Circularity in dependencies #943
JimFuller-RedHat
started this conversation in
General
Replies: 0 comments
Both SPDX and CycloneDX allow circular dependencies to be defined.
For example, we can create a circularity by pointing the following components like so:
Circular dependencies are valid and possible in well-written libraries/applications (but hopefully quite rare in practice) ... how do we want the analysis graph to handle them? Do we even want to be able to ingest such SBOMs into analysis graphs?
Today we are allowing such circularity and we can put in guard rails to avoid any SBOM graphs with such constructs ... alternately we could come up with a JSON representation for these (infinite recursion is not an option ;) ) ... what might that look like (and still be useful)?
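An added example to illustrate the two options raised above (a guard rail that rejects or flags cyclic SBOM graphs, and a JSON representation that stays finite by marking back-edges instead of recursing). This is not code from the discussion or from any project it refers to. It assumes a CycloneDX-style `dependencies` array (`ref` / `dependsOn` keyed by bom-ref); the bom-refs and the cycle between `lib-a` and `lib-b` are constructed sample data.

```python
import json
from typing import Dict, List

# Constructed sample in the shape of a CycloneDX "dependencies" array:
# each entry names a component by bom-ref and lists the bom-refs it depends on.
# lib-a -> lib-b -> lib-a is the deliberate cycle; lib-c is an ordinary leaf.
APP = "pkg:maven/example/app@1.0"
LIB_A = "pkg:maven/example/lib-a@1.0"
LIB_B = "pkg:maven/example/lib-b@1.0"
LIB_C = "pkg:maven/example/lib-c@1.0"

SAMPLE_DEPENDENCIES = [
    {"ref": APP, "dependsOn": [LIB_A]},
    {"ref": LIB_A, "dependsOn": [LIB_B]},
    {"ref": LIB_B, "dependsOn": [LIB_A, LIB_C]},
    {"ref": LIB_C, "dependsOn": []},
]


def build_graph(dependencies: List[dict]) -> Dict[str, List[str]]:
    """Adjacency list keyed by bom-ref; refs that only appear in dependsOn
    still get a node so lookups never KeyError."""
    graph: Dict[str, List[str]] = {}
    for entry in dependencies:
        graph.setdefault(entry["ref"], [])
        for dep in entry.get("dependsOn", []):
            graph[entry["ref"]].append(dep)
            graph.setdefault(dep, [])
    return graph


def find_cycles(graph: Dict[str, List[str]]) -> List[List[str]]:
    """Guard rail for ingestion: DFS with white/grey/black colouring.
    Every back-edge (an edge to a node still on the DFS stack) yields one
    cycle, reported as the refs from that node back to itself."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {node: WHITE for node in graph}
    stack: List[str] = []
    cycles: List[List[str]] = []

    def visit(node: str) -> None:
        color[node] = GREY
        stack.append(node)
        for nxt in graph[node]:
            if color[nxt] == GREY:            # back-edge: nxt is an ancestor
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif color[nxt] == WHITE:
                visit(nxt)
        stack.pop()
        color[node] = BLACK

    for node in graph:
        if color[node] == WHITE:
            visit(node)
    return cycles


def expand(graph: Dict[str, List[str]], root: str) -> dict:
    """Finite, JSON-serialisable tree view of the graph from `root`.
    A ref already on the current path becomes a leaf {"ref": ..., "cycle": True}
    instead of being expanded again. Note that a shared dependency reached by
    two different paths (a diamond) is not a cycle and is expanded twice."""

    def walk(node: str, path: frozenset) -> dict:
        if node in path:
            return {"ref": node, "cycle": True}
        return {
            "ref": node,
            "dependsOn": [walk(dep, path | {node}) for dep in graph[node]],
        }

    return walk(root, frozenset())


def ingest(dependencies: List[dict], root: str, reject_cycles: bool) -> dict:
    """Either refuse cyclic SBOMs outright (guard-rail mode) or accept them
    and return the cycle-marked tree together with the cycles found."""
    graph = build_graph(dependencies)
    cycles = find_cycles(graph)
    if cycles and reject_cycles:
        raise ValueError(f"SBOM rejected, {len(cycles)} cycle(s): {cycles}")
    return {"tree": expand(graph, root), "cycles": cycles}


if __name__ == "__main__":
    print(json.dumps(ingest(SAMPLE_DEPENDENCIES, APP, reject_cycles=False), indent=2))
```

Both behaviours come from the same graph pass: in guard-rail mode `ingest` raises on the first cyclic SBOM, and in accepting mode the returned tree is finite because `expand` only tracks the refs on the current path, so the cycle shows up exactly once as a `{"ref": ..., "cycle": true}` leaf under `lib-b`.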