feat: implement AddDependencies function to build BOM dependency graph

Author: wiebe-vandendriessche

internal/builder/dependency_builder.go

@@ -1 +1,53 @@
 package builder
+
+import cdx "github.com/CycloneDX/cyclonedx-go"
+
+// AddDependencies builds a minimal dependency graph for the BOM where the
+// model (metadata component) depends on all dataset components. The function
+// creates one dependency entry for the model (with a dependsOn list) and a
+// dependency entry for each dataset (with no dependsOn entries) — matching
+// the example structure used elsewhere in the codebase.
+func AddDependencies(bom *cdx.BOM) {
+	if bom == nil {
+		return
+	}
+
+	// Determine model BOMRef
+	var modelRef string
+	if bom.Metadata != nil && bom.Metadata.Component != nil {
+		modelRef = bom.Metadata.Component.BOMRef
+	}
+	if modelRef == "" {
+		return
+	}
+
+	// Collect dataset BOMRefs
+	var datasetRefs []string
+	if bom.Components != nil {
+		for _, comp := range *bom.Components {
+			if comp.Type == cdx.ComponentTypeData && comp.BOMRef != "" {
+				datasetRefs = append(datasetRefs, comp.BOMRef)
+			}
+		}
+	}
+
+	// Build dependencies slice: model entry (with dependsOn) + dataset entries
+	deps := make([]cdx.Dependency, 0, 1+len(datasetRefs))
+
+	// Model dependency (depends on datasets if present)
+	modelDep := cdx.Dependency{Ref: modelRef}
+	if len(datasetRefs) > 0 {
+		// copy to avoid referencing underlying slice later
+		cp := make([]string, len(datasetRefs))
+		copy(cp, datasetRefs)
+		modelDep.Dependencies = &cp
+	}
+	deps = append(deps, modelDep)
+
+	// Add dataset nodes (no further dependencies)
+	for _, ds := range datasetRefs {
+		deps = append(deps, cdx.Dependency{Ref: ds})
+	}
+
+	bom.Dependencies = &deps
+}

internal/generator/generator.go

@@ -14,6 +14,8 @@ import (
 	cdx "github.com/CycloneDX/cyclonedx-go"
 )
 
+// Version without progress callbacks
+
 type DiscoveredBOM struct {
 	Discovery scanner.Discovery
 	BOM       *cdx.BOM
@@ -98,6 +100,9 @@ func BuildDummyBOM() ([]DiscoveredBOM, error) {
 		}
 	}
 
+	// Add dependencies from model to datasets
+	builder.AddDependencies(bom)
+
 	return []DiscoveredBOM{
 		{
 			Discovery: dummyDiscovery,
@@ -129,7 +134,6 @@ func BuildPerDiscovery(discoveries []scanner.Discovery, hfToken string, timeout
 			modelID = strings.TrimSpace(d.Name)
 		}
 
-
 		var resp *fetcher.ModelAPIResponse
 		var readme *fetcher.ModelReadmeCard
 		if modelID != "" {
@@ -202,6 +206,8 @@ func BuildPerDiscovery(discoveries []scanner.Discovery, hfToken string, timeout
 			*bom.Components = append(*bom.Components, *dsComp)
 		}
 
+		// Add dependencies from model to datasets
+		builder.AddDependencies(bom)
 
 		results = append(results, DiscoveredBOM{
 			Discovery: d,
@@ -283,7 +289,6 @@ func BuildFromModelIDs(modelIDs []string, hfToken string, timeout time.Duration)
 
 		bomBuilder := newBOMBuilder()
 
-
 		resp, err := modelApiFetcher.Fetch(context.Background(), modelID)
 		if err != nil {
 			resp = nil
@@ -357,6 +362,8 @@ func BuildFromModelIDs(modelIDs []string, hfToken string, timeout time.Duration)
 			*bom.Components = append(*bom.Components, *dsComp)
 		}
 
+		// Add dependencies from model to datasets
+		builder.AddDependencies(bom)
 
 		results = append(results, DiscoveredBOM{
 			Discovery: discovery,

internal/generator/generator_progress.go

@@ -166,6 +166,9 @@ func BuildFromModelIDsWithProgress(ctx context.Context, modelIDs []string, opts
 			progress(ProgressEvent{Type: EventDatasetComplete, ModelID: modelID, Message: dsID})
 		}
 
+		// Add dependencies from model to datasets
+		builder.AddDependencies(bom)
+
 		progress(ProgressEvent{Type: EventModelComplete, ModelID: modelID, Datasets: datasetCount})
 
 		results = append(results, DiscoveredBOM{
@@ -284,6 +287,9 @@ func BuildPerDiscoveryWithProgress(ctx context.Context, discoveries []scanner.Di
 			progress(ProgressEvent{Type: EventDatasetComplete, ModelID: modelID, Message: dsID})
 		}
 
+		// Add dependencies from model to datasets
+		builder.AddDependencies(bom)
+
 		progress(ProgressEvent{Type: EventModelComplete, ModelID: modelID, Datasets: datasetCount})
 
 		results = append(results, DiscoveredBOM{