* [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-10-07 17:40 UTC (permalink / raw)
To: buildroot; +Cc: Nevo Hed, Thomas Perale
From: Nevo Hed <nhed+github@starry.com>
Having mutables as default args has unexpected behaviors.
br2_parse_deps_recursively had a default arg `deps` initialized to the
empty list (`[]`) except that on subsequent calls from `main` deps would
already be populated from prior components.
---
utils/generate-cyclonedx | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 60983ac1ea..7d3ef57ab3 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
} for cve, components in cves.items()]
-def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
+def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=None):
"""Parse dependencies from the show-info output. This function will
recursively collect all dependencies, and return a list where each dependency
is stated at most once.
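Review bot: the docstring lines visible under the new signature do not say what `deps=None` means. A sentence stating that `deps` is the accumulator carried through the recursion, and that `None` starts a fresh list for each top-level call, would keep a later cleanup from putting a shared default back. A mutable-default lint rule (flake8-bugbear's B006, for example) would catch such a regression mechanically.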
@@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
Returns:
list: A list of dependencies of the 'ref' package.
"""
+ if deps is None:
+ deps = []
for dep in show_info_dict.get(ref, {}).get("dependencies", []):
if dep not in deps:
if virtual or show_info_dict.get(dep, {}).get("virtual") is False:
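Review bot: nothing in this patch protects the `if deps is None:` guard against regression, since the diffstat shows only utils/generate-cyclonedx changing. A small check that a package without a "dependencies" key still gets an empty list when it is processed after other components would cover it. The guard should also stay an identity test and not be shortened to `deps = deps or []`, because a caller that passes an empty list to be filled would then get a different list back.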
--
2.51.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-10-07 19:31 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale
Forgot to mention my reproduction details
$ python3 --version
Python 3.13.7
With attached `show-info` json
Before change:
$ utils/generate-cyclonedx < /tmp/test-show-info.json | jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",2]
["kmod",2]
["libarchive",4]
["libcap",4]
["libcurl",5]
["libgcrypt",6]
["libgpg-error",6]
["libopenssl",6]
["libxcrypt",6]
["libzlib",6]
["lzo",6]
["ncurses",6]
["pcre2",6]
["readline",7]
["skeleton-init-common",7]
["skeleton-init-systemd",8]
["socat",8]
["systemd",17]
["toolchain-external-custom",17]
["util-linux",19]
["util-linux-libs",19]
["vim",19]
["wget",20]
["which",20]
["xz",20]
After change:
$ utils/generate-cyclonedx < \
/tmp/test-show-info.json | \
jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",0]
["kmod",1]
["libarchive",4]
["libcap",0]
["libcurl",1]
["libgcrypt",1]
["libgpg-error",0]
["libopenssl",0]
["libxcrypt",0]
["libzlib",0]
["lzo",0]
["ncurses",0]
["pcre2",0]
["readline",1]
["skeleton-init-common",0]
["skeleton-init-systemd",1]
["socat",0]
["systemd",15]
["toolchain-external-custom",0]
["util-linux",18]
["util-linux-libs",1]
["vim",1]
["wget",19]
["which",0]
["xz",0]
On Tue, Oct 7, 2025 at 1:40 PM Nevo Hed <nhed+buildroot@starry.com> wrote:
> From: Nevo Hed <nhed+github@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 60983ac1ea..7d3ef57ab3 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each
> dependency
> is stated at most once.
> @@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict,
> virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is
> False:
> --
> 2.51.0
>
>
[-- Attachment #2: test-show-info.json --]
[-- Type: application/json, Size: 37337 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Perale via buildroot @ 2025-10-07 20:07 UTC (permalink / raw)
To: Nevo Hed; +Cc: Thomas Perale, buildroot, Nevo Hed
In reply to:
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
Hi, thanks for the bug fix!
Reviewed-by: Thomas Perale <thomas.perale@mind.be>
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 60983ac1ea..7d3ef57ab3 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each dependency
> is stated at most once.
> @@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is False:
> --
> 2.51.0
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Petazzoni via buildroot @ 2025-11-20 22:32 UTC (permalink / raw)
To: Nevo Hed via buildroot; +Cc: Nevo Hed, Nevo Hed, Thomas Perale
Hello Nevo,
On Tue, 7 Oct 2025 13:40:35 -0400
Nevo Hed via buildroot <buildroot@buildroot.org> wrote:
> From: Nevo Hed <nhed+github@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
Thanks for your patch! However in order to make it applicable, we need
you to add your Signed-off-by line.
Perhaps you could send a v2 of your patch with your Signed-off-by line
and the commit log extended with the reproduction details you shared as
a reply?
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-12-02 21:34 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: Nevo Hed via buildroot, Thomas Perale
Hi
Yeah sorry about that - I rarely contribute here and am very much in the
github pull-request mode
I will add that and try to reformat the v2
Just one question - do I include or drop the
`Reviewed-by: Thomas Perale <thomas.perale@mind.be>` line? (In my local repo
I had updated from the patchworks)?
Thanks
--Nevo
On Thu, Nov 20, 2025 at 5:32 PM Thomas Petazzoni <thomas.petazzoni@bootlin.com> wrote:
> Hello Nevo,
>
> On Tue, 7 Oct 2025 13:40:35 -0400
> Nevo Hed via buildroot <buildroot@buildroot.org> wrote:
>
> > From: Nevo Hed <nhed+github@starry.com>
> >
> > Having mutables as default args has unexpected behaviors.
> > br2_parse_deps_recursively had a default arg `deps` initialized to the
> > empty list (`[]`) except that on subsequent calls from `main` deps would
> > already be populated from prior components.
>
> Thanks for your patch! However in order to make it applicable, we need
> you to add your Signed-off-by line.
>
> Perhaps you could send a v2 of your patch with your Signed-off-by line
> and the commit log extended with the reproduction details you shared as
> a reply?
>
> Thanks a lot!
>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering and training
> https://bootlin.com
>
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Petazzoni via buildroot @ 2025-12-03 7:46 UTC (permalink / raw)
To: Nevo Hed; +Cc: Nevo Hed via buildroot, Thomas Perale
On Tue, 2 Dec 2025 16:34:55 -0500
Nevo Hed <nhed+buildroot@starry.com> wrote:
> Yeah sorry about that - I rarely contribute here and am very much in the
> github pull-request mode
No worries!
>
> I will add that and try to reformat the v2
>
> Just one question - do I include or drop the
> `Reviewed-by: Thomas Perale <thomas.perale@mind.be>` line? (In my local repo
> I had updated from the patchworks)?
If you got a reviewed-by, and didn't make any substantial change, yes,
please carry the reviewed-by in your next iteration.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [Buildroot] [PATCH v2 1/1] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-12-26 19:55 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
I sent an updated patch last night and am not seeing it in patchworks.
Not sure what I did wrong or if there are issues with patchworks (I did
experience non-responsiveness today).
On Thu, Dec 25, 2025 at 11:15 PM Nevo Hed <nhed@starry.com> wrote:
> From: Nevo Hed <nhed+buildroot@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
>
> Reproduction details:
>
> $ python3 --version
> Python 3.13.7
>
> Run this script which
> - Emits a very reduced set of a very theoretical `make show-info`.
> - Runs utils/generate-cyclonedx on that set as input.
> - Reduces the generate-cyclonedx output to pairs of component name
> and dependencies for that component.
>
> ---
> function dummy_json_input {
> echo '{
> "systemd": {
> "type": "target",
> "name": "systemd",
> "virtual": false,
> "version": "256.7",
> "dependencies": [
> "bzip2"
> ]
> },
> "bzip2": {
> "type": "target",
> "name": "bzip2",
> "virtual": false,
> "version": "1.0.8"
> },
> "util-linux": {
> "type": "target",
> "name": "util-linux",
> "virtual": false,
> "version": "2.40.2",
> "dependencies": [
> "systemd"
> ]
> }
> }'
> }
>
> dummy_json_input | \
> utils/generate-cyclonedx | \
> jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
> ---
>
> Output before change:
> ["buildroot",3]
> ["systemd",1]
> ["bzip2",1]
> ["util-linux",2]
>
> Output after change:
> ["buildroot",3]
> ["systemd",1]
> ["bzip2",0]
> ["util-linux",2]
>
> We can see in the "before" that the number of dependencies is
> monotonically increasing - specifically the bzip2 input is listed
> without dependencies but shows as having dependencies in the output.
> The "after" output shows 0 dependencies for that component.
>
> Reviewed-by: Thomas Perale <thomas.perale@mind.be>
> Signed-off-by: Nevo Hed <nhed+buildroot@starry.com>
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index a103b7b707..9d5451793d 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -337,7 +337,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each
> dependency
> is stated at most once.
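Review bot: in this quoted v2 copy the `-def` and `+def` lines are folded, leaving `deps=[]):` and `deps=None):` on lines of their own without a `-` or `+` marker, and the docstring context line is split the same way, so the hunk cannot be applied as quoted. Sending the patch with git send-email instead of a mail client that re-wraps long lines keeps each diff line intact.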
> @@ -357,6 +357,8 @@ def br2_parse_deps_recursively(ref, show_info_dict,
> virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is
> False:
> --
> 2.51.0
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
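The v2 reproduction, reduced to a self-contained Python sketch (an added example, not code from this thread or from Buildroot). It runs the pre-patch and post-patch signatures over the three-package input and adds a check for dependency edges the input does not support. All function names are hypothetical, and the append/recurse/return part of the walker is an assumption, since the patch shows only the loop header.

```python
# Added illustration, not Buildroot code; append/recurse/return are assumed.
# Constructed input: the reduced show-info from the v2 reproduction.
SHOW_INFO = {
    "systemd": {"virtual": False, "dependencies": ["bzip2"]},
    "bzip2": {"virtual": False},
    "util-linux": {"virtual": False, "dependencies": ["systemd"]},
}


def _collect(ref, info, virtual, deps):
    for dep in info.get(ref, {}).get("dependencies", []):
        if dep not in deps:
            if virtual or info.get(dep, {}).get("virtual") is False:
                deps.append(dep)
            _collect(dep, info, virtual, deps)
    return deps


def make_pre_patch():
    """Re-run `def` so each caller gets a walker with an unused default list."""
    def parse(ref, info, virtual=False, deps=[]):  # one list for every call
        return _collect(ref, info, virtual, deps)
    return parse


def post_patch(ref, info, virtual=False, deps=None):
    if deps is None:  # fresh accumulator per top-level call
        deps = []
    return _collect(ref, info, virtual, deps)


def dependson_counts(parse, info=SHOW_INFO):
    return {ref: len(parse(ref, info)) for ref in info}


def reachable(ref, info):
    """Ground truth: iterative transitive closure with no shared state."""
    seen, stack = set(), list(info.get(ref, {}).get("dependencies", []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(info.get(dep, {}).get("dependencies", []))
    return seen


def phantom_edges(parse, info=SHOW_INFO):
    """(component, dependency) pairs reported without support in the input."""
    return sorted((ref, dep) for ref in info
                  for dep in set(parse(ref, info)) - reachable(ref, info))


if __name__ == "__main__":
    for walker in (make_pre_patch, lambda: post_patch):
        print(dependson_counts(walker()), phantom_edges(walker()))
```

The counts match the per-package numbers in the v2 message (the top-level "buildroot" entry is not modelled), and the pre-patch walker reports bzip2 as a dependency of itself.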