Reconcile bare/rich component identities in ComponentsFound#1760
Open
Reconcile bare/rich component identities in ComponentsFound#1760
Conversation
eefbb60 to
0ec6835
Compare
|
👋 Hi! It looks like you modified some files in the
If none of the above scenarios apply, feel free to ignore this comment 🙂 |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the orchestrator’s component aggregation so that, within a single detector run, components registered under a “bare” identity (no provenance URLs) are reconciled into their corresponding “rich” identities (same BaseId, but with DownloadUrl/SourceUrl). This ensures ComponentsFound reflects a single coherent identity while retaining important metadata and graph-derived fields.
Changes:
- Reconcile detected components by
BaseId, merging bare metadata into rich entries and dropping the bare entries. - Extend graph translation to associate graph data with components by either
IdorBaseId, so rich components pick up graph info from bare-id graphs. - Add unit tests covering reconciliation behavior at both the
ComponentRecorderand graph translation layers.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs |
Groups detected components by BaseId and merges bare metadata into rich components. |
src/Microsoft.ComponentDetection.Orchestrator/Services/GraphTranslation/DefaultGraphTranslationService.cs |
Applies graph roots/ancestors/dev-dep/scope/locations using Id or BaseId matching. |
test/Microsoft.ComponentDetection.Common.Tests/ComponentRecorderTests.cs |
Adds tests validating bare/rich reconciliation behavior for component aggregation. |
test/Microsoft.ComponentDetection.Orchestrator.Tests/Services/DefaultGraphTranslationServiceTests.cs |
Adds tests validating rich components absorb graph data from bare-id graphs. |
src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs
Show resolved
Hide resolved
src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs
Show resolved
Hide resolved
src/Microsoft.ComponentDetection.Common/DependencyGraph/ComponentRecorder.cs
Outdated
Show resolved
Hide resolved
Within a single detector, components registered under bare Ids (no DownloadUrl/SourceUrl) are now merged into their rich counterparts sharing the same BaseId. Changes: - ComponentRecorder.GetDetectedComponents(): group by BaseId, merge bare metadata (licenses, suppliers, containers) into all rich entries - DefaultGraphTranslationService.GatherSetOfDetectedComponentsUnmerged(): extend graph lookup to match on BaseId so rich components absorb graph data (roots, ancestors, devDep, scope, file paths) from bare-Id graphs - Tests for both reconciliation levels Addresses work item #2372676. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
0ec6835 to
f1ee3e5
Compare
grvillic
reviewed
Apr 4, 2026
| // Information about each component is relative to all of the graphs it is present in, so we take all graphs containing a given component and apply the graph data. | ||
| foreach (var graphKvp in dependencyGraphsByLocation.Where(x => x.Value.Contains(component.Component.Id))) | ||
| // Also match on BaseId to pick up graphs that registered this component under a bare Id (before reconciliation promoted it to a rich Id). | ||
| foreach (var graphKvp in dependencyGraphsByLocation.Where(x => x.Value.Contains(component.Component.Id) || (component.Component.Id != component.Component.BaseId && x.Value.Contains(component.Component.BaseId)))) |
Collaborator
There was a problem hiding this comment.
this line is a bit difficult to follow, can we make a private utility method that returns true when applicable.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Within a single detector, components registered under bare Ids (no DownloadUrl/SourceUrl) are now merged into their rich counterparts sharing the same BaseId.
Changes:
Addresses work item #2372676.