Make POM.xml transitive dependency extractions a graph

PiperOrigin-RevId: 921774138

Author: rpbeltran

binary/proto/inventory_test.go

@@ -116,6 +116,8 @@ func TestInventoryToProto(t *testing.T) {
 			opts = []cmp.Option{
 				protocmp.Transform(),
 				cmpopts.IgnoreFields(extractor.LayerMetadata{}, "ParentContainer"),
+				cmpopts.IgnoreFields(extractor.Package{}, "ParentIDs"),
+				cmpopts.IgnoreFields(extractor.Package{}, "ID"),
 			}
 			if diff := cmp.Diff(tc.inv, gotInv, opts...); diff != "" {
 				t.Errorf("InventoryToStruct(%v) returned diff (-want +got):\n%s", gotInv, diff)
@@ -253,6 +255,8 @@ func TestInventoryToStruct(t *testing.T) {
 			opts := []cmp.Option{
 				protocmp.Transform(),
 				cmpopts.IgnoreFields(extractor.LayerMetadata{}, "ParentContainer"),
+				cmpopts.IgnoreFields(extractor.Package{}, "ParentIDs"),
+				cmpopts.IgnoreFields(extractor.Package{}, "ID"),
 				cmpopts.EquateEmpty(),
 			}
 			if diff := cmp.Diff(tc.want, got, opts...); diff != "" {
@@ -304,8 +308,10 @@ func TestInventoryToStructInvalidPkgVuln(t *testing.T) {
 				PackageVulns: []*pb.PackageVuln{{PackageId: "pkg"}},
 			},
 			want: &inventory.Inventory{
-				Packages:     []*extractor.Package{{Name: "pkg1"}, {Name: "pkg2"}},
-				PackageVulns: []*inventory.PackageVuln{{Package: &extractor.Package{Name: "pkg1"}}},
+				Packages: []*extractor.Package{
+					{Name: "pkg1", ID: "pkg"},
+					{Name: "pkg2", ID: "pkg"}},
+				PackageVulns: []*inventory.PackageVuln{{Package: &extractor.Package{Name: "pkg1", ID: "pkg"}}},
 			},
 		},
 		{
@@ -320,7 +326,7 @@ func TestInventoryToStructInvalidPkgVuln(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.desc, func(t *testing.T) {
 			got := proto.InventoryToStruct(tc.inv)
-			if diff := cmp.Diff(tc.want, got, cmpopts.IgnoreFields(extractor.LayerMetadata{}, "ParentContainer"), protocmp.Transform()); diff != "" {
+			if diff := cmp.Diff(tc.want, got, cmpopts.IgnoreFields(extractor.LayerMetadata{}, "ParentContainer"), cmpopts.IgnoreFields(extractor.Package{}, "ParentIDs"), protocmp.Transform()); diff != "" {
 				t.Fatalf("InventoryToStruct(%v) returned diff (-want +got):\n%s", tc.inv, diff)
 			}
 		})

binary/proto/package.go

@@ -16,6 +16,7 @@ package proto
 
 import (
 	"fmt"
+	"sort"
 
 	"github.com/google/osv-scalibr/binary/proto/metadata"
 	"github.com/google/osv-scalibr/converter"
@@ -25,7 +26,6 @@ import (
 	"github.com/google/osv-scalibr/log"
 	"github.com/google/osv-scalibr/purl"
 	"github.com/google/osv-scalibr/purl/purlproto"
-	"github.com/google/uuid"
 	"google.golang.org/protobuf/reflect/protoreflect"
 
 	spb "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto"
@@ -65,13 +65,20 @@ func PackageToProto(pkg *extractor.Package) (*spb.Package, error) {
 		}
 	}
 
-	id, err := uuid.NewRandom()
+	id, err := pkg.GetIDOrGenerate(&extractor.RandomIDGenerator{})
 	if err != nil {
-		return nil, fmt.Errorf("failed to generate UUID for %q package %q version %q: %w", pkg.Ecosystem().String(), pkg.Name, pkg.Version, err)
+		return nil, err
+	}
+
+	var parentIDs []string
+	for parent := range pkg.ParentIDs {
+		parentIDs = append(parentIDs, parent)
 	}
+	sort.Strings(parentIDs)
 
 	packageProto := &spb.Package{
-		Id:         id.String(),
+		Id:         id,
+		ParentIds:  parentIDs,
 		Name:       pkg.Name,
 		Version:    pkg.Version,
 		SourceCode: sourceCodeIdentifierToProto(pkg.SourceCode),
@@ -194,8 +201,16 @@ func PackageToStruct(pkgProto *spb.Package) (*extractor.Package, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	parentIDs := make(map[string]bool)
+	for _, id := range pkgProto.GetParentIds() {
+		parentIDs[id] = true
+	}
+
 	pkg := &extractor.Package{
 		Name:                  pkgProto.GetName(),
+		ID:                    pkgProto.GetId(),
+		ParentIDs:             parentIDs,
 		Version:               pkgProto.GetVersion(),
 		SourceCode:            sourceCodeIdentifierToStruct(pkgProto.GetSourceCode()),
 		Location:              packageLocationToStruct(pkgProto.GetLocation()),

binary/proto/package_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/osv-scalibr/binary/proto"
 	"github.com/google/osv-scalibr/extractor"
+	"github.com/google/osv-scalibr/purl"
 	"google.golang.org/protobuf/testing/protocmp"
 
 	spb "github.com/google/osv-scalibr/binary/proto/scan_result_go_proto"
@@ -33,6 +34,34 @@ var (
 	}
 )
 
+func exampleTransitiveDependencyPackage() *extractor.Package {
+	return &extractor.Package{
+		Name:      "transitive_package",
+		ParentIDs: map[string]bool{"parent_1": true, "parent_2": true},
+		Version:   "1.0.0",
+		PURLType:  purl.TypePyPi,
+		Location:  extractor.LocationFromPath("/file1"),
+		Plugins:   []string{"extractor_name"},
+	}
+}
+
+func exampleTransitiveDependencyPackageProto() *spb.Package {
+	return &spb.Package{
+		Name:      "transitive_package",
+		Version:   "1.0.0",
+		Ecosystem: "PyPI",
+		Location:  pkgLocProtoFromPath("/file1"),
+		Plugins:   []string{"extractor_name"},
+		ParentIds: []string{"parent_1", "parent_2"},
+		Purl: &spb.Purl{
+			Purl:    "pkg:pypi/transitive-package@1.0.0",
+			Type:    "pypi",
+			Name:    "transitive-package",
+			Version: "1.0.0",
+		},
+	}
+}
+
 func TestPackageToProto(t *testing.T) {
 	testCases := []struct {
 		desc    string
@@ -50,6 +79,11 @@ func TestPackageToProto(t *testing.T) {
 			pkg:  PurlDPKGAnnotationPackage(),
 			want: PurlDPKGAnnotationPackageProto(t),
 		},
+		{
+			desc: "transitive_dependency",
+			pkg:  exampleTransitiveDependencyPackage(),
+			want: exampleTransitiveDependencyPackageProto(),
+		},
 	}
 
 	for _, tc := range testCases {
@@ -107,6 +141,11 @@ func TestPackageToStruct(t *testing.T) {
 			pkg:  PurlDPKGAnnotationPackageProto(t),
 			want: PurlDPKGAnnotationPackage(),
 		},
+		{
+			desc: "transitive_dependency",
+			pkg:  exampleTransitiveDependencyPackageProto(),
+			want: exampleTransitiveDependencyPackage(),
+		},
 	}
 
 	for _, tc := range testCases {

binary/proto/result_test.go

@@ -92,6 +92,7 @@ func PurlDPKGAnnotationPackage() *extractor.Package {
 			Justification:   vex.ComponentNotPresent,
 			MatchesAllVulns: true,
 		}},
+		ParentIDs: map[string]bool{},
 	}
 }
 
@@ -1668,6 +1669,10 @@ func TestScanResultToProtoAndBack(t *testing.T) {
 			}
 
 			gotInv := proto.InventoryToStruct(invProto)
+			// Ignore package ID fields because it is randomly generated.
+			for _, pkg := range gotInv.Packages {
+				pkg.ID = ""
+			}
 			if diff := cmp.Diff(tc.res.Inventory, *gotInv, opts...); diff != "" {
 				t.Errorf("proto.InventoryToStruct(%v) returned unexpected diff (-want +got):\n%s", invProto, diff)
 			}

binary/proto/scan_result.proto

@@ -170,6 +170,9 @@ message Package {
   }
 
   optional ContainerImageMetadataIndexes container_image_metadata_indexes = 57;
+
+  // The ID of the parent package, if this package is a transitive dependency.
+  repeated string parent_ids = 70;
 }
 
 // Paths or source of files related to an extracted package.

binary/proto/scan_result_go_proto/scan_result.pb.go

@@ -16,8 +16,10 @@
 package internal
 
 import (
+	"fmt"
 	"slices"
 
+	"deps.dev/util/resolve"
 	"github.com/google/osv-scalibr/extractor"
 	"github.com/google/osv-scalibr/inventory"
 	"github.com/google/osv-scalibr/log"
@@ -56,13 +58,69 @@ func Add(enrichedPkgs []*extractor.Package, inv *inventory.Inventory, pluginName
 	for _, pkg := range enrichedPkgs {
 		indexPkg, ok := existingPackages[pkg.Name]
 		if ok {
-			// This dependency is in manifest, update the version and plugins.
+			// This dependency is in manifest, update the version, plugins and parent IDs.
 			i := indexPkg.Index
 			inv.Packages[i].Version = pkg.Version
 			inv.Packages[i].Plugins = append(inv.Packages[i].Plugins, pluginName)
+
+			if len(pkg.ParentIDs) > 0 && inv.Packages[i].ParentIDs == nil {
+				inv.Packages[i].ParentIDs = make(map[string]bool)
+			}
+
+			for parentID := range pkg.ParentIDs {
+				inv.Packages[i].ParentIDs[parentID] = true
+			}
 		} else {
 			// This dependency is not found in manifest, so it's a transitive dependency.
 			inv.Packages = append(inv.Packages, pkg)
 		}
 	}
 }
+
+// GetNameToIDMapping returns a mapping of package name to package ID for a given list of packages
+// and a dependency graph. Known packages without IDs will have IDs added using the ID generator.
+func GetNameToIDMapping(g *resolve.Graph, packages []*extractor.Package, idGenerator extractor.IDGenerator) (map[string]string, error) {
+	nameToID := make(map[string]string)
+	for _, pkg := range packages {
+		id, err := pkg.RequireID(idGenerator)
+		if err != nil {
+			return nil, err
+		}
+		nameToID[pkg.Name] = id
+	}
+
+	for i := 1; i < len(g.Nodes); i++ {
+		node := g.Nodes[i]
+		if _, ok := nameToID[node.Version.Name]; !ok {
+			id, err := idGenerator.GenerateID(node.Version.Name)
+			if err != nil {
+				return nil, fmt.Errorf("failed to generate random UUID: %w", err)
+			}
+			nameToID[node.Version.Name] = id
+		}
+	}
+	return nameToID, nil
+}
+
+// GetParentIDs returns the set of parent IDs for a node in a dependency graph.
+func GetParentIDs(g *resolve.Graph, nameToID map[string]string, nodeID resolve.NodeID) (map[string]bool, error) {
+	parents := make(map[string]bool)
+	for _, edge := range g.Edges {
+		if edge.To == nodeID {
+			if int(edge.From) >= len(g.Nodes) {
+				return nil, fmt.Errorf("parent id %v is out of range for nodes (length %v)", edge.From, len(g.Nodes))
+			}
+			if edge.From == 0 {
+				parents["root"] = true
+				continue
+			}
+			parentPkgName := g.Nodes[edge.From].Version.Name
+			parentPkgID, ok := nameToID[parentPkgName]
+			if !ok {
+				return nil, fmt.Errorf("parent package %q not found in known packages", parentPkgName)
+			}
+			parents[parentPkgID] = true
+		}
+	}
+	return parents, nil
+}