[capycli] Fix find_bom_item silently failing when filter has no Version key#224

Open
prajakta128 wants to merge 2 commits into
sw360:mainfrom
prajakta128:fix/filter-bom-name-only-match

Conversation

@prajakta128

Problem

find_bom_item silently returns None when a filter entry has a Name
but no Version key. This is a valid and common use case — a user wants
to find a component by name regardless of its version.

The bug causes add mode updates to silently fail: instead of updating
the existing component, a duplicate is added with no version.

Root Cause

The method uses filterentry.get("Version", "x") as a fallback, so when
Version is missing, it compares "x" against the real version string,
which never matches:

if filterentry.get("Name", "x") == component.name:
    if filterentry.get("Version", "x") == component.version:  # BUG
        return component

Fix

Changed the version check to only enforce version matching when the
Version key is actually present in the filter entry:

if filterentry.get("Name", "x") == component.name:
    if "Version" not in filterentry or filterentry["Version"] == component.version:
        return component

Test Added

Added test_find_bom_item_name_only in tests/test_bom_filter.py
covering the case where a filter entry has only Name and no Version key.

Impact

Any user writing a filter file with name-only entries (no Version) to
update components would silently get duplicate ghost components in their
SBOM with no error message shown.

@gernot-h

gernot-h commented Jun 12, 2026

Collaborator

Thank you again, @prajakta128 for this finding!

While the root cause fix looks good and adding a focused unit test for it is great, I would be even more interested in the user-facing problem you mention with creating duplicates. Would you mind creating a 2nd test case using the sut.run() or sut.filter_bom() pattern from the other TCs in the file to also verify that no such duplicates are created? I would really be interested in understanding the code flow here better.

@prajakta128

Author

@gernot-h Thanks for the detailed explanation! I've added a second test
case, test_filter_bom_add_name_only_no_duplicate, which uses the full
filter_bom() flow on the existing sw360 SBOM fixture.

It creates a filter entry with only "Name": "colorama" (no Version) and
"Sw360Id": "999", then runs filter_bom() and verifies:

  • the total component count stays the same (no duplicate created)
  • the existing colorama component now has the Sw360Id property set

This confirms the fix correctly updates the existing component instead of
adding a duplicate when no Version is specified in the filter entry.
