fix(osi): remap vulnerability refs and preserve merged SBOMs

map component identifiers to bom-ref during scan conversion and reattach cycles so CycloneDX vulnerabilities reference components correctly
re-serialize merged SBOMs to the requested format, remap relationship targets, and default merge output to CycloneDX JSON
raise JSON read limits and harden OSI dependency preparation/configs for larger SBOMs and richer dependency graphs
add unit tests covering vulnerability reference remapping

Author: hima700

api/src/main/java/org/svip/api/config/JacksonConfig.java

@@ -1,37 +1,75 @@
+/**
+ * Copyright 2021 Rochester Institute of Technology (RIT). Developed with
+ * government support under contract 70RCSA22C00000008 awarded by the United
+ * States Department of Homeland Security for Cybersecurity and Infrastructure Security Agency.
+ * <p>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * <p>
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * <p>
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.svip.api.config;
 
-import com.fasterxml.jackson.core.JsonFactory;
-import com.fasterxml.jackson.core.StreamWriteConstraints;
+import com.fasterxml.jackson.core.StreamReadConstraints;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.SerializationFeature;
-import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import org.springframework.boot.autoconfigure.jackson.Jackson2ObjectMapperBuilderCustomizer;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
 
+/**
+ * Jackson configuration to handle large SBOM files
+ * 
+ * This configuration increases the maximum allowed string length for JSON parsing
+ * to handle very large SBOM files (up to 500MB of JSON text).
+ */
 @Configuration
 public class JacksonConfig {
-
+    
+    /**
+     * Configure Jackson to handle larger JSON strings
+     * Increases the max string length from 100MB to 500MB
+     */
+    @Bean
+    public Jackson2ObjectMapperBuilderCustomizer jsonCustomizer() {
+        return builder -> {
+            builder.postConfigurer(objectMapper -> {
+                objectMapper.getFactory().setStreamReadConstraints(
+                    StreamReadConstraints.builder()
+                        .maxStringLength(500_000_000)  // 500MB limit for JSON strings
+                        .build()
+                );
+            });
+        };
+    }
+    
+    /**
+     * Create a primary ObjectMapper bean with increased limits
+     * This will be used by default throughout the application
+     */
     @Bean
+    @Primary
     public ObjectMapper objectMapper() {
-        // Increase max nesting depth for writing deep JSON structures (e.g., VEX)
-        JsonFactory factory = JsonFactory.builder()
-                .streamWriteConstraints(StreamWriteConstraints.builder()
-                        .maxNestingDepth(5_000)
-                        .build())
-                .build();
-        
-        ObjectMapper mapper = new ObjectMapper(factory);
-        
-        // Register Java 8 date/time module for LocalDateTime support
-        mapper.registerModule(new JavaTimeModule());
-        
-        // Configure to handle circular references globally
-        mapper.configure(SerializationFeature.FAIL_ON_SELF_REFERENCES, false);
-        mapper.configure(SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL, true);
-        
-        // Disable writing dates as timestamps (use ISO-8601 strings instead)
-        mapper.disable(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS);
-        
+        ObjectMapper mapper = new ObjectMapper();
+        mapper.getFactory().setStreamReadConstraints(
+            StreamReadConstraints.builder()
+                .maxStringLength(500_000_000)  // 500MB limit for JSON strings
+                .build()
+        );
         return mapper;
     }
-}
+}

api/src/main/java/org/svip/api/controller/OSIController.java

@@ -44,6 +44,9 @@
 import org.svip.serializers.SerializerFactory;
 import org.svip.serializers.exceptions.DeserializerException;
 import org.svip.serializers.exceptions.SerializerException;
+import org.svip.serializers.serializer.Serializer;
+import org.svip.sbom.model.interfaces.generics.SBOM;
+import org.svip.sbom.model.objects.SVIPSBOM;
 
 import java.io.IOException;
 import java.net.URISyntaxException;
@@ -305,33 +308,57 @@ public ResponseEntity<?> generateWithOSI(@RequestParam("projectName") String pro
             mergedID = uploaded.get(0).getId();
         }
 
-        // Convert
+        // Re-serialize to requested format (preserves relationships better than conversion)
         Long convertedID;
         try {
-            LOGGER.info("POST /svip/generators/osi - Converting SBOM to {} {}", schema, format);
-            convertedID = sbomService.convert(mergedID, schema, format, true);
-            LOGGER.info("POST /svip/generators/osi - Successfully converted SBOM to id {}", convertedID);
-        } catch (DeserializerException | JsonProcessingException | SerializerException | SBOMBuilderException |
-                 ConversionException e) {
-            // Failed to convert
-            LOGGER.error("POST /svip/generators/osi - Failed to convert - " + e.getMessage());
+            SBOMFile mergedSbom = sbomService.getSBOMFile(mergedID);
+            
+            // Check if already in target schema/format
+            if (matchesRequestedFormat(mergedSbom, schema, format)) {
+                LOGGER.info("POST /svip/generators/osi - Merged SBOM already in {} {}, using as-is", schema, format);
+                convertedID = mergedID;
+            } else {
+                // Re-serialize instead of convert to preserve relationship structure
+                LOGGER.info("POST /svip/generators/osi - Re-serializing merged SBOM to {} {}", schema, format);
+                SBOM sbomObject = mergedSbom.toSBOMObject();
+                Serializer serializer = SerializerFactory.createSerializer(schema, format, true);
+                serializer.setPrettyPrinting(true);
+                String reserializedContent = serializer.writeToString((SVIPSBOM) sbomObject);
+                
+                String newName = (sbomObject.getName() != null ? sbomObject.getName() : "merged-sbom") + "-" + schema + "-" + format;
+                UploadSBOMFileInput input = new UploadSBOMFileInput(newName, reserializedContent);
+                SBOMFile reserialized = input.toSBOMFile();
+                
+                // Delete old merged SBOM and save new one
+                sbomService.deleteSBOMFile(mergedSbom);
+                sbomService.upload(reserialized);
+                convertedID = reserialized.getId();
+                LOGGER.info("POST /svip/generators/osi - Successfully re-serialized to id {}", convertedID);
+            }
+        } catch (Exception e) {
+            // Failed to re-serialize
+            LOGGER.error("POST /svip/generators/osi - Failed to re-serialize - " + e.getMessage());
             return new ResponseEntity<>(e.getMessage(), HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
         // RE-ADD VULNERABILITIES AFTER MERGE (merge strips them)
         if (!allVulnerabilities.isEmpty() && vulnerabilityScanService.isEnabled()) {
             try {
-                LOGGER.info("POST /svip/generators/osi - Re-adding {} vulnerabilities to merged SBOM", allVulnerabilities.size());
                 SBOMFile mergedSbom = sbomService.getSBOMFile(convertedID);
                 if (mergedSbom != null) {
-                    JsonNode sbomJson = new ObjectMapper().readTree(mergedSbom.getContent());
-                    
+                    ObjectMapper mapper = new ObjectMapper();
+                    JsonNode sbomJson = mapper.readTree(mergedSbom.getContent());
+                    List<JsonNode> remappedVulnerabilities = vulnerabilityScanService.remapVulnerabilityReferences(sbomJson, allVulnerabilities);
+                    allVulnerabilities = new ArrayList<>(remappedVulnerabilities);
+
+                    LOGGER.info("POST /svip/generators/osi - Re-adding {} vulnerabilities to merged SBOM", allVulnerabilities.size());
+
                     @SuppressWarnings("unchecked")
-                    Map<String, Object> sbomMap = new ObjectMapper().convertValue(sbomJson, Map.class);
+                    Map<String, Object> sbomMap = mapper.convertValue(sbomJson, Map.class);
                     sbomMap.put("vulnerabilities", allVulnerabilities);
 
-                    String enrichedContent = new ObjectMapper().writerWithDefaultPrettyPrinter()
-                                                              .writeValueAsString(sbomMap);
+                    String enrichedContent = mapper.writerWithDefaultPrettyPrinter()
+                                                   .writeValueAsString(sbomMap);
 
                     // Update with enriched content
                     mergedSbom.setContent(enrichedContent);
@@ -382,4 +409,23 @@ public ResponseEntity<?> generateWithOSI(@RequestParam("projectName") String pro
         return new ResponseEntity<>(convertedID, HttpStatus.OK);
     }
 
+    private boolean matchesRequestedFormat(SBOMFile file, SerializerFactory.Schema schema, SerializerFactory.Format format) {
+        SBOMFile.Schema expectedSchema = switch (schema) {
+            case CDX14 -> SBOMFile.Schema.CYCLONEDX_14;
+            case SPDX23 -> SBOMFile.Schema.SPDX_23;
+            default -> null;
+        };
+
+        SBOMFile.FileType expectedType = switch (format) {
+            case JSON -> SBOMFile.FileType.JSON;
+            case XML -> SBOMFile.FileType.XML;
+            case TAGVALUE -> SBOMFile.FileType.TAG_VALUE;
+        };
+
+        return expectedSchema != null
+                && expectedType != null
+                && file.getSchema() == expectedSchema
+                && file.getFileType() == expectedType;
+    }
+
 }

api/src/main/java/org/svip/api/services/OSIService.java

@@ -140,7 +140,7 @@ public HashMap<String, String> generateSBOMs(List<String> toolNames) throws IOEx
             // Convert osi json string into map. Increase max string length to support large base64 bodies
             JsonFactory factory = JsonFactory.builder()
                     .streamReadConstraints(StreamReadConstraints.builder()
-                            .maxStringLength(100_000_000) // 100MB, higher than default 20MB
+                            .maxStringLength(500_000_000) // 500MB, increased from 100MB to handle very large SBOMs
                             .build())
                     .build();
             ObjectMapper mapper = new ObjectMapper(factory);

api/src/main/java/org/svip/api/services/SBOMFileService.java

@@ -259,17 +259,15 @@ public Long merge(Long[] ids) throws Exception {
             throw new Exception("Error merging SBOMs: " + e.getMessage());
         }
 
-        SerializerFactory.Schema schema = SerializerFactory.Schema.SPDX23;
+        SerializerFactory.Schema schema = SerializerFactory.Schema.CDX14;
 
         // serialize merged SBOM
-        Serializer s = SerializerFactory.createSerializer(schema, SerializerFactory.Format.TAGVALUE, // todo default to
-                // SPDX JSON for
-                // now?
-                true);
+        Serializer s = SerializerFactory.createSerializer(schema, SerializerFactory.Format.JSON, true);
         s.setPrettyPrinting(true);
         String contents;
         try {
-            contents = s.writeToString((SVIPSBOM) merged);
+            org.svip.sbom.model.interfaces.generics.SBOM mergedForSchema = Conversion.convert(merged, SerializerFactory.Schema.SVIP, schema);
+            contents = s.writeToString((SVIPSBOM) mergedForSchema);
         } catch (JsonProcessingException | ClassCastException e) {
             throw new Exception("Error deserializing merged SBOM: " + e.getMessage());
         }