
Conversation


@Khubajsn Khubajsn commented Nov 30, 2025

Problem Statement

When cdxgen parses conan.lock files, the resultant document's /dependencies section is left empty. This pull request adjusts processing of conan.lock files (produced by Conan v1) so that:

  • dependencies between packages from conan.lock are translated to dependencies between components in the resultant SBOM file
  • root-level dependencies specified in the Conanfile (from which the conan.lock was generated) are translated to dependencies of the automatically created parent component

Sample Output Diff

SBOM for conan.lock based on Conanfile with 3 installed packages

[screenshot: side-by-side diff of the generated SBOM before and after this change]

Summary of Changes

  1. The function parseConanLockData in lib/helpers/utils.js now returns an object of return values instead of just the package list (done in a similar way to how other package managers seem to be handled in the same file).
  2. The execution path for processing of Conan v1 lock files is extended to:
    • in the existing/first pass through the lock file, prepare a translation map for node keys to corresponding bom-ref
    • perform a second pass once the mapping is complete to establish dependencies between components whose bom-ref is known, or for the parent component, which always has a node key of "0" and which cannot be translated to a pURL
    • also report dependencies based on build_requires attribute of lock nodes, in addition to just requires
  3. The function createCppBom in lib/cli/index.js is updated to accept the new return type of parseConanLockData and to pipe the new outputs into the generated BOM file.
  4. Existing tests for parseConanLockData are updated for the new return type and for the new information extracted from the existing test files.
  5. The existing test "parse conan data" is extended with two new test data files.
    • conan-v1-for-reference.lock was created by running conan lock create --reference and demonstrates a lock file where all packages can be translated to a component with Conan pURL
    • conan-v1-with-nested-deps.lock was created by running conan lock create on a Conanfile with three root packages and demonstrates a lock file where the component "0" cannot be translated to a component with Conan pURL and its dependency nodes are therefore propagated to the parent component
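The two-pass scheme described in the summary above, as an added worked example. This is illustrative code written for this page, not cdxgen's own parseConanLockData; the lock layout under graph_lock.nodes, the conan pURL shape (pkg:conan/name@version with user/channel qualifiers), the parentRef argument, the root-detection rule for lock files created with --reference, and both sample lock files are assumptions and constructed data, not taken from the PR.

```javascript
// Added example (not cdxgen code): two-pass translation of a Conan v1 lock
// file into a component list plus a CycloneDX-style dependency list.
// Assumptions: graph_lock.nodes layout, conan pURL shape, parentRef argument.

// Conan v1 reference: "<name>/<version>[@<user>/<channel>][#<rrev>]".
// The recipe revision is captured but not put into the pURL (assumption).
function parseConanRef(ref) {
  const m = /^([^/@#]+)\/([^@#]+)(?:@([^/#]+)\/([^#]+))?(?:#([^#]+))?$/.exec(ref || "");
  if (!m) return null;
  const [, name, version, user, channel, rrev] = m;
  return { name, version, user, channel, rrev };
}

// pkg:conan/<name>@<version>[?user=..&channel=..] (conan pURL type).
function toConanPurl({ name, version, user, channel }) {
  const qualifiers = [];
  if (user) qualifiers.push(`user=${user}`);
  if (channel) qualifiers.push(`channel=${channel}`);
  const base = `pkg:conan/${name}@${version}`;
  return qualifiers.length ? `${base}?${qualifiers.join("&")}` : base;
}

// Returns { pkgList, dependenciesList }; dependenciesList holds one
// { ref, dependsOn } entry per bom-ref, including one for parentRef.
function parseConanLockData(lockText, parentRef) {
  const lock = JSON.parse(lockText);
  const nodes = (lock.graph_lock && lock.graph_lock.nodes) || {};
  const pkgList = [];
  const keyToRef = new Map(); // lock node key -> bom-ref

  // Pass 1: every node with a parsable ref becomes a component; a node
  // without one (the consumer conanfile, key "0" in practice) maps to the
  // parent component, since it has no pURL of its own.
  for (const [key, node] of Object.entries(nodes)) {
    const parsed = parseConanRef(node.ref);
    if (!parsed) {
      keyToRef.set(key, parentRef);
      continue;
    }
    const purl = toConanPurl(parsed);
    keyToRef.set(key, purl);
    pkgList.push({ name: parsed.name, version: parsed.version, purl, "bom-ref": purl });
  }

  // Pass 2: only now is every key translatable, so requires and
  // build_requires edges can be resolved. Dangling keys and self-edges are
  // dropped rather than emitted as unknown bom-refs.
  const dependsOn = new Map([[parentRef, new Set()]]);
  for (const ref of keyToRef.values()) {
    if (!dependsOn.has(ref)) dependsOn.set(ref, new Set());
  }
  const requiredByOther = new Set();
  for (const [key, node] of Object.entries(nodes)) {
    const from = keyToRef.get(key);
    const edges = [...(node.requires || []), ...(node.build_requires || [])];
    for (const depKey of edges) {
      const to = keyToRef.get(String(depKey));
      if (!to || to === from) continue;
      dependsOn.get(from).add(to);
      requiredByOther.add(to);
    }
  }
  // Assumption: components nothing else requires (e.g. node "0" of a lock made
  // with `conan lock create --reference`) are roots and hang off the parent.
  for (const pkg of pkgList) {
    if (!requiredByOther.has(pkg.purl)) dependsOn.get(parentRef).add(pkg.purl);
  }
  const dependenciesList = [...dependsOn].map(([ref, deps]) => ({ ref, dependsOn: [...deps].sort() }));
  return { pkgList, dependenciesList };
}

// Constructed sample (not a real lock file): a conanfile.txt consumer
// (node "0", no ref) with two requires and one build_requires.
const SAMPLE_LOCK_NESTED = JSON.stringify({
  graph_lock: {
    nodes: {
      "0": { path: "conanfile.txt", requires: ["1", "2"], build_requires: ["3"], context: "host" },
      "1": { ref: "openssl/3.1.4#a1b2c3", requires: ["4"], context: "host" },
      "2": { ref: "fmt/10.2.1#d4e5f6", context: "host" },
      "3": { ref: "cmake/3.27.7@user/channel#0", context: "build" },
      "4": { ref: "zlib/1.3.1#0f1e2d", context: "host" },
    },
    revisions_enabled: true,
  },
  version: "0.4",
});

// Constructed sample in the `--reference` style: node "0" is itself a package.
const SAMPLE_LOCK_FOR_REFERENCE = JSON.stringify({
  graph_lock: {
    nodes: {
      "0": { ref: "openssl/3.1.4#a1b2c3", requires: ["1"], context: "host" },
      "1": { ref: "zlib/1.3.1#0f1e2d", context: "host" },
    },
    revisions_enabled: true,
  },
  version: "0.4",
});

// dependsOn list for one bom-ref, or null if the ref is absent.
function dependsOnOf(result, ref) {
  const entry = result.dependenciesList.find((d) => d.ref === ref);
  return entry ? entry.dependsOn : null;
}

const PARENT_REF = "pkg:generic/myapp@0.1.0"; // assumed parent bom-ref for the demo
const nested = parseConanLockData(SAMPLE_LOCK_NESTED, PARENT_REF);
console.log(JSON.stringify(nested.dependenciesList, null, 2));
```

The second pass is what makes the nested case work: node "1" requires "4" before "4" has been visited, so edges can only be resolved once the key map is complete. Every component gets a dependencies entry even when its dependsOn is empty, which is what consumers of a CycloneDX dependency graph expect.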

@Khubajsn Khubajsn requested a review from prabhu as a code owner November 30, 2025 20:24

Khubajsn commented Dec 1, 2025

I realized I forgot to commit the re-generated type and type map files. However, it seems to me that the master types may not be completely up to date? I suppose I could commit the target state of my branch, but I'm not sure whether that would break something else.


prabhu commented Dec 1, 2025

Thank you @Khubajsn for the PR! Looks very good! Do not worry about the types and map files. Happy to regenerate them once the environment looks stable.

@prabhu prabhu merged commit 05290e0 into CycloneDX:master Dec 2, 2025
71 checks passed