Expected impact:
- For most users: nothing changes; the flat list still works for those not using the dependency network.
- For users using the dependency network: they can see real dependencies between releases, improving traceability and impact analysis.
- Keeps the system safe, small, and incremental, that is, reduces the risk of breaking existing workflows.
Hi SW360 Team,

I am Vasvi Garg, a Full-Stack Engineer and Computer Science student. I've been actively contributing to the SW360 ecosystem, recently focusing on PR #3816, where I implemented a recursive logic to display CycloneDX dependency hierarchies.

For GSoC 2026, I am proposing a project to further enhance these capabilities: Automated SBOM Validation and Visualization. My goal is to implement a robust validation layer for incoming SBOMs (CycloneDX/SPDX) and a modern visualization component for the dependency tree.

I have prepared a draft proposal here: https://docs.google.com/document/d/1sYv85FfYbU6BCuqRzuHAP6wpi4LU-jfAlFjZnkHHrLI/edit?usp=sharing

I would greatly appreciate any feedback from the mentors, specifically regarding:

Thanks for your time!
Hi maintainers,

I traced the CycloneDX SBOM import path end-to-end and noticed that while dependency relationships exist in the BOM, SW360 currently flattens all components into the project inventory.

I'm sharing this mainly to confirm design intent before proposing anything. The goal of this experiment is to:
- verify that dependencies are ignored in the current importer
- see if basic dep edges could be preserved without schema or UI changes
- surface any edge cases before considering a proper implementation

I've attached my experiment notes below for reference. Happy to summarize further if needed.

Maintainer questions:
- Is it intentional that CycloneDX BOM dependencies are ignored in the releaseRelationNetwork?
- Would preserving basic dependency edges align with SW360's long-term direction?

Thanks for your time
@GMishx @Kaushl2208 @amritkv

Attachment: cyclonedx_import_trace_notes.md
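The two behaviours discussed in this thread (the flat inventory the importer produces today, and the dependency edges the first comment says would improve traceability and impact analysis) side by side, as an added example that is not SW360 code and not the attached experiment notes. It is written in Python rather than SW360's Java so it runs stand-alone; the BOM is a constructed CycloneDX 1.5 document, and the `lib-missing` reference is deliberately dangling to show one of the edge cases the post mentions (a `dependsOn` entry that no component declares). The function names are this example's own.

```python
import json
from collections import deque

# Constructed sample CycloneDX 1.5 BOM; not a real project's SBOM.
# "lib-missing" is referenced in dependencies but declared nowhere (edge case).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "demo-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.1.0"},
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9.3"},
        {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
        {"ref": "lib-a", "dependsOn": ["lib-c"]},
        {"ref": "lib-b", "dependsOn": ["lib-c", "lib-missing"]},
        {"ref": "lib-c", "dependsOn": []},
    ],
})


def load_bom(text):
    """Parse a CycloneDX JSON document into a dict."""
    return json.loads(text)


def flatten_components(bom):
    """What a flattening importer keeps: every component as (name, version), no edges."""
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def known_refs(bom):
    """All bom-refs a dependency entry may legitimately point at: components plus the root."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    root = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in root:
        refs.add(root["bom-ref"])
    return refs


def dependency_edges(bom):
    """Return (edges, dangling).

    edges: (parent_ref, child_ref) pairs whose endpoints are declared components.
    dangling: refs that appear in the dependencies section but are never declared;
    a validating importer should report these rather than silently drop them.
    """
    refs = known_refs(bom)
    edges, dangling = [], []
    for dep in bom.get("dependencies", []):
        parent = dep.get("ref")
        if parent not in refs:
            dangling.append(parent)
            continue
        for child in dep.get("dependsOn", []):
            if child == parent:
                continue  # self-reference carries no information; skip it
            if child not in refs:
                dangling.append(child)
            else:
                edges.append((parent, child))
    return edges, dangling


def dependents_of(edges, ref):
    """Impact analysis: every ref that depends on `ref`, directly or transitively.

    Walks the reversed edge list breadth-first; the visited set also stops cycles.
    """
    reverse = {}
    for parent, child in edges:
        reverse.setdefault(child, set()).add(parent)
    seen, queue = set(), deque([ref])
    while queue:
        current = queue.popleft()
        for parent in reverse.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM)
    print("flat inventory:", flatten_components(bom))
    edges, dangling = dependency_edges(bom)
    print("edges:", edges)
    print("dangling refs:", dangling)
    print("affected if lib-c changes:", sorted(dependents_of(edges, "lib-c")))
```

The flat inventory loses the fact that `lib-c` is reached through both `lib-a` and `lib-b`; the edge list keeps it, so a question like "which releases are affected if `lib-c` changes" has an answer. Keeping `dangling` as a separate return value rather than raising lets an importer keep the flat behaviour for users who do not use the dependency network while still surfacing the inconsistency.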