Drop support for raw_dict initialization #447
Description
🧪 Investigate test_cli.py Use of Raw Dict SBOM Input
Currently, test_cli.py constructs a malformed SBOM using a raw dictionary:
bad_sbom = SBOM({...})This raw dict form requires fallback parsing logic inside the SBOM.__post_init__ method:
https://github.com/LLNL/Surfactant/blob/10e89bc03a6f71caef8638bd2d51de36a01d5ba1/surfactant/sbomtypes/_sbom.py#L67-L122
That code attempts to detect if the input was a dict by checking:
if isinstance(self.systems, dict) and not self.hardware and not self.software:It then zeroes out all the default containers and performs a custom rehydration of systems, hardware, software, relationships, etc. This logic was introduced in PR #433 and exists solely to make the bad_sbom test pass.
❌ Why This Is Problematic
- Unclear contract: Constructing
SBOM(raw_dict)implies support for a dict constructor signature that isn't advertised or robust. - Tight coupling: Unit test behavior now relies on internal implementation quirks (
__post_init__behavior). - Rehydration risk: The fallback code path only applies if
hardware,software, etc. are unset, making it brittle and potentially dangerous if partial containers exist. - Non-portable tests: This usage breaks when stricter schema validation or type enforcement is added to
SBOM.
✅ Suggested Fix
-
Refactor
test_cli.pyto avoid creating SBOMs via dict fallback. Instead, construct malformed SBOMs via:SBOM.from_json(bad_json)for malformed inputSBOM(software=[Software(..., extra_field=...)])using valid constructors with bad fields
-
Remove or isolate the fallback rehydration block in
SBOM.__post_init__if it’s no longer required outside tests.
🔧 Acceptance Criteria
-
bad_sbomis constructed using a valid constructor or deserializer - Tests still validate failure handling for malformed input
- The dict rehydration path in
__post_init__(_sbom.py#L67-L122) is removed entirely