Nested cyclonedx.model.dependency.Dependency not serialized to JSON

[stefan6419846]

The Dependency class currently allows arbitrary nesting, at least according to the type hints:

cyclonedx-python-lib/cyclonedx/model/dependency.py

Lines 59 to 61 in bf596c0

	def __init__(self, ref: BomRef, dependencies: Optional[Iterable['Dependency']] = None) -> None:
	self.ref = ref
	self.dependencies = dependencies or []

Serializing such a BOM to JSON will ignore everything except the top-level entry.

Example usage:

bom.dependencies.add(
    Dependency(
        root_component.bom_ref,
        dependencies=[
            Dependency(
                dependency1.bom_ref,
                dependencies=[
                    Dependency(dependency2.bom_ref)
                ]
            )
        ]
    )
)

I stumbled upon this when trying to process external BOMs for further analysis with only looking at the type hints, while I have not been able to build a BOM myself which would actually trigger this after serialization.

[jkowalleck]

Serializing such a BOM to JSON will ignore everything except the top-level entry.

have you tried it? could you pull-request a test setup that has any issues?

tests go here: https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/tests/_data/models.py

[stefan6419846]

I will have a look at possibly preparing a PR for this tomorrow. For now, this is some reproducing code based upon complex_serialize.py:

from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component, ComponentType
from cyclonedx.model.dependency import Dependency
from cyclonedx.output import make_outputter
from cyclonedx.schema import OutputFormat, SchemaVersion


bom = Bom()

bom.metadata.component = root_component = Component(
    name='myApp',
    type=ComponentType.APPLICATION,
    bom_ref='myApp',
)

component1 = Component(
    type=ComponentType.LIBRARY,
    name='some-component',
    group='acme',
    version='1.33.7-beta.1',
    bom_ref='myComponent@1.33.7-beta.1',
)
bom.components.add(component1)

component2 = Component(
    type=ComponentType.LIBRARY,
    name='some-library',
    bom_ref='some-library'
)
bom.components.add(component2)

bom.dependencies.add(
    Dependency(
        root_component.bom_ref,
        dependencies=[
            Dependency(
                component1.bom_ref,
                dependencies=[
                    Dependency(component2.bom_ref)
                ]
            )
        ]
    )
)

my_json_outputter = make_outputter(bom, OutputFormat.JSON, SchemaVersion.V1_7)
serialized_json = my_json_outputter.output_as_string(indent=2)
print(serialized_json)

print('', '=' * 30, '', sep='\n')

my_xml_outputter = make_outputter(bom, OutputFormat.XML, SchemaVersion.V1_7)
serialized_xml = my_xml_outputter.output_as_string(indent=2)
print(serialized_xml)

JSON output is this, with nothing depending on some-library:

{
  "components": [
    {
      "bom-ref": "myComponent@1.33.7-beta.1",
      "group": "acme",
      "name": "some-component",
      "type": "library",
      "version": "1.33.7-beta.1"
    },
    {
      "bom-ref": "some-library",
      "name": "some-library",
      "type": "library"
    }
  ],
  "dependencies": [
    {
      "dependsOn": [
        "myComponent@1.33.7-beta.1"
      ],
      "ref": "myApp"
    },
    {
      "ref": "myComponent@1.33.7-beta.1"
    },
    {
      "ref": "some-library"
    }
  ],
  "metadata": {
    "component": {
      "bom-ref": "myApp",
      "name": "myApp",
      "type": "application"
    },
    "timestamp": "2026-03-04T17:33:26.085743+00:00"
  },
  "serialNumber": "urn:uuid:9c7da534-f964-4d74-a09e-9c5770262989",
  "version": 1,
  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.7"
}

The XML looks correct (myComponent@1.33.7-beta.1 referencing some-library):

<?xml version="1.0" ?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.7" serialNumber="urn:uuid:9c7da534-f964-4d74-a09e-9c5770262989" version="1">
  <metadata>
    <timestamp>2026-03-04T17:33:26.085743+00:00</timestamp>
    <component type="application" bom-ref="myApp">
      <name>myApp</name>
    </component>
  </metadata>
  <components>
    <component type="library" bom-ref="myComponent@1.33.7-beta.1">
      <group>acme</group>
      <name>some-component</name>
      <version>1.33.7-beta.1</version>
    </component>
    <component type="library" bom-ref="some-library">
      <name>some-library</name>
    </component>
  </components>
  <dependencies>
    <dependency ref="myApp">
      <dependency ref="myComponent@1.33.7-beta.1">
        <dependency ref="some-library"/>
      </dependency>
    </dependency>
    <dependency ref="myComponent@1.33.7-beta.1"/>
    <dependency ref="some-library"/>
  </dependencies>
</bom>