BUG: DejaCode exported CycloneDX SBOM does not retain dependency relationship #271

Open
@ghsa-retrieval

Description

Describe the bug
Current DejaCode versions already represent the relationships between packages in a product's inventory and their dependencies on other packages. However, when exporting an SBOM, that relationship is not correctly represented in the resulting file. This was tested with CycloneDX as the output format.

The resulting file lists all packages as if they are direct dependencies. This is incorrect, as some may only be transitive dependencies. This is highly important to get right for regulatory purposes, as it indicates who is responsible for fixing issues or updating versions. If it is a direct dependency, then the organisation developing the product is directly responsible. However, if a dependency of the product has transitive dependencies where a package is outdated, then the organisation developing the product may have to wait for a patch of that dependency to be released. Furthermore, displaying transitive dependencies as direct dependencies is simply inaccurate for the purpose of software component analysis.

To Reproduce

  1. Create a product in DejaCode
  2. Generate an SBOM for a product with a tool such as cdxgen, where there are transitive dependencies
  3. Use "Actions > Load packages from SBOMs" with "Scan all packages of this product post-import" checked
  4. Once the import is completed you should see the inventory populated and dependencies filled
  5. Use "Share > CycloneDX" to export an SBOM in format version 1.6
  6. Open the SBOM in an editor of your choice and see that all packages are listed as direct dependencies under the key "dependencies" and within that "dependsOn".

Expected behavior
Instead of having all packages listed in "dependsOn" as direct dependencies, they should be listed as follows:

  • All dependencies should each have an entry like:

        {
            "ref": "pkg:pkgmanager/[email protected]",
            "dependsOn": []
        },

  • "dependsOn" should reference the PURLs of other packages that they depend on, if any (just like dependencies already do in DejaCode's internal model)

Important: The SBOM import must also ensure that only direct dependencies are listed as packages in the inventory and indirect/transitive dependencies are listed as dependencies. Otherwise this cannot be fixed afterwards. Hence, this issue is related to #122

Screenshots
n.a.

Context (OS, Browser, Device, etc.):
n.a.
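As an added example, not code from the issue or from DejaCode, a small checker for the symptom described above: it reads a CycloneDX 1.6 JSON SBOM, classifies each component as a direct or transitive dependency relative to the product's bom-ref, and flags a graph where every package hangs directly off the product with no package declaring its own "dependsOn" edges. The two sample SBOMs and their PURLs are constructed placeholders.

```python
"""Classify CycloneDX components as direct or transitive dependencies of the
product and flag the flattened graph described in the issue."""
import json

# Constructed placeholders, not real packages.
PRODUCT = "pkg:generic/product@1.0.0"
DIRECT = "pkg:pypi/direct-lib@2.0.0"
TRANSITIVE = "pkg:pypi/transitive-lib@0.9.0"

def _sbom(dependencies):
    """Build a minimal CycloneDX 1.6 JSON document around a dependency list."""
    return json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.6",
        "metadata": {"component": {"type": "application", "bom-ref": PRODUCT}},
        "components": [{"type": "library", "bom-ref": DIRECT},
                       {"type": "library", "bom-ref": TRANSITIVE}],
        "dependencies": dependencies,
    })

# Shape the issue reports: the product dependsOn every package, no package has edges.
FLATTENED_SBOM = _sbom([{"ref": PRODUCT, "dependsOn": [DIRECT, TRANSITIVE]},
                        {"ref": DIRECT, "dependsOn": []},
                        {"ref": TRANSITIVE, "dependsOn": []}])
# Expected shape: transitive-lib hangs off direct-lib, not off the product.
NESTED_SBOM = _sbom([{"ref": PRODUCT, "dependsOn": [DIRECT]},
                     {"ref": DIRECT, "dependsOn": [TRANSITIVE]},
                     {"ref": TRANSITIVE, "dependsOn": []}])

def classify_components(sbom_json):
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    # Adjacency list from the "dependencies" array; a missing entry means no edges.
    graph = {d["ref"]: set(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    direct = graph.get(root, set()) & refs
    # Walk from the direct dependencies to collect everything reachable below them.
    reachable, stack = set(), list(direct)
    while stack:
        node = stack.pop()
        for child in graph.get(node, set()) - reachable:
            reachable.add(child)
            stack.append(child)
    transitive = (reachable - direct) & refs
    unreached = refs - direct - reachable  # listed, but never linked to the product
    # The issue's symptom: the product lists every component and no component has edges.
    flattened = direct == refs and not any(graph.get(r) for r in refs)
    return {"direct": direct, "transitive": transitive,
            "unreached": unreached, "flattened": flattened}
```

Running it on an exported SBOM with "flattened" reported as True means the dependency tree was lost on export and the file should not be relied on to tell direct from transitive responsibility.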

Labels: bug (Something isn't working), design needed (Design details needed to complete the issue), enhancement (New feature or request)