Direct dependencies missing if package is used as both direct and transitive dependency

[rogu-beta]

Describe the bug
The dependency graph gathered from load_sbom does not accurately represent what is contained within the SBOM. If a package is both a direct dependency and transitive dependency at the same time, the listing will only show the package as a transitive dependency.

In the example given below, the package pkg:npm/%40angular/animations@18.2.9 is both a dependency to the global dejacode-demo representing the project and the package pkg:npm/@angular/material@18.2.9. This can be seen in the section:

"dependencies": [
        {
            "ref": "pkg:npm/dejacode-demo",
            "dependsOn": [
                "pkg:npm/@angular/animations@18.2.9",
                "pkg:npm/@angular/common@18.2.9",
                "pkg:npm/@angular/compiler@18.2.9",
                "pkg:npm/@angular/core@18.2.9",
                "pkg:npm/@angular/forms@18.2.9",
                "pkg:npm/@angular/material@18.2.9",
                "pkg:npm/@angular/platform-browser-dynamic@18.2.9",
                "pkg:npm/@angular/platform-browser@18.2.9",
                "pkg:npm/@angular/router@18.2.9",
                "pkg:npm/@jsverse/transloco@7.6.1",
                "pkg:npm/@ngrx/effects@18.1.1",
                "pkg:npm/@ngrx/store@18.1.1",
                "pkg:npm/ngx-echarts@19.0.0",
                "pkg:npm/ngx-toastr@17.0.2",
                "pkg:npm/tslib@2.8.1"
            ]
        },

{
            "ref": "pkg:npm/@angular/material@18.2.9",
            "dependsOn": [
                "pkg:npm/@angular/animations@18.2.9",
                "pkg:npm/@angular/cdk@18.2.9",
                "pkg:npm/@angular/common@18.2.9",
                "pkg:npm/@angular/core@18.2.9",
                "pkg:npm/@angular/forms@18.2.9",
                "pkg:npm/@angular/platform-browser@18.2.9",
                "pkg:npm/rxjs@7.8.2",
                "pkg:npm/tslib@2.8.1"
            ]
        },

However, the result in ScanCode.io only shows pkg:npm/@angular/animations@18.2.9 as a dependency of pkg:npm/@angular/material@18.2.9.

System configuration

• ScanCode.io 35.4.0
• Running with custom Helm deployment
• Linux
• Using the following SBOM as input: 2025-10-23-deps-graph-debug-sbom-import.json
• Using load_sbom as pipeline

To Reproduce
Steps to reproduce the behavior:

1. Create a new project in ScanCode.io
2. Upload the SBOM file
3. Select load_sbom as pipeline
4. Run the pipeline
5. Once the job has completed open the dependencies
6. Search for pkg:npm/@angular/animations@18.2.9 and notice that there is only one occurrence in the tree

Expected behavior
The tree should accurately represent all dependency relationships found in the SBOM

Screenshots

[rogu-beta]

Requesting the data available via the API, it seems that direct dependencies are not retained at all. It only stores relations between packages/components in pairs, excluding the root component. The tree seems to be a reconstruction based on the data and thus misses direct dependencies. Representing the full data correctly is required should DejaCode want to properly export the SBOM with the right dependency graph.

[Monal-Reddy]

From looking into the SBOM loading path, it seems that package-package dependencies are created reliably, but project-level dependencies (for_package=None) are not consistently created.

In particular, get_dependencies_from_manifest() extracts dependency data without preserving root/project context, while create_dependencies_from_packages_extra_data() focuses on creating package→package relationships. When a package is both a direct dependency of the project and a transitive dependency of another package, the project-package relationship is therefore lost, and the package only appears as transitive.

This seems to explain why direct dependencies disappear in this scenario. I’m happy to work on a fix if this understanding is correct.

[Monal-Reddy]

I’ve opened a PR that addresses this issue by preserving project-level
dependencies originating from SPDXRef-DOCUMENT:

#2035

[rogu-beta]

@Monal-Reddy Thank you for working on this. In my case I was working with CycloneDX SBOMs, so this would have to be addressed for those as well. In general any work on this needs to be coordinated with DejaCode development though, as changes to the data structure would likely break compatibility with it unless they prepare to ingest the adapted data.

[Monal-Reddy]

Got it, thanks for the context!! will be happy to continue working on this under a maintainer's guidance.