feat: add modelcar main component under components

Containerfile

@@ -20,13 +20,13 @@ RUN pip install --no-cache-dir --upgrade poetry==2.1.2
 ENV POETRY_VIRTUALENVS_IN_PROJECT=true
 
 # Install the package dependencies via Poetry
-RUN poetry install --no-root
+RUN poetry install --no-root --without dev
 
 # Copy the application code into the container
 COPY src/mobster /app/src/mobster
 
 # Install the package
-RUN poetry install
+RUN poetry install --without dev
 
 # Use Red Hat UBI 9 Python base image for the runtime
 FROM registry.access.redhat.com/ubi9/python-312@sha256:e80ff3673c95b91f0dafdbe97afb261eab8244d7fd8b47e20ffcbcfee27fb168

src/mobster/cmd/generate/modelcar.py

@@ -93,6 +93,7 @@ async def to_cyclonedx(self, modelcar: Image, base: Image, model: Image) -> Any:
         # Add the base and model components to the BOM
         document.components.add(base_component)
         document.components.add(model_component)
+        document.components.add(root_component)
 
         # Add the dependencies between the root, base, and model components
         document.dependencies.add(

tests/cmd/generate/test_modelcar.py

@@ -1,6 +1,7 @@
 import json
 import pathlib
 import tempfile
+from typing import Any
 from unittest.mock import MagicMock
 
 import pytest
@@ -73,5 +74,22 @@ async def test_generate_modelcar_sbom(
                 result["metadata"]["timestamp"] = expected_output["metadata"][
                     "timestamp"
                 ]
+                root_bom_ref = result["metadata"]["component"]["bom-ref"]
+                patch_bom_ref(
+                    result,
+                    root_bom_ref,
+                    expected_output["metadata"]["component"]["bom-ref"],
+                )
 
             assert result == expected_output
+
+
+def patch_bom_ref(document: Any, old: str, new: str) -> Any:
+    document["metadata"]["component"]["bom-ref"] = new
+    for component in document["components"]:
+        if component["bom-ref"] == old:
+            component["bom-ref"] = new
+    for dependency in document["dependencies"]:
+        if dependency["ref"] == old:
+            dependency["ref"] = new
+    return document

tests/data/modelcar_sbom.cyclonedx.json

@@ -25,6 +25,19 @@
       "purl": "pkg:oci/model@sha256:087dc7896b97911a582702b45ff1d41ffa3e142d0b000b0fbb11058188293cfc?repository_url=quay.io/example/model",
       "type": "container",
       "version": "v1"
+    },
+    {
+      "bom-ref": "BomRef.modelcar-665ffa505e404dbd7df8918346c1c47bf75f67b8a530f9aa19a89dfc93068c06",
+      "hashes": [
+        {
+          "alg": "SHA-256",
+          "content": "cc6016b62f25d56507033c48b04517ba40b3490b1e9b01f1c485371311ed42c4"
+        }
+      ],
+      "name": "modelcar",
+      "purl": "pkg:oci/modelcar@sha256:cc6016b62f25d56507033c48b04517ba40b3490b1e9b01f1c485371311ed42c4?repository_url=quay.io/example/modelcar",
+      "type": "container",
+      "version": "v22"
     }
   ],
   "dependencies": [