Capture more package fields in MergeableContent by DaveTryon · Pull Request #1134 · microsoft/sbom-tool

When comparing the source SBOMs to the aggregated SBOMs, packages are losing the externalRefs section, which identifies where the data came from. We're also always using default values for the supplier and copyrightText fields. This is happening because the MergeableContentProvider is not capturing the data from the source SBOM. This PR simply calls an existing method that sets the additional properties (and gives us less code to maintain):

It also extends the "happy path" unit test to ensure that these fields are set on all packages in the test file. Before the change, all of the new counts in the test were 0.

Footnote: There are still 2 properties on SbomPackage that we don't set. These are Type and DependOn. I couldn't find good examples of how to use these, so we just keep the default behavior for now. If/when we later want them and know how to get them, it will be a simple fix.
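One way to check an aggregated SBOM for the field loss described above, added here as an example and not code from this PR or from sbom-tool. It assumes SPDX 2.x JSON documents, packages matched by name and versionInfo, and `NOASSERTION` as the default value; `find_dropped_fields` and the sample packages are constructed for illustration.

```python
# Assumption: a field the aggregator did not capture shows up as SPDX "NOASSERTION".
DEFAULT = "NOASSERTION"


def _index(doc):
    """Index SPDX packages by (name, versionInfo); SPDXIDs may be regenerated on merge."""
    return {(p.get("name"), p.get("versionInfo")): p for p in doc.get("packages", [])}


def _ref_set(pkg):
    return {(r.get("referenceType"), r.get("referenceLocator"))
            for r in pkg.get("externalRefs", [])}


def find_dropped_fields(source_doc, aggregated_doc):
    """Return {package key: [fields the aggregated SBOM lost]} for source packages."""
    merged = _index(aggregated_doc)
    findings = {}
    for key, src in _index(source_doc).items():
        agg = merged.get(key)
        if agg is None:
            findings[key] = ["<package missing>"]
            continue
        lost = []
        # Provenance check: every source externalRef must survive aggregation.
        if not _ref_set(src) <= _ref_set(agg):
            lost.append("externalRefs")
        for field in ("supplier", "copyrightText"):
            original = src.get(field, DEFAULT)
            # Only flag a loss when the source carried a real value.
            if original != DEFAULT and agg.get(field, DEFAULT) != original:
                lost.append(field)
        if lost:
            findings[key] = lost
    return findings


# Constructed sample documents, trimmed to the fields under discussion.
SOURCE = {"packages": [
    {"name": "libA", "versionInfo": "1.2.0", "supplier": "Organization: Contoso",
     "copyrightText": "Copyright (c) Contoso",
     "externalRefs": [{"referenceType": "purl",
                       "referenceLocator": "pkg:nuget/libA@1.2.0"}]},
    {"name": "libB", "versionInfo": "0.9.1", "supplier": DEFAULT,
     "copyrightText": DEFAULT},
]}
# The reported symptom: externalRefs dropped, supplier and copyrightText defaulted.
AGGREGATED_BEFORE = {"packages": [
    {"name": p["name"], "versionInfo": p["versionInfo"],
     "supplier": DEFAULT, "copyrightText": DEFAULT} for p in SOURCE["packages"]]}
print(find_dropped_fields(SOURCE, AGGREGATED_BEFORE))
```

An empty result means every source package kept its externalRefs, supplier and copyrightText in the aggregated document.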