Trim the saasbom to help all models including Gemini (#1454)

Signed-off-by: Prabhu Subramanian <[email protected]>
CycloneDX · Nov 13, 2024 · 3b4b2fe · 3b4b2fe
1 parent 7d14de2
commit 3b4b2fe
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -774,7 +774,6 @@ const checkPermissions = (filePath) => {
     printTable(bomNSData.bomJson);
     // CBOM related print
     if (options.includeCrypto) {
-      console.log("\n*** Cryptography BOM ***");
       printTable(bomNSData.bomJson, ["cryptographic-asset"]);
       printDependencyTree(bomNSData.bomJson, "provides");
     }

diff --git a/lib/stages/postgen/postgen.js b/lib/stages/postgen/postgen.js
@@ -306,14 +306,17 @@ export function annotate(bomJson, options) {
   if (!cdxgenAnnotator.length) {
     return bomJson;
   }
-  const requiresContextTrimming = ["ml-tiny"].includes(options?.profile);
+  const { bomType } = findBomType(bomJson);
   const requiresContextTuning = [
     "deep-learning",
     "machine-learning",
     "ml",
     "ml-deep",
     "ml-tiny",
   ].includes(options?.profile);
+  const requiresContextTrimming =
+    (requiresContextTuning && ["saasbom"].includes(bomType.toLowerCase())) ||
+    ["ml-tiny"].includes(options?.profile);
   // Construct the bom-link prefix to use for context tuning
   const bomLinkPrefix = `${bomJson.serialNumber}/${bomJson.version}/`;
   const metadataAnnotations = textualMetadata(bomJson);
@@ -343,8 +346,13 @@ export function annotate(bomJson, options) {
     if (bomJson?.metadata?.component?.["bom-ref"]) {
       bomJson.metadata.component["bom-ref"] = undefined;
     }
+    if (bomJson?.metadata?.component?.properties) {
+      bomJson.metadata.component.properties = undefined;
+    }
+    if (bomJson?.metadata?.properties) {
+      bomJson.metadata.properties = undefined;
+    }
   }
-  const { bomType, bomTypeDescription } = findBomType(bomJson);
   // Tag the components
   for (const comp of bomJson.components) {
     const tags = extractTags(comp, bomType);
@@ -372,6 +380,13 @@ export function annotate(bomJson, options) {
   // For tiny models, we can remove the dependencies section
   if (requiresContextTrimming) {
     bomJson.dependencies = undefined;
+    if (bomType.toLowerCase() === "saasbom") {
+      bomJson.components = undefined;
+      let i = 0;
+      for (const aserv of bomJson.services) {
+        aserv.name = `service-${i++}`;
+      }
+    }
   }
   // Problem: information such as the dependency tree are specific to an sbom
   // To prevent the models from incorrectly learning about the trees, we automatically convert all bom-ref

diff --git a/types/lib/stages/postgen/postgen.d.ts.map b/types/lib/stages/postgen/postgen.d.ts.map