Improve dependency tree for poetry in non-workspace mode (#1817)

* Improve dependency tree for poetry in non-workspace mode

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Improve dependency tree for poetry in non-workspace mode

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

* Improve dependency tree for poetry in non-workspace mode

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

---------

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>

Author: prabhu

.github/workflows/image-build.yml

@@ -83,7 +83,7 @@ jobs:
           labels: ${{ steps.cdxgen-metadata.outputs.labels }}
       - name: Build and push Docker cdxgen-image for tag
         uses: docker/build-push-action@v5
-        if: ${{ startsWith(github.ref, 'refs/tags/') && ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
         with:
           context: .
           file: ci/base-images/cdxgen/${{ fromJSON(inputs.image).distro }}/Dockerfile.${{ fromJSON(inputs.image).lang }}
@@ -121,7 +121,7 @@ jobs:
           oras discover --format tree ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }}
           node bin/verify.js -i ${{ fromJSON(steps.cdxgen-metadata.outputs.json).tags[0] }} --public-key contrib/bom-signer/public.key
         continue-on-error: true
-        if: ${{ startsWith(github.ref, 'refs/tags/') && ! fromJSON(inputs.image).cdxgen-image.skip-tags }}
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
         env:
           SBOM_SIGN_ALGORITHM: RS512
           SBOM_SIGN_PRIVATE_KEY: ${{ github.workspace }}/private.key

ci/base-images/README.md

@@ -35,7 +35,7 @@ Below table summarizes all available container image versions. These images incl
 | Ruby     | 1.8.x                        | ghcr.io/cyclonedx/debian-ruby18:master                                                         | Base image for `bundle install` only. No cdxgen equivalent with Ruby 1.8.x. `--deep` mode and research profile unsupported.               |
 | Swift    | 6.0.x                        | ghcr.io/cyclonedx/cdxgen-debian-swift:v11                                                      |
 | golang   | 1.24                         | ghcr.io/cyclonedx/cdxgen-debian-golang124:v11, ghcr.io/cyclonedx/cdxgen-debian-golang:v11      | Golang 1.24                                                                                                                               |
-| golang   | 1.23                         | ghcr.io/cyclonedx/cdxgen-debian-golang123:v11      | Golang 1.23
+| golang   | 1.23                         | ghcr.io/cyclonedx/cdxgen-debian-golang123:v11                                                  | Golang 1.23                                                                                                                               |
 
 Replace `:v11` with a release version tag or sha256 hash for fine-grained control over the image tag.
 

lib/helpers/utils.js

@@ -5029,6 +5029,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   let parentComponent;
   let workspacePaths;
   let workspaceWarningShown = false;
+  let hasWorkspaces = false;
   // Keep track of any workspace components to be added to the parent component
   const workspaceComponentMap = {};
   const workspacePyProjMap = {};
@@ -5053,6 +5054,9 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     parentComponent = pyProjMap.parentComponent;
     workspacePaths = pyProjMap.workspacePaths;
     if (workspacePaths?.length) {
+      if (!hasWorkspaces) {
+        hasWorkspaces = true;
+      }
       // Parent component is going to have children
       parentComponent.components = [];
       for (const awpath of workspacePaths) {
@@ -5136,6 +5140,9 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
   // Check for workspaces
   if (lockTomlObj?.manifest?.members) {
     const workspaceMembers = lockTomlObj.manifest.members;
+    if (workspaceMembers && !hasWorkspaces) {
+      hasWorkspaces = true;
+    }
     for (const amember of workspaceMembers) {
       if (amember === parentComponent.name) {
         continue;
@@ -5286,7 +5293,7 @@ export async function parsePyLockData(lockData, lockFile, pyProjectFile) {
     }
     if (
       directDepsKeys[pkg.name] ||
-      !Object.keys(workspaceComponentMap).length
+      (hasWorkspaces && !Object.keys(workspaceComponentMap).length)
     ) {
       rootList.push(pkg);
     }