Include BomRef within Component hash calculation

[wkoot]

Fixes #540, #677

[jkowalleck]

this is considered a breaking change, as it changes existing behavior in a non-backwards-compatible way

[jkowalleck]

this is a disputable assertion.
the two of the components of the original BOM were duplicated in the first place, why keep them?

[wkoot]

What is the correct place for this to be disputed, is it part of the implementation or the spec discussion?

[jkowalleck]

it is something that could be discussed here: https://github.com/CycloneDX/specification/discussions

[wkoot]

Where in the spec is it explained what the uniqueness criteria for components are?
And is it a bug that the libraries in other programming languages have implemented this differently, or is that also something that's an ongoing discussion?

[jkowalleck]

this PR claims to solve #677
the original issue was

>>> bom.validate()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "lib\site-packages\cyclonedx\model\bom.py", line 666, in validate
    raise UnknownComponentDependencyException(
cyclonedx.exception.model.UnknownComponentDependencyException: One or more Components have Dependency references to Components/Services that are not known in this BOM. They are: {<BomRef 'test22' id=2111773432208>, <BomRef 'test21' id=2111773432160>}

none of the added tests showcase this broken/fixed behaviour.

[jkowalleck]

this PR claims to solve #540

the original problem was

Traceback (most recent call last):
  File "/Users/tek30584/programming/cdx_lib_bugs/./duplicate_name_bug.py", line 38, in <module>
    print(JsonV1Dot5(bom).output_as_string(indent=2))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/tek30584/programming/cdx_lib_bugs/.venv/lib/python3.11/site-packages/cyclonedx/output/json.py", line 82, in output_as_string
    self.generate()
  File "/Users/tek30584/programming/cdx_lib_bugs/.venv/lib/python3.11/site-packages/cyclonedx/output/json.py", line 70, in generate
    bom.validate()
  File "/Users/tek30584/programming/cdx_lib_bugs/.venv/lib/python3.11/site-packages/cyclonedx/model/bom.py", line 600, in validate
    raise UnknownComponentDependencyException(
cyclonedx.exception.model.UnknownComponentDependencyException: One or more Components have Dependency references to Components/Services that are not known in this BOM. They are: {<BomRef 'some-library2'>}

none of the added tests showcase this broken/fixed behaviour.

[jkowalleck]

I see why you go with self.bom_ref.value instead of self.bom_ref.
BomRef.__hash__ exists and is implemented to account for the __id__ of the "empty" object entity, so that None values are unequal.
Your implementation does not do so, and may cause unexpected behaviour here.

[wkoot]

Indeed I had originally only added self.bom_ref, but that would then not deduplicate the Nones. Is there a reason for the BomRef hash to include the id? It seems superfluous when there is a unique identifier. Note also that the code claims a random UUIDv4 should have been assigned when there is no ref, but this is not actually the case

[wkoot]

this is considered a breaking change, as it changes existing behavior in a non-backwards-compatible way

Would it be desirable to only include the BomRef in the hash calc when it is set (i.e. not None)?
I then wonder what should be done about duplicate components where one has a ref and the other does not.

[jkowalleck]

this is considered a breaking change, as it changes existing behavior in a non-backwards-compatible way

Would it be desirable to only include the BomRef in the hash calc when it is set (i.e. not None)? I then wonder what should be done about duplicate components where one has a ref and the other does not.

breaking changes are embraced and not a stopper. it was just a remark.