Merge branch 'main' into copilot/fix-1093

JoseRenan · web-flow · commit 09bf8fdf63f7 · 2025-07-16T10:04:36.000-07:00
diff --git a/src/Microsoft.Sbom.Api/Hashing/Algorithms/Sha1HashAlgorithm.cs b/src/Microsoft.Sbom.Api/Hashing/Algorithms/Sha1HashAlgorithm.cs
@@ -12,5 +12,5 @@ namespace Microsoft.Sbom.Api.Hashing.Algorithms;
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally
 public class Sha1HashAlgorithm : IHashAlgorithm
 {
-    public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream);
+    public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
 }
diff --git a/src/Microsoft.Sbom.Contracts/Contracts/Enums/AlgorithmName.cs b/src/Microsoft.Sbom.Contracts/Contracts/Enums/AlgorithmName.cs
@@ -97,7 +97,7 @@ public static AlgorithmName FromString(string name)
     /// Gets equivalent to <see cref="HashAlgorithmName.SHA1"/>.
     /// </summary>
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally
-    public static AlgorithmName SHA1 => new AlgorithmName(nameof(SHA1), stream => System.Security.Cryptography.SHA1.Create().ComputeHash(stream));
+    public static AlgorithmName SHA1 => new AlgorithmName(nameof(SHA1), stream => System.Security.Cryptography.SHA1.Create().ComputeHash(stream)); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
 #pragma warning restore CA5350
 
     /// <summary>
diff --git a/src/Microsoft.Sbom.Extensions/MergeableContentExtensions.cs b/src/Microsoft.Sbom.Extensions/MergeableContentExtensions.cs
@@ -10,13 +10,100 @@ namespace Microsoft.Sbom.Extensions;
 
 public static class MergeableContentExtensions
 {
-    public static IEnumerable<SbomPackage> ToMergedPackages(this IEnumerable<MergeableContent> contents)
+    /// <summary>
+    /// Merges multiple <see cref="MergeableContent"/> instances into a distinct collection of <see cref="SbomPackage"/>
+    /// objects, including their transitive dependencies.
+    /// </summary>
+    public static IEnumerable<SbomPackage> ToMergedPackages(this IEnumerable<MergeableContent> mergeableContents)
     {
-        if (contents == null)
+        ArgumentNullException.ThrowIfNull(mergeableContents, nameof(mergeableContents));
+
+        var distinctPackages = mergeableContents.CollectDistinctPackages();
+
+        var distinctDependencies = mergeableContents.CollectDistinctDependencies(distinctPackages);
+
+        var packageCallersDictionary = BuildPackageCallersDictionary(distinctDependencies);
+
+        // Save the callers in the list of packages
+        UpdatePackageDependencies(distinctPackages, packageCallersDictionary);
+
+        return distinctPackages;
+    }
+
+    /// <summary>
+    /// Collect the distinct set of packages from all of the MergeableContent objects. In the future, this code
+    /// will also merge the package data, creating a single package that contains the most complete information
+    /// that is available to us. For now, it simply returns 1 package (the first we encounter) per unique Id.
+    /// </summary>
+    private static IEnumerable<SbomPackage> CollectDistinctPackages(this IEnumerable<MergeableContent> mergeableContents)
+    {
+        return mergeableContents
+            .SelectMany(c => c.Packages)
+            .GroupBy(p => p.Id)
+            .Select(g => g.First());
+    }
+
+    /// <summary>
+    /// Collect the distinct set of package relationships from all of the MergeableContent objects.
+    /// </summary>
+    private static IEnumerable<KeyValuePair<string, string>> CollectDistinctDependencies(
+        this IEnumerable<MergeableContent> mergeableContents, IEnumerable<SbomPackage> distinctPackages)
+    {
+        var dependencies = new List<KeyValuePair<string, string>>();
+        foreach (var mergeableContent in mergeableContents)
         {
-            throw new ArgumentNullException(nameof(contents));
+            dependencies.AddRange(mergeableContent.Relationships
+                .Select(r => new KeyValuePair<string, string>(r.SourceElementId, r.TargetElementId)));
         }
 
-        return contents.SelectMany(c => c.Packages).Distinct();
+        return dependencies.Distinct();
+    }
+
+    /// <summary>
+    /// Create a dictionary that maps each package ID to a set of the package IDs that depend on it.
+    /// </summary>
+    private static IReadOnlyDictionary<string, ISet<string>> BuildPackageCallersDictionary(IEnumerable<KeyValuePair<string, string>> uniqueDependencies)
+    {
+        var packageCallersDictionary = new Dictionary<string, ISet<string>>();
+
+        // Build the list of callers for each package.
+        foreach (var dependency in uniqueDependencies)
+        {
+            // Skip the root package reference, which needs to translate to a null entry in the dictionary.
+            // This constant is the same as Microsoft.Sbom.Api.Constants.SPDXRefRootPackage, but we get
+            // into a dependency cycle if we try to reference it from here.
+            if (dependency.Key == "SPDXRef-RootPackage")
+            {
+                continue;
+            }
+
+            if (!packageCallersDictionary.TryGetValue(dependency.Value, out var callers))
+            {
+                callers = new HashSet<string>();
+                packageCallersDictionary.Add(dependency.Value, callers);
+            }
+
+            callers.Add(dependency.Key);
+        }
+
+        return packageCallersDictionary;
+    }
+
+    /// <summary>
+    /// Apply the dependency mappings from the packageCallersDictionary to the distinctPackages.
+    /// </summary>
+    private static void UpdatePackageDependencies(IEnumerable<SbomPackage> distinctPackages, IReadOnlyDictionary<string, ISet<string>> packageCallersDictionary)
+    {
+        foreach (var package in distinctPackages)
+        {
+            if (packageCallersDictionary.TryGetValue(package.Id, out var callers))
+            {
+                package.DependOn = callers.ToList();
+            }
+            else
+            {
+                package.DependOn = null;
+            }
+        }
     }
 }
diff --git a/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Generator.cs b/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Generator.cs
@@ -8,6 +8,7 @@
 using System.Text;
 using System.Text.Json;
 using Microsoft.Sbom.Common;
+using Microsoft.Sbom.Common.Config;
 using Microsoft.Sbom.Common.Utils;
 using Microsoft.Sbom.Contracts;
 using Microsoft.Sbom.Contracts.Enums;
@@ -25,6 +26,8 @@ namespace Microsoft.Sbom.Parsers.Spdx22SbomParser;
 /// </summary>
 public class Generator : IManifestGenerator
 {
+    private readonly IConfiguration configuration;
+
     public AlgorithmName[] RequiredHashAlgorithms => new[] { AlgorithmName.SHA256, AlgorithmName.SHA1 };
 
     public string Version { get; set; } = string.Join("-", Constants.SPDXName, Constants.SPDXVersion);
@@ -37,6 +40,11 @@ public class Generator : IManifestGenerator
 
     public string ExternalDocumentRefArrayHeaderName => Constants.ExternalDocumentRefArrayHeaderName;
 
+    public Generator(IConfiguration configuration)
+    {
+        this.configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
+    }
+
     public GenerationResult GenerateJsonDocument(InternalSbomFileInfo fileInfo)
     {
         if (fileInfo is null)
@@ -161,7 +169,7 @@ public GenerationResult GenerateJsonDocument(SbomPackage packageInfo)
 
         var dependOnIds = (packageInfo.DependOn ?? Enumerable.Empty<string>())
                             .Where(id => id is not null)
-                            .Select(id => id == Constants.RootPackageIdValue ? id : CommonSPDXUtils.GenerateSpdxPackageId(id))
+                            .Select(id => ShouldWeKeepTheExistingId(id) ? id : CommonSPDXUtils.GenerateSpdxPackageId(id))
                             .ToList();
 
         return new GenerationResult
@@ -175,6 +183,19 @@ public GenerationResult GenerateJsonDocument(SbomPackage packageInfo)
         };
     }
 
+    private bool ShouldWeKeepTheExistingId(string spdxId)
+    {
+        switch (configuration.ManifestToolAction)
+        {
+            case ManifestToolActions.Aggregate:
+                return true;
+            case ManifestToolActions.Generate:
+                return spdxId.Equals(Constants.RootPackageIdValue, StringComparison.OrdinalIgnoreCase);
+        }
+
+        return false;
+    }
+
     public GenerationResult GenerateRootPackage(
         IInternalMetadataProvider internalMetadataProvider)
     {
@@ -338,7 +359,7 @@ private PackageVerificationCode GetPackageVerificationCode(IInternalMetadataProv
 
         var packageChecksumString = string.Concat(sha1Checksums.OrderBy(s => s));
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally
-        var sha1Hasher = SHA1.Create();
+        var sha1Hasher = SHA1.Create(); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
 #pragma warning restore CA5350
         var hashByteArray = sha1Hasher.ComputeHash(Encoding.Default.GetBytes(packageChecksumString));
 
diff --git a/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Utils/SPDXExtensions.cs b/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Utils/SPDXExtensions.cs
@@ -123,7 +123,7 @@ public static string AddExternalReferenceSpdxId(this SpdxExternalDocumentReferen
 
         if (checksums is null || !checksums.Any(c => c.Algorithm == AlgorithmName.SHA1))
         {
-            throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value.");
+            throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value."); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
         }
 
         // Get the SHA1 for this file.
diff --git a/src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Generator.cs b/src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Generator.cs
@@ -654,7 +654,7 @@ private PackageVerificationCode GetPackageVerificationCode(IInternalMetadataProv
 
         var packageChecksumString = string.Concat(sha1Checksums.OrderBy(s => s));
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally
-        var sha1Hasher = SHA1.Create();
+        var sha1Hasher = SHA1.Create(); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
 #pragma warning restore CA5350
         var hashByteArray = sha1Hasher.ComputeHash(Encoding.Default.GetBytes(packageChecksumString));
 
diff --git a/src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Utils/SPDXExtensions.cs b/src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Utils/SPDXExtensions.cs
@@ -72,7 +72,7 @@ public static string AddExternalSpdxId(this ExternalMap reference, string name,
         var sha1checksums = checksums.Where(c => c.Algorithm == AlgorithmName.SHA1);
         if (checksums is null || !sha1checksums.Any())
         {
-            throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value.");
+            throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value."); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
         }
 
         // Get the SHA1 for this file.
diff --git a/test/Microsoft.Sbom.Api.Tests/Workflows/SbomAggregationWorkflowTests.cs b/test/Microsoft.Sbom.Api.Tests/Workflows/SbomAggregationWorkflowTests.cs
@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft. All rights reserved.
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
+using System;
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
@@ -34,6 +35,8 @@ public class SbomAggregationWorkflowTests
     private const string PathToSpdx22ManifestForArtifactKey2 = ExternalManifestDir2 + RelativePathToSpdx22Manifest;
     private const string PathToSpdx30ManifestForArtifactKey2 = ExternalManifestDir2 + RelativePathToSpdx30Manifest;
     private const string TempDirPath = "temp-dir";
+    private const string PackageId1 = "package-id-1";
+    private const string PackageId2 = "package-id-2";
 
     private Mock<ILogger> loggerMock;
     private Mock<IRecorder> recorderMock;
@@ -50,6 +53,8 @@ public class SbomAggregationWorkflowTests
     private Mock<IMetadataBuilderFactory> metadataBuilderFactoryMock;
     private SbomAggregationWorkflow testSubject;
 
+    private List<SbomPackage> actualPackageList;
+
     private Dictionary<string, ArtifactInfo> artifactInfoMapStub = new Dictionary<string, ArtifactInfo>()
     {
         { ArtifactKey1, new ArtifactInfo() { IgnoreMissingFiles = true, SkipSigningCheck = true } },
@@ -92,6 +97,8 @@ public void BeforeEachTest()
             fileSystemUtilsMock.Object,
             metadataBuilderFactoryMock.Object,
             new[] { mergeableContent22ProviderMock.Object, mergeableContent30ProviderMock.Object });
+
+        actualPackageList = null;
     }
 
     [TestCleanup]
@@ -118,7 +125,9 @@ public async Task RunAsync_ReturnsFalseOnNoArtifactInfoMapInput()
             .Returns(new ConfigurationSetting<Dictionary<string, ArtifactInfo>>(new Dictionary<string, ArtifactInfo>()));
 
         var result = await testSubject.RunAsync();
+
         Assert.IsFalse(result);
+        Assert.IsNull(actualPackageList);
     }
 
     [TestMethod]
@@ -144,7 +153,9 @@ public async Task RunAsync_ReturnsFalseOnNoValidSpdxSbomsFound()
         }
 
         var result = await testSubject.RunAsync();
+
         Assert.IsFalse(result);
+        Assert.IsNull(actualPackageList);
     }
 
     [TestMethod]
@@ -182,16 +193,21 @@ public async Task RunAsync_ReturnsFalseOnOnlySpdx30SbomsFound()
         }
 
         var result = await testSubject.RunAsync();
+
         Assert.IsFalse(result);
+        Assert.IsNull(actualPackageList);
     }
 
     [TestMethod]
     public async Task RunAsync_ReturnsFalseOnFailedValidationWorkflow()
     {
         SetUpSbomsToValidate();
         SetUpMinimalValidation(false);
+
         var result = await testSubject.RunAsync();
+
         Assert.IsFalse(result);
+        Assert.IsNull(actualPackageList);
     }
 
     [TestMethod]
@@ -212,7 +228,9 @@ public async Task RunAsync_MixOfValidAndInvalidInputSboms()
         sbomValidationWorkflowMock1.Setup(x => x.RunAsync()).ReturnsAsync(false);
 
         var result = await testSubject.RunAsync();
+
         Assert.IsFalse(result);
+        Assert.IsNull(actualPackageList);
     }
 
     [TestMethod]
@@ -226,29 +244,70 @@ public async Task RunAsync_MinimalHappyPath_CallsGenerationWorkflow(bool expecte
         SetupMinimalMergeableContentProviderMocks();
 
         var result = await testSubject.RunAsync();
+
         Assert.AreEqual(expectedResult, result);
+        ValidateActualPackageList();
     }
 
     private void SetupMinimalMergeableContentProviderMocks()
     {
-        var minimalMergeableContent = new MergeableContent(
-            new List<SbomPackage> { new SbomPackage() }, Enumerable.Empty<SbomRelationship>());
+        // mergeableContent 1 has the root package that depends on PackageId1.
+        // mergeableContent 2 has the root package that depends on PackageId2, which in turn depends on PackageId1.
+        var minimalMergeableContent1 = new MergeableContent(
+            [
+                new SbomPackage { Id = PackageId1 }
+            ],
+            Enumerable.Empty<SbomRelationship>());
+        var minimalMergeableContent2 = new MergeableContent(
+            [
+                new SbomPackage { Id = PackageId1 },
+                new SbomPackage { Id = PackageId2 }
+            ],
+            [
+                new SbomRelationship
+                {
+                    SourceElementId = PackageId2,
+                    TargetElementId = PackageId1,
+                    RelationshipType = "DEPENDS_ON"
+                }
+            ]);
+
+        MergeableContent nullMergeableContent = null;
 
         mergeableContent22ProviderMock
-            .Setup(m => m.TryGetContent(PathToSpdx22ManifestForArtifactKey1, out minimalMergeableContent))
+            .Setup(m => m.TryGetContent(PathToSpdx22ManifestForArtifactKey1, out minimalMergeableContent1))
             .Returns(true);
         mergeableContent22ProviderMock
-            .Setup(m => m.TryGetContent(PathToSpdx22ManifestForArtifactKey2, out minimalMergeableContent))
+            .Setup(m => m.TryGetContent(PathToSpdx22ManifestForArtifactKey2, out minimalMergeableContent2))
             .Returns(true);
         mergeableContent30ProviderMock
-            .Setup(m => m.TryGetContent(PathToSpdx30ManifestForArtifactKey1, out minimalMergeableContent))
-            .Returns(true);
+            .Setup(m => m.TryGetContent(PathToSpdx30ManifestForArtifactKey1, out nullMergeableContent))
+            .Returns(false);
         mergeableContent30ProviderMock
-            .Setup(m => m.TryGetContent(PathToSpdx30ManifestForArtifactKey2, out minimalMergeableContent))
-            .Returns(true);
+            .Setup(m => m.TryGetContent(PathToSpdx30ManifestForArtifactKey2, out nullMergeableContent))
+            .Returns(false);
+
+        recorderMock.Setup(m => m.RecordAggregationSource(It.IsAny<string>(), 1, 0));  // minimalMergeableContent1
+        recorderMock.Setup(m => m.RecordAggregationSource(It.IsAny<string>(), 2, 1));  // minimalMergeableContent2
+    }
+
+    private void ValidateActualPackageList()
+    {
+        Assert.IsNotNull(actualPackageList);
+        Assert.AreEqual(2, actualPackageList.Count);
+
+        // Package order is not determined, so sort it to simplify our assertions.
+        actualPackageList.Sort((x, y) => string.Compare(x.Id, y.Id, StringComparison.Ordinal));
+
+        // PackageId1 should list PackageId2 in DependOn
+        Assert.AreEqual(PackageId1, actualPackageList[0].Id);
+        Assert.IsNotNull(actualPackageList[0].DependOn);
+        Assert.AreEqual(1, actualPackageList[0].DependOn.Count);
+        Assert.AreEqual(PackageId2, actualPackageList[0].DependOn[0]);
 
-        recorderMock.Setup(m => m.RecordAggregationSource(
-            It.IsAny<string>(), 1 /* package count */, 0 /* relationship count */));
+        // PackageId2 should have a null DependOn
+        Assert.AreEqual(PackageId2, actualPackageList[1].Id);
+        Assert.IsNull(actualPackageList[1].DependOn);
     }
 
     private void SetUpSbomsToValidate()
@@ -328,7 +387,8 @@ private void SetupMinimalGenerationMocks(bool expectedResult)
         configurationMock.SetupSet(m => m.BuildComponentPath = It.IsAny<ConfigurationSetting<string>>());
         configurationMock.SetupSet(m => m.BuildDropPath = It.IsAny<ConfigurationSetting<string>>());
         configurationMock.SetupSet(m => m.ManifestInfo = It.IsAny<ConfigurationSetting<IList<ManifestInfo>>>());
-        configurationMock.SetupSet(m => m.PackagesList = It.IsAny<ConfigurationSetting<IEnumerable<SbomPackage>>>());
+        configurationMock.SetupSet(m => m.PackagesList = It.IsAny<ConfigurationSetting<IEnumerable<SbomPackage>>>())
+            .Callback<ConfigurationSetting<IEnumerable<SbomPackage>>>(c => actualPackageList = c.Value.ToList());
 
         fileSystemUtilsMock.Setup(m => m.CreateDirectory(Path.Join(TempDirPath, "aggregated-build-drop"))).Returns<DirectoryInfo>(null);
 
diff --git a/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Parser/GeneratorTests.cs b/test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Parser/GeneratorTests.cs

Original file line number	Diff line number	Diff line change
`@@ -12,5 +12,5 @@ namespace Microsoft.Sbom.Api.Hashing.Algorithms;`
`12`	`12`	`#pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally`
`13`	`13`	`public class Sha1HashAlgorithm : IHashAlgorithm`
`14`	`14`	`{`
`15`		`- public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream);`
	`15`	`+ public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream); // CodeQL [SM02196] Sha1 is required per the SPDX spec.`
`16`	`16`	`}`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ public static string AddExternalReferenceSpdxId(this SpdxExternalDocumentReferen`
`123`	`123`
`124`	`124`	`if (checksums is null \|\| !checksums.Any(c => c.Algorithm == AlgorithmName.SHA1))`
`125`	`125`	`{`
`126`		`- throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value.");`
	`126`	`+ throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value."); // CodeQL [SM02196] Sha1 is required per the SPDX spec.`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`// Get the SHA1 for this file.`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ public static string AddExternalSpdxId(this ExternalMap reference, string name,`
`72`	`72`	`var sha1checksums = checksums.Where(c => c.Algorithm == AlgorithmName.SHA1);`
`73`	`73`	`if (checksums is null \|\| !sha1checksums.Any())`
`74`	`74`	`{`
`75`		`- throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value.");`
	`75`	`+ throw new MissingHashValueException($"The external reference {name} is missing the {HashAlgorithmName.SHA1} hash value."); // CodeQL [SM02196] Sha1 is required per the SPDX spec.`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`// Get the SHA1 for this file.`