* [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-10-07 17:40 UTC (permalink / raw)
To: buildroot; +Cc: Nevo Hed, Thomas Perale
From: Nevo Hed <nhed+github@starry.com>
Having mutables as default args has unexpected behaviors.
br2_parse_deps_recursively had a default arg `deps` initialized to the
empty list (`[]`) except that on subsequent calls from `main` deps would
already be populated from prior components.
---
utils/generate-cyclonedx | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 60983ac1ea..7d3ef57ab3 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
} for cve, components in cves.items()]
-def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
+def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=None):
"""Parse dependencies from the show-info output. This function will
recursively collect all dependencies, and return a list where each dependency
is stated at most once.
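Review bot: on the changed `def` line, `deps=None` is the right default, but the docstring lines shown here do not say that `deps` is an accumulator the function fills in place, or that leaving it out now starts from an empty list on every call. Please state that in the docstring's entry for `deps`, so a caller who does pass a list knows it will be modified.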
@@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
Returns:
list: A list of dependencies of the 'ref' package.
"""
+ if deps is None:
+ deps = []
for dep in show_info_dict.get(ref, {}).get("dependencies", []):
if dep not in deps:
if virtual or show_info_dict.get(dep, {}).get("virtual") is False:
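Review bot: the `if deps is None:` guard has no test behind it, and the diffstat shows only utils/generate-cyclonedx changing. A regression test that calls br2_parse_deps_recursively twice without `deps` on a small show-info dict, and checks that the second result contains nothing from the first, would keep the shared default from coming back.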
--
2.51.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
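A check for the same defect elsewhere, as an added example (not part of this thread or of Buildroot): a small AST scan that reports function parameters whose default value is a mutable object, the pattern this patch removes from br2_parse_deps_recursively. The function names in the constructed sample and the set of mutable constructor names are assumptions.

```python
import ast

# Assumed set of constructor names whose call yields a mutable object.
MUTABLE_CALLS = {"list", "dict", "set", "bytearray", "defaultdict", "deque"}
MUTABLE_NODES = (ast.List, ast.Dict, ast.Set,
                 ast.ListComp, ast.DictComp, ast.SetComp)


def _is_mutable(node):
    """True if a default-value expression builds a mutable object."""
    if isinstance(node, MUTABLE_NODES):
        return True
    if isinstance(node, ast.Call):
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        return name in MUTABLE_CALLS
    return False


def find_mutable_defaults(source, filename="<src>"):
    """Return (function, parameter, line) for every mutable default."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        a = node.args
        positional = a.posonlyargs + a.args
        # Positional defaults align with the last len(defaults) parameters.
        pairs = list(zip(positional[len(positional) - len(a.defaults):], a.defaults))
        # kw_defaults holds None for keyword-only parameters without a default.
        pairs += [(p, d) for p, d in zip(a.kwonlyargs, a.kw_defaults) if d is not None]
        name = getattr(node, "name", "<lambda>")
        hits += [(name, p.arg, d.lineno) for p, d in pairs if _is_mutable(d)]
    return sorted(hits, key=lambda h: h[2])


# Constructed sample: the two signatures from the patch (bodies reduced to
# stubs, names hypothetical) plus a hypothetical keyword-only case.
SAMPLE = '''\
def before(ref, show_info_dict, virtual=False, deps=[]):
    return deps

def after(ref, show_info_dict, virtual=False, deps=None):
    if deps is None:
        deps = []
    return deps

def other(ref, *, seen=set(), cache=None):
    return seen
'''

if __name__ == "__main__":
    for func, param, line in find_mutable_defaults(SAMPLE):
        print(f"line {line}: {func}() parameter {param!r} has a mutable default")
```
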
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-10-07 19:31 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale
Forgot to mention my reproduction details
$ python3 --version
Python 3.13.7
With attached `show-info` json
Before change:
$ utils/generate-cyclonedx < /tmp/test-show-info.json | jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",2]
["kmod",2]
["libarchive",4]
["libcap",4]
["libcurl",5]
["libgcrypt",6]
["libgpg-error",6]
["libopenssl",6]
["libxcrypt",6]
["libzlib",6]
["lzo",6]
["ncurses",6]
["pcre2",6]
["readline",7]
["skeleton-init-common",7]
["skeleton-init-systemd",8]
["socat",8]
["systemd",17]
["toolchain-external-custom",17]
["util-linux",19]
["util-linux-libs",19]
["vim",19]
["wget",20]
["which",20]
["xz",20]
After change:
$ utils/generate-cyclonedx < \
/tmp/test-show-info.json | \
jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",0]
["kmod",1]
["libarchive",4]
["libcap",0]
["libcurl",1]
["libgcrypt",1]
["libgpg-error",0]
["libopenssl",0]
["libxcrypt",0]
["libzlib",0]
["lzo",0]
["ncurses",0]
["pcre2",0]
["readline",1]
["skeleton-init-common",0]
["skeleton-init-systemd",1]
["socat",0]
["systemd",15]
["toolchain-external-custom",0]
["util-linux",18]
["util-linux-libs",1]
["vim",1]
["wget",19]
["which",0]
["xz",0]
On Tue, Oct 7, 2025 at 1:40 PM Nevo Hed <nhed+buildroot@starry.com> wrote:
> From: Nevo Hed <nhed+github@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 60983ac1ea..7d3ef57ab3 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each
> dependency
> is stated at most once.
> @@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict,
> virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is
> False:
> --
> 2.51.0
>
>
[-- Attachment #2: test-show-info.json --]
[-- Type: application/json, Size: 37337 bytes --]
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Perale via buildroot @ 2025-10-07 20:07 UTC (permalink / raw)
To: Nevo Hed; +Cc: Thomas Perale, buildroot, Nevo Hed
In reply to:
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
Hi, thanks for the bug fix!
Reviewed-by: Thomas Perale <thomas.perale@mind.be>
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 60983ac1ea..7d3ef57ab3 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each dependency
> is stated at most once.
> @@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict, virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is False:
> --
> 2.51.0
>
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Petazzoni via buildroot @ 2025-11-20 22:32 UTC (permalink / raw)
To: Nevo Hed via buildroot; +Cc: Nevo Hed, Nevo Hed, Thomas Perale
Hello Nevo,
On Tue, 7 Oct 2025 13:40:35 -0400
Nevo Hed via buildroot <buildroot@buildroot.org> wrote:
> From: Nevo Hed <nhed+github@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
Thanks for your patch! However in order to make it applicable, we need
you to add your Signed-off-by line.
Perhaps you could send a v2 of your patch with your Signed-off-by line
and the commit log extended with the reproduction details you shared as
a reply?
Thanks a lot!
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-12-02 21:34 UTC (permalink / raw)
To: Thomas Petazzoni; +Cc: Nevo Hed via buildroot, Thomas Perale
Hi
Yeah sorry about that - I rarely contribute here and am very much in the
github pull-request mode
I will add that and try to reformat the v2
Just one question - do I include or drop the `Reviewed-by: Thomas Perale <
thomas.perale@mind.be>` line? (In my local repo I had updated from the
patchworks)?
Thanks
--Nevo
On Thu, Nov 20, 2025 at 5:32 PM Thomas Petazzoni <
thomas.petazzoni@bootlin.com> wrote:
> Hello Nevo,
>
> On Tue, 7 Oct 2025 13:40:35 -0400
> Nevo Hed via buildroot <buildroot@buildroot.org> wrote:
>
> > From: Nevo Hed <nhed+github@starry.com>
> >
> > Having mutables as default args has unexpected behaviors.
> > br2_parse_deps_recursively had a default arg `deps` initialized to the
> > empty list (`[]`) except that on subsequent calls from `main` deps would
> > already be populated from prior components.
>
> Thanks for your patch! However in order to make it applicable, we need
> you to add your Signed-off-by line.
>
> Perhaps you could send a v2 of your patch with your Signed-off-by line
> and the commit log extended with the reproduction details you shared as
> a reply?
>
> Thanks a lot!
>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering and training
> https://bootlin.com
>
* Re: [Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Thomas Petazzoni via buildroot @ 2025-12-03 7:46 UTC (permalink / raw)
To: Nevo Hed; +Cc: Nevo Hed via buildroot, Thomas Perale
On Tue, 2 Dec 2025 16:34:55 -0500
Nevo Hed <nhed+buildroot@starry.com> wrote:
> Yeah sorry about that - I rarely contribute here and am very much in the
> github pull-request mode
No worries!
>
> I will add that and try to reformat the v2
>
> Just one question - do I include or drop the `Reviewed-by: Thomas Perale <
> thomas.perale@mind.be>` line? (In my local repo I had updated from the
> patchworks)?
If you got a reviewed-by, and didn't make any substantial change, yes,
please carry the reviewed-by in your next iteration.
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
* Re: [Buildroot] [PATCH v2 1/1] utils/generate-cyclonedx: fix monotonically increasing dependency list
From: Nevo Hed via buildroot @ 2025-12-26 19:55 UTC (permalink / raw)
To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni
I sent an updated patch last night and am not seeing it in patchworks.
Not sure what I did wrong or if there are issues with patchworks (I did
experience non-responsiveness today)
On Thu, Dec 25, 2025 at 11:15 PM Nevo Hed <nhed@starry.com> wrote:
> From: Nevo Hed <nhed+buildroot@starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
>
> Reproduction details:
>
> $ python3 --version
> Python 3.13.7
>
> Run this script which
> - Emits a very reduced set of a very theoretical `make show-info`.
> - Runs utils/generate-cyclonedx on that set as input.
> - Reduces the generate-cyclonedx output to pairs of component name
> and dependencies for that component.
>
> ---
> function dummy_json_input {
> echo '{
> "systemd": {
> "type": "target",
> "name": "systemd",
> "virtual": false,
> "version": "256.7",
> "dependencies": [
> "bzip2"
> ]
> },
> "bzip2": {
> "type": "target",
> "name": "bzip2",
> "virtual": false,
> "version": "1.0.8"
> },
> "util-linux": {
> "type": "target",
> "name": "util-linux",
> "virtual": false,
> "version": "2.40.2",
> "dependencies": [
> "systemd"
> ]
> }
> }'
> }
>
> dummy_json_input | \
> utils/generate-cyclonedx | \
> jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
> ---
>
> Output before change:
> ["buildroot",3]
> ["systemd",1]
> ["bzip2",1]
> ["util-linux",2]
>
> Output after change:
> ["buildroot",3]
> ["systemd",1]
> ["bzip2",0]
> ["util-linux",2]
>
> We can see in the "before" that the number of dependencies is
> monotonically increasing - specifically the bzip2 input is listed
> without dependencies but shows as having dependencies in the output.
> The "after" output shows 0 dependencies for that component.
>
> Reviewed-by: Thomas Perale <thomas.perale@mind.be>
> Signed-off-by: Nevo Hed <nhed+buildroot@starry.com>
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index a103b7b707..9d5451793d 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -337,7 +337,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each
> dependency
> is stated at most once.
> @@ -357,6 +357,8 @@ def br2_parse_deps_recursively(ref, show_info_dict,
> virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is
> False:
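Review bot: the bare `---` lines that fence the reproduction script in the commit log above this diff will be taken by git am as the end of the log, so everything after the first one, including the Reviewed-by and Signed-off-by trailers, is dropped from the commit. Indent the script or use another delimiter, leaving the `---` before the diffstat as the only one.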
> --
> 2.51.0
>
>