[Buildroot] [PATCH] utils/generate-cyclonedx: fix monotonically increasing dependency list
Nevo Hed
nhed+buildroot at starry.com
Tue Oct 7 19:31:49 UTC 2025
Forgot to mention my reproduction details
$ python3 --version
Python 3.13.7
With attached `show-info` json
Before change:
$ utils/generate-cyclonedx < /tmp/test-show-info.json | jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",2]
["kmod",2]
["libarchive",4]
["libcap",4]
["libcurl",5]
["libgcrypt",6]
["libgpg-error",6]
["libopenssl",6]
["libxcrypt",6]
["libzlib",6]
["lzo",6]
["ncurses",6]
["pcre2",6]
["readline",7]
["skeleton-init-common",7]
["skeleton-init-systemd",8]
["socat",8]
["systemd",17]
["toolchain-external-custom",17]
["util-linux",19]
["util-linux-libs",19]
["vim",19]
["wget",20]
["which",20]
["xz",20]
After change:
$ utils/generate-cyclonedx < \
/tmp/test-show-info.json | \
jq -c '.dependencies[] | [.ref, (.dependsOn|length) ]'
["buildroot",28]
["bzip2",0]
["c-ares",0]
["elfutils",2]
["expat",0]
["kmod",1]
["libarchive",4]
["libcap",0]
["libcurl",1]
["libgcrypt",1]
["libgpg-error",0]
["libopenssl",0]
["libxcrypt",0]
["libzlib",0]
["lzo",0]
["ncurses",0]
["pcre2",0]
["readline",1]
["skeleton-init-common",0]
["skeleton-init-systemd",1]
["socat",0]
["systemd",15]
["toolchain-external-custom",0]
["util-linux",18]
["util-linux-libs",1]
["vim",1]
["wget",19]
["which",0]
["xz",0]
On Tue, Oct 7, 2025 at 1:40 PM Nevo Hed <nhed+buildroot at starry.com> wrote:
> From: Nevo Hed <nhed+github at starry.com>
>
> Having mutables as default args has unexpected behaviors.
> br2_parse_deps_recursively had a default arg `deps` initialized to the
> empty list (`[]`) except that on subsequent calls from `main` deps would
> already be populated from prior components.
> ---
> utils/generate-cyclonedx | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
> index 60983ac1ea..7d3ef57ab3 100755
> --- a/utils/generate-cyclonedx
> +++ b/utils/generate-cyclonedx
> @@ -238,7 +238,7 @@ def cyclonedx_vulnerabilities(show_info_dict):
> } for cve, components in cves.items()]
>
>
> -def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=[]):
> +def br2_parse_deps_recursively(ref, show_info_dict, virtual=False,
> deps=None):
> """Parse dependencies from the show-info output. This function will
> recursively collect all dependencies, and return a list where each
> dependency
> is stated at most once.
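Review bot: the docstring lines under the changed signature do not say that `deps` is the accumulator for the recursion and that a top-level caller is expected to leave it unset. With the default now `deps=None`, add that to the parameter's description (if the Args section outside this hunk does not already cover it), so that nobody passes in a list they mean to reuse between components.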
> @@ -258,6 +258,8 @@ def br2_parse_deps_recursively(ref, show_info_dict,
> virtual=False, deps=[]):
> Returns:
> list: A list of dependencies of the 'ref' package.
> """
> + if deps is None:
> + deps = []
> for dep in show_info_dict.get(ref, {}).get("dependencies", []):
> if dep not in deps:
> if virtual or show_info_dict.get(dep, {}).get("virtual") is
> False:
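Review bot: the `if deps is None:` guard right after the docstring removes the shared default, but the diffstat shows only utils/generate-cyclonedx changing, so nothing pins the new behaviour. A regression test that calls br2_parse_deps_recursively for two unrelated refs in a row and checks that the second result contains none of the first one's dependencies would keep the per-component dependsOn lists in the SBOM from silently growing again.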
> --
> 2.51.0
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-show-info.json
Type: application/json
Size: 37337 bytes
Desc: not available
URL: <http://lists.buildroot.org/pipermail/buildroot/attachments/20251007/47d34048/attachment-0001.json>
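The failure mode described in the quoted commit message, reproduced on a small constructed input (an added example, not code from the patch or from Buildroot). `collect_shared` and `collect_fresh` are hypothetical, reduced stand-ins for `br2_parse_deps_recursively` before and after the change; the `virtual` handling is left out and the append-and-recurse body is assumed, since the patch shows only the loop header.

```python
# Added example: reduced stand-ins for br2_parse_deps_recursively, not Buildroot code.
# The append-and-recurse body is an assumption; the patch shows only the loop header.

def collect_shared(ref, info, deps=[]):  # before: default list is created once, at def time
    for dep in info.get(ref, {}).get("dependencies", []):
        if dep not in deps:
            deps.append(dep)
            collect_shared(dep, info, deps)
    return deps


def collect_fresh(ref, info, deps=None):  # after: None sentinel, new list per top-level call
    if deps is None:
        deps = []
    for dep in info.get(ref, {}).get("dependencies", []):
        if dep not in deps:
            deps.append(dep)
            collect_fresh(dep, info, deps)
    return deps


# Constructed show-info-like input; the edges are illustrative, not real package data.
SHOW_INFO = {
    "bzip2": {"dependencies": []},
    "elfutils": {"dependencies": ["bzip2", "libzlib"]},
    "expat": {"dependencies": []},
    "kmod": {"dependencies": ["libzlib"]},
    "libcurl": {"dependencies": ["libopenssl"]},
    "libopenssl": {"dependencies": []},
    "libzlib": {"dependencies": []},
    "wget": {"dependencies": ["libcurl", "expat"]},
}


def depends_on_counts(collect, info):
    """Same view as the jq query in the mail: (ref, number of dependsOn entries)."""
    return [(ref, len(collect(ref, info))) for ref in sorted(info)]


def never_decreases(counts):
    """Symptom named in the subject line: counts only grow in processing order."""
    sizes = [n for _, n in counts]
    return all(a <= b for a, b in zip(sizes, sizes[1:]))


if __name__ == "__main__":
    for name, fn in (("before", collect_shared), ("after", collect_fresh)):
        counts = depends_on_counts(fn, SHOW_INFO)
        print(name, counts, "never decreases:", never_decreases(counts))
```

With the shared default, a component's list contains every dependency collected for components processed before it, so an SBOM consumer matching vulnerabilities through `dependsOn` would attribute them to packages that do not pull them in.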