feat: partition SBOM dependencies into direct and deep

flowstate · flowstate · commit 0f7e8b0b39cb · 2026-05-26T13:42:20.000-07:00
diff --git a/socketsecurity/fossa_compat.py b/socketsecurity/fossa_compat.py
@@ -414,9 +414,23 @@ def _build_dependency_entry(package: Package, dependency_paths: list[str]) -> di
     }
 
 
+def _compute_dependency_paths(package: Package, package_lookup: dict[str, Package]) -> list[str]:
+    """Stub: filled in by Task 9. For now: package name only."""
+    return [package.name]
+
+
 def _partition_dependencies(packages: list[Package]) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
-    """Stub: filled in by Tasks 7-9. Returns (direct, deep) lists of Dependency dicts."""
-    return ([], [])
+    direct: list[dict[str, Any]] = []
+    deep: list[dict[str, Any]] = []
+    package_lookup = {getattr(p, "id", None): p for p in packages if getattr(p, "id", None)}
+    for package in packages:
+        paths = _compute_dependency_paths(package, package_lookup)
+        entry = _build_dependency_entry(package, paths)
+        if bool(getattr(package, "direct", False)):
+            direct.append(entry)
+        else:
+            deep.append(entry)
+    return direct, deep
 
 
 def build_fossa_attribution_payload(diff_report: Diff, config: CliConfig) -> dict[str, Any]:
diff --git a/tests/unit/test_fossa_compat.py b/tests/unit/test_fossa_compat.py
@@ -327,6 +327,28 @@ def test_attribution_empty_diff_yields_empty_collections():
     assert payload["deepDependencies"] == []
 
 
+def test_attribution_partitions_direct_vs_deep():
+    pkg_a = Package(
+        type="pypi", name="a", version="1.0", id="pip+a$1.0",
+        score={}, alerts=[], direct=True,
+    )
+    pkg_b = Package(
+        type="pypi", name="b", version="1.0", id="pip+b$1.0",
+        score={}, alerts=[], direct=False,
+    )
+    pkg_c = Package(
+        type="pypi", name="c", version="1.0", id="pip+c$1.0",
+        score={}, alerts=[], direct=True,
+    )
+    diff = Diff(packages={"id-a": pkg_a, "id-b": pkg_b, "id-c": pkg_c})
+    config = CliConfig.from_args(["--api-token", "test", "--legal-format", "fossa"])
+    payload = build_fossa_attribution_payload(diff, config)
+    direct_names = sorted(d["package"] for d in payload["directDependencies"])
+    deep_names = sorted(d["package"] for d in payload["deepDependencies"])
+    assert direct_names == ["a", "c"]
+    assert deep_names == ["b"]
+
+
 def test_vulnerability_version_ranges_sourced_from_socket_fields():
     """affectedVersionRanges/patchedVersionRanges come from Socket's singular fields, wrapped."""
     from socketsecurity.fossa_compat import _build_vulnerability_entry
