From 6bd0823f7ecfbb22c7322c027b194b1923499988 Mon Sep 17 00:00:00 2001
From: Mike McQuaid
Date: Sun, 26 May 2024 16:48:48 +0100
Subject: [PATCH] sbom: fix dependency bottle information in SBOM.

This breaks the possibility for some `:all` bottle creation if they reference a non-`:all` bottle as a dependency. Instead, omit this information in the bottle and generate it only at install time.
---
 Library/Homebrew/sbom.rb | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/Library/Homebrew/sbom.rb b/Library/Homebrew/sbom.rb
index 98f16bb513..e3148f5091 100644
--- a/Library/Homebrew/sbom.rb
+++ b/Library/Homebrew/sbom.rb
@@ -293,9 +293,13 @@ class SBOM
 ] + runtime_dependency_declaration + compiler_declarations + bottle
 end
 
- sig { returns(T::Array[T::Hash[Symbol, T.any(T::Boolean, String, T::Array[T::Hash[Symbol, String]])]]) }
- def full_spdx_runtime_dependencies
- return [] unless @runtime_dependencies.present?
+ sig {
+ params(bottling: T::Boolean).returns(T::Array[T::Hash[Symbol,
+ T.any(T::Boolean, String,
+ T::Array[T::Hash[Symbol, String]])]])
+ }
+ def full_spdx_runtime_dependencies(bottling:)
+ return [] if @runtime_dependencies.blank?
 
 @runtime_dependencies.compact.filter_map do |dependency|
 next unless dependency.present?
@@ -306,7 +310,7 @@ class SBOM
 # Only set bottle URL if the dependency is the same version as the formula/bottle.
 bottle_url = bottle_info["url"] if dependency["pkg_version"] == dependency["formula_pkg_version"]
 
- {
+ dependency_json = {
 SPDXID: "SPDXRef-Package-SPDXRef-#{dependency["name"].tr("/", "-")}-#{dependency["pkg_version"]}",
 name: dependency["name"],
 versionInfo: dependency["pkg_version"],
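Review bot: The new `bottling:` keyword on `full_spdx_runtime_dependencies` has no documentation explaining what it changes, and the sig block does not say either; a reader of this method will not know why the bottle URL and checksums disappear from the output in one mode. A short comment above the `sig` would carry the intent from the commit message into the code: `# When bottling, omit per-dependency downloadLocation/checksums so an :all bottle does not embed host-specific bottle info; they are filled in at install time.` Note that the keyword is required, so any other caller of `full_spdx_runtime_dependencies` not visible in this patch would now raise ArgumentError; the only call site updated here is `to_spdx_sbom`. The method body continues past the end of the hunk.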
@@ -329,12 +333,17 @@ class SBOM
 },
 ],
 }
+ if bottling
+ dependency_json.delete(:downloadLocation)
+ dependency_json.delete(:checksums)
+ end
+ dependency_json
 end
 end
 
 sig { params(bottling: T::Boolean).returns(T::Hash[Symbol, T.any(String, T::Array[T::Hash[Symbol, String]])]) }
 def to_spdx_sbom(bottling:)
- runtime_full = full_spdx_runtime_dependencies
+ runtime_full = full_spdx_runtime_dependencies(bottling:)
 
 compiler_info = {
 "SPDXRef-Compiler" => {
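Review bot: Deleting `:downloadLocation` outright leaves each dependency package in the bottled SBOM without a field that SPDX 2.x treats as mandatory (it must be present, with `NOASSERTION` or `NONE` when unknown), so strict SPDX validators or downstream consumers may reject the bottled document even though the later install-time regeneration would be complete. Dropping `:checksums` is fine since that field is optional, but the download location should be replaced rather than removed: `dependency_json[:downloadLocation] = "NOASSERTION" if bottling` in place of the `delete(:downloadLocation)` line. Since this branch runs after the hash is built, it also implies the `bottle_info`/`bottle_url` lookup in the earlier hunk is still performed when bottling and then discarded; if that lookup is what can fail for an `:all` bottle depending on a non-`:all` bottle, guarding it on `bottling` would be the more direct fix, though that cannot be confirmed from the lines shown. The `filter_map` block begins outside this hunk.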