Prefer bom-link format for ml profile

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Nov 12, 2024 · bfd5581 · bfd5581
1 parent ccdbfa3
commit bfd5581
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 5 deletions.
diff --git a/lib/stages/postgen/postgen.js b/lib/stages/postgen/postgen.js
@@ -302,14 +302,22 @@ export function annotate(bomJson, options) {
   if (!cdxgenAnnotator.length) {
     return bomJson;
   }
-  const requiresContextTrimming = ["machine-learning", "ml"].includes(
+  const requiresContextTuning = ["machine-learning", "ml"].includes(
     options?.profile,
   );
+  // Construct the bom-link prefix to use for context tuning
+  const bomLinkPrefix = `${bomJson.serialNumber}/${bomJson.version}/`;
   const metadataAnnotations = textualMetadata(bomJson);
-  if (metadataAnnotations && bomJson.metadata?.component?.["bom-ref"]) {
+  let parentBomRef;
+  if (requiresContextTuning && bomJson.metadata?.component?.["bom-ref"]) {
+    bomJson.metadata.component["bom-ref"] =
+      `${bomLinkPrefix}${bomJson.metadata.component["bom-ref"]}`;
+    parentBomRef = bomJson.metadata.component["bom-ref"];
+  }
+  if (metadataAnnotations && parentBomRef) {
     bomAnnotations.push({
       "bom-ref": "metadata-annotations",
-      subjects: [bomJson.metadata.component["bom-ref"]],
+      subjects: [parentBomRef],
       annotator: {
         component: cdxgenAnnotator[0],
       },
@@ -324,10 +332,30 @@ export function annotate(bomJson, options) {
     if (tags?.length) {
       comp.tags = tags;
     }
-    if (requiresContextTrimming) {
+    if (requiresContextTuning) {
+      comp["bom-ref"] = `${bomLinkPrefix}${comp["bom-ref"]}`;
       comp.description = undefined;
       comp.properties = undefined;
     }
   }
+  // Problem: information such as the dependency tree are specific to an sbom
+  // To prevent the models from incorrectly learning about the trees, we automatically convert all bom-ref
+  // references to [bom-link](https://cyclonedx.org/capabilities/bomlink/) format
+  if (requiresContextTuning && bomJson?.dependencies?.length) {
+    const newDeps = [];
+    for (const dep of bomJson.dependencies) {
+      const newRef = `${bomLinkPrefix}${dep.ref}`;
+      const newDependsOn = [];
+      for (const adon of dep.dependsOn) {
+        newDependsOn.push(`${bomLinkPrefix}${adon}`);
+      }
+      newDeps.push({
+        ref: newRef,
+        dependsOn: newDependsOn.sort(),
+      });
+    }
+    // Overwrite the dependencies
+    bomJson.dependencies = newDeps;
+  }
   return bomJson;
 }
diff --git a/types/lib/stages/postgen/postgen.d.ts.map b/types/lib/stages/postgen/postgen.d.ts.map