From 716425ac2f02825c2cc098e28a42987d76d903f1 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 25 Dec 2025 10:12:59 +0200 Subject: [PATCH 1/2] Limit full tree size when converting from BOM --- utils/results/common.go | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index 6e049b3c..feeaefdc 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -33,6 +33,9 @@ const ( DirectDependencyPathLength = 2 nodeModules = "node_modules" + // MaxUniqueAppearances defines the maximum number of times a dependency can appear in a dependency tree. + MaxUniqueAppearances = 10 + // #LC-LC LocationIdTemplate = "%s#L%dC%d-L%dC%d" // Applicability properties for cdx @@ -1024,10 +1027,11 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc // No dependencies or components in the SBOM, return an empty slice return } + dependencyAppearances := map[string]int8{} for _, rootEntry := range cdxutils.GetRootDependenciesEntries(sbom, false) { // Create a new GraphNode with ref as the ID, when populating the tree we need to use the ref as the ID currentTree := &xrayUtils.GraphNode{Id: rootEntry.Ref} - populateDepsNodeDataFromBom(currentTree, sbom.Dependencies) + populateDepsNodeDataFromBom(currentTree, sbom.Dependencies, dependencyAppearances) fullDependencyTrees = append(fullDependencyTrees, currentTree) } // Translate refs to Purl/Xray IDs @@ -1037,9 +1041,10 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc return } -func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency) { - if node == nil || node.NodeHasLoop() { - // If the node is nil or has a loop, return +func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) { + dependencyAppearances[node.Id]++ + if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() { + // If the node is nil or has a loop or appeared too many times, stop the recursion return } for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) { @@ -1047,7 +1052,7 @@ func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cycl // Add the dependency to the current node node.Nodes = append(node.Nodes, depNode) // Recursively populate the node data - populateDepsNodeDataFromBom(depNode, dependencies) + populateDepsNodeDataFromBom(depNode, dependencies, dependencyAppearances) } } From 44b09e78fda69db7ecd02e5dc0d7b07670209157 Mon Sep 17 00:00:00 2001 From: attiasas Date: Thu, 25 Dec 2025 10:20:36 +0200 Subject: [PATCH 2/2] fix static --- utils/results/common.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/utils/results/common.go b/utils/results/common.go index feeaefdc..5cd34e72 100644 --- a/utils/results/common.go +++ b/utils/results/common.go @@ -1042,9 +1042,12 @@ func BomToFullTree(sbom *cyclonedx.BOM, convertToXrayCompId bool) (fullDependenc } func populateDepsNodeDataFromBom(node *xrayUtils.GraphNode, dependencies *[]cyclonedx.Dependency, dependencyAppearances map[string]int8) { + if node == nil { + return + } dependencyAppearances[node.Id]++ - if node == nil || dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() { - // If the node is nil or has a loop or appeared too many times, stop the recursion + if dependencyAppearances[node.Id] >= MaxUniqueAppearances || node.NodeHasLoop() { + // If the node has a loop or appeared too many times, stop the recursion return } for _, dep := range cdxutils.GetDirectDependencies(dependencies, node.Id) {