feat: base-serializer runs bomRefDiscrimination on vulnerabilities

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

src/serialize/baseSerializer.ts

@@ -17,25 +17,32 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
 
-import type { Bom, BomRef, Component } from '../models'
+import { treeIteratorSymbol } from '../_helpers/tree'
+import type { Bom, BomRef } from '../models'
 import { BomRefDiscriminator } from './bomRefDiscriminator'
 import type { NormalizerOptions, Serializer, SerializerOptions } from './types'
 
 export abstract class BaseSerializer<NormalizedBom> implements Serializer {
   #getAllBomRefs (bom: Bom): Iterable<BomRef> {
     const bomRefs = new Set<BomRef>()
-    function iterComponents (cs: Iterable<Component>): void {
-      for (const { bomRef, components } of cs) {
+
+    // region from components
+    if (bom.metadata.component !== undefined) {
+      bomRefs.add(bom.metadata.component.bomRef)
+      for (const { bomRef } of bom.metadata.component.components[treeIteratorSymbol]()) {
         bomRefs.add(bomRef)
-        iterComponents(components)
       }
     }
+    for (const { bomRef } of bom.components[treeIteratorSymbol]()) {
+      bomRefs.add(bomRef)
+    }
+    // endregion from components
 
-    if (bom.metadata.component !== undefined) {
-      bomRefs.add(bom.metadata.component.bomRef)
-      iterComponents(bom.metadata.component.components)
+    // region from vulnerabilities
+    for (const { bomRef } of bom.vulnerabilities) {
+      bomRefs.add(bomRef)
     }
-    iterComponents(bom.components)
+    // endregion from vulnerabilities
 
     return bomRefs.values()
   }