom.dependencies.iter().flatten() {
- // https://github.com/trustification/trustify/issues/1131
- // Do we need to qualify this so that only "arch=src" refs
- // get the GeneratedFrom relationship?
 for target in left.depends_on.iter().flatten() {
+ log::debug!("Adding dependency - left: {}, right: {}", left.ref_, target);
+ creator.relate(left.ref_.clone(), Relationship::Dependency, target.clone());
+ }
+
+ for target in left.provides.iter().flatten() {
+ log::debug!("Adding generates - left: {}, right: {}", left.ref_, target);
 creator.relate(left.ref_.clone(), Relationship::Generates, target.clone());
 }
 }
@@ -378,6 +381,32 @@ impl<'a> ComponentCreator<'a> {
 self.relationships
 .relate(node_id.clone(), Relationship::Variant, target);
 }
+
+ for variant in comp
+ .pedigree
+ .iter()
+ .flat_map(|pedigree| pedigree.variants.iter().flatten())
+ {
+ let target = variant
+ .bom_ref
+ .clone()
+ .unwrap_or_else(|| Uuid::new_v4().to_string());
+
+ // create the component
+
+ let creator = ComponentCreator::new(
+ self.cpes,
+ self.purls,
+ self.licenses,
+ self.packages,
+ self.relationships,
+ );
+
+ creator.create(variant);
+
+ self.relationships
+ .relate(node_id.clone(), Relationship::Variant, target);
+ }
 }
 pub fn add_cpe(&mut self, cpe: Cpe) {
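Review bot: In the first hunk, both new `log::debug!` calls print `left.ref_` and `target` with `{}`, and those values come from the `dependencies` section of the SBOM being ingested, so a reference containing a newline or other control character would reach the log unescaped and could be read as a separate log record. Formatting them with `{:?}` keeps each entry on one line, for example `log::debug!("Adding dependency - left: {:?}, right: {:?}", left.ref_, target);`, and the same applies to the "Adding generates" call. This assumes no earlier step normalizes the references; the enclosing function begins and ends outside the hunk, so that cannot be confirmed from here.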
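Review bot: In the second hunk, when a variant has no `bom_ref`, `target` becomes a fresh `Uuid::new_v4()` that is never passed to `creator.create(variant)`, so the `Relationship::Variant` edge added afterwards probably names a node the nested creator never registered under that id. How `create` chooses its node id is outside the hunk, but if it uses the same random fallback the two ids cannot match, leaving a dangling edge in the graph for any SBOM whose variants omit `bom-ref`. One option is to have `create` return the id it used and relate to that, e.g. `let target = creator.create(variant);`; another is to skip variants without a `bom_ref`. The enclosing method starts outside the hunk, so its current return type would need checking first.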