You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[the] map file I have used, which AFAIK has all options turned on, only appears to produce this sort of 'Components Chart' in the https://cyclonedx.github.io/Sunshine/ tool. Whereas another product that we have, which is not written in Delphi has a 'Components Chart' that looks like this. Would this be from a 'Deep-Evidence build' and cannot be produced from a normal map file?
Sunshine (and other CycloneDX visualizers — Dependency-Track, OWASP-DT) renders charts from the `dependencies[]` graph. DX.Comply's writer currently emits a flat star: the root project component depends on every other component, with no edges between components themselves.
```pascal
// Root dependency (project depends on all components)
LDep := TJSONObject.Create;
LDep.AddPair('ref', AProjectBomRef);
LDependsOn := TJSONArray.Create;
for I := 0 to AArtefacts.Count - 1 do
LDependsOn.Add('comp-' + IntToStr(I));
LDep.AddPair('dependsOn', LDependsOn);
```
The SBOM's content is fine — every component has its evidence, classification, and hash. But the topology is trivial, which is why Sunshine renders one root with a dense fan-out and nothing else.
Quick-win (this issue): group by category
Use information that's already in the engine's memory — no new scanning needed:
Keep the root: `project → application(exe)`.
`application(exe) → runtime packages` (DPROJ `` is already parsed by `TProjectScanner`).
`application(exe) → linked units` (the existing fan-out, just re-rooted from the project to the exe).
That alone turns the chart from a uniform star into a four-arm grouping that conveys what kind of dependency each leaf is — without parsing anything new.
Out of scope here (separate issue follows)
True transitive Unit-→-Unit edges from uses-clause traversal. The `TUsesClauseParser` already exists in the codebase, so a fuller graph is feasible later, but the quick-win above gets most of the visual improvement first.
Acceptance criteria
`bom.json` carries three to four distinct `dependencies[]` entries per project, not a single big one.
Sunshine renders a grouped chart for the AlienInvasion fixture in `docs/examples/`.
Existing CycloneDX 1.5 schema validation continues to pass (`check-jsonschema`).
Regression test in `DX.Comply.Tests.CycloneDx.Writer.pas` that asserts at least two distinct `dependsOn` parents exist when runtime packages and external-refs are present.
Related
Follow-up issue for full uses-clause-driven graph: separate ticket.
Reporter @mvandere; would be good to share an updated screenshot once this lands so we can validate before closing.
Raised by: @mvandere on #31
Sunshine (and other CycloneDX visualizers — Dependency-Track, OWASP-DT) renders charts from the `dependencies[]` graph. DX.Comply's writer currently emits a flat star: the root project component depends on every other component, with no edges between components themselves.
See `src/DX.Comply.CycloneDx.Writer.pas` — `BuildDependencies`:
```pascal
// Root dependency (project depends on all components)
LDep := TJSONObject.Create;
LDep.AddPair('ref', AProjectBomRef);
LDependsOn := TJSONArray.Create;
for I := 0 to AArtefacts.Count - 1 do
LDependsOn.Add('comp-' + IntToStr(I));
LDep.AddPair('dependsOn', LDependsOn);
```
The SBOM's content is fine — every component has its evidence, classification, and hash. But the topology is trivial, which is why Sunshine renders one root with a dense fan-out and nothing else.
Quick-win (this issue): group by category
Use information that's already in the engine's memory — no new scanning needed:
That alone turns the chart from a uniform star into a four-arm grouping that conveys what kind of dependency each leaf is — without parsing anything new.
Out of scope here (separate issue follows)
True transitive Unit-→-Unit edges from uses-clause traversal. The `TUsesClauseParser` already exists in the codebase, so a fuller graph is feasible later, but the quick-win above gets most of the visual improvement first.
Acceptance criteria
Related