This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git


The following commit(s) were added to refs/heads/main by this push:
     new 9583176  fail with a useful error message if dependees lack bom-ref
9583176 is described below

commit 958317657da5fc50d1ba2a0c80e1245735095e75
Author: Stefan Bodewig <[email protected]>
AuthorDate: Fri May 15 13:39:19 2026 +0200

    fail with a useful error message if dependees lack bom-ref
---
 docs/component.html                              |  6 ++++++
 src/main/org/apache/ant/cyclonedx/Component.java |  3 +++
 src/tests/antunit/component-test.xml             | 12 ++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/docs/component.html b/docs/component.html
index e64e743..56654dd 100644
--- a/docs/component.html
+++ b/docs/component.html
@@ -247,6 +247,12 @@ <h4 id="dependency">dependency</h4>
 
     <p>Adds a dependency to the component.</p>
 
+    <p>Inside the SBOM both the dependee and the dependency side are
+      identified by their bom-ref. Therefore nested dependency children
+      are only allowed in components that provide a bom-ref - either via
+      an explicit <code>bomRef</code> attribute or an explicit r
+      calculated <code>purl</code>.</p>
+
     <h5>Attributes</h5>
 
     <table class="attr">
diff --git a/src/main/org/apache/ant/cyclonedx/Component.java 
b/src/main/org/apache/ant/cyclonedx/Component.java
index 1b14579..7a10ade 100644
--- a/src/main/org/apache/ant/cyclonedx/Component.java
+++ b/src/main/org/apache/ant/cyclonedx/Component.java
@@ -528,6 +528,9 @@ public class Component extends DataType {
         if (name == null) {
             throw new BuildException("component name is required");
         }
+        if (!dependencies.isEmpty() && getBomRef() == null) {
+            throw new BuildException("components without bomRef cannot have 
dependencies");
+        }
         if (manufacturerIsSupplier) {
             if (manufacturer == null) {
                 throw new BuildException("component without manufacturer can't 
use manufacturer as supplier");
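Review bot: The new BuildException on line 49 does not say which component failed, although `name` is already known to be non-null from the check just above it, so in a build with many components the message gives no way to locate the offending one. Consider `throw new BuildException("component " + name + " has dependencies but no bomRef");`, adjusting the expectedMessage in the antunit target accordingly. The docs hunk in this commit says a bom-ref can also come from an explicit or calculated purl, so if getBomRef() falls back to the purl (not visible here), the wording "without bomRef" may send users to the wrong attribute; naming both in the message would avoid that. The enclosing validation method starts before this hunk and continues after it.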
diff --git a/src/tests/antunit/component-test.xml 
b/src/tests/antunit/component-test.xml
index c5ddfe3..4952b97 100644
--- a/src/tests/antunit/component-test.xml
+++ b/src/tests/antunit/component-test.xml
@@ -553,4 +553,16 @@
     </au:expectfailure>
   </target>
 
+  <target name="testDependeesRequireABomRef">
+    <au:expectfailure expectedMessage="components without bomRef cannot have 
dependencies"
+        xmlns:au="antlib:org.apache.ant.antunit">
+      <cdx:componentbom outputdirectory="${output}" format="json"
+                        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+        <component name="foo">
+          <dependency bomRef="bar"/>
+        </component>
+      </cdx:componentbom>
+    </au:expectfailure>
+  </target>
+
 </project>
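Review bot: The new target only exercises the failure path; nothing in this commit pins the positive case the docs hunk promises, namely that a component whose bom-ref comes from a purl rather than an explicit bomRef accepts a nested dependency. A companion target with `<component name="foo" purl="…constructed…">` containing `<dependency bomRef="bar"/>` and no expectfailure would cover that, unless such a test already exists elsewhere in this file. The expectedMessage attribute duplicates the Java string literally, so any rewording of the exception must be mirrored here.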
