fix(sbom): use original BOM-Refs

Signed-off-by: knqyf263 <[email protected]>
aquasecurity · Mar 1, 2024 · 64a9b14 · 64a9b14
1 parent b685508
commit 64a9b14
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 42 deletions.
diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -165,7 +165,7 @@
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
           "PkgIdentifier": {
             "PURL": "pkg:gem/[email protected]",
-            "BOMRef": "pkg:gem/[email protected]"
+            "BOMRef": "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
           },
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",

diff --git a/pkg/fanal/artifact/sbom/sbom_test.go b/pkg/fanal/artifact/sbom/sbom_test.go
@@ -30,7 +30,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			filePath: filepath.Join("testdata", "bom.json"),
 			putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 				Args: cache.ArtifactCachePutBlobArgs{
-					BlobID: "sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+					BlobID: "sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						OS: types.OS{
@@ -152,7 +152,8 @@ func TestArtifact_Inspect(t *testing.T) {
 												Name:      "child-project",
 												Version:   "1.0",
 											},
-											BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]",
+											// Keep the original value
+											BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 										},
 									},
 								},
@@ -176,7 +177,8 @@ func TestArtifact_Inspect(t *testing.T) {
 												Name:    "bootstrap",
 												Version: "5.0.2",
 											},
-											BOMRef: "pkg:npm/[email protected]",
+											// Keep the original value
+											BOMRef: "pkg:npm/[email protected]?file_path=app%2Fapp%2Fpackage.json",
 										},
 									},
 								},
@@ -189,9 +191,9 @@ func TestArtifact_Inspect(t *testing.T) {
 			want: types.ArtifactReference{
 				Name: filepath.Join("testdata", "bom.json"),
 				Type: types.ArtifactCycloneDX,
-				ID:   "sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+				ID:   "sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 				BlobIDs: []string{
-					"sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+					"sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 				},
 			},
 		},
@@ -200,7 +202,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			filePath: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
 			putBlobExpectation: cache.ArtifactCachePutBlobExpectation{
 				Args: cache.ArtifactCachePutBlobArgs{
-					BlobID: "sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+					BlobID: "sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 					BlobInfo: types.BlobInfo{
 						SchemaVersion: types.BlobJSONSchemaVersion,
 						OS: types.OS{
@@ -318,7 +320,8 @@ func TestArtifact_Inspect(t *testing.T) {
 												Name:      "child-project",
 												Version:   "1.0",
 											},
-											BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]",
+											// Keep the original value
+											BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 										},
 										Layer: types.Layer{
 											DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -341,7 +344,8 @@ func TestArtifact_Inspect(t *testing.T) {
 												Name:    "bootstrap",
 												Version: "5.0.2",
 											},
-											BOMRef: "pkg:npm/[email protected]",
+											// Keep the original value
+											BOMRef: "pkg:npm/[email protected]?file_path=app%2Fapp%2Fpackage.json",
 										},
 										Licenses: []string{"MIT"},
 										Layer: types.Layer{
@@ -359,9 +363,9 @@ func TestArtifact_Inspect(t *testing.T) {
 			want: types.ArtifactReference{
 				Name: filepath.Join("testdata", "sbom.cdx.intoto.jsonl"),
 				Type: types.ArtifactCycloneDX,
-				ID:   "sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+				ID:   "sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 				BlobIDs: []string{
-					"sha256:3de8fe6730ed2f43d18ee0189ed2d87fd99388f93f75a8dd6beb3dd35ce79cd1",
+					"sha256:f6d4bf4edf2818010ef009b6cd0f837c94dac3464d99e665470c8d05648478e3",
 				},
 			},
 		},

diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
@@ -271,6 +271,9 @@ func (b *BOM) NumComponents() int {
 // When multiple lock files have the same dependency with the same name and version, PURL in the BOM can conflict.
 // In that case, PURL cannot be used as a unique identifier, and UUIDv4 be used for BOMRef.
 func (b *BOM) bomRef(c *Component) string {
+	if c.PkgID.BOMRef != "" {
+		return c.PkgID.BOMRef
+	}
 	// Return the UUID of the component if the PURL is not present.
 	if c.PkgID.PURL == nil {
 		return c.id.String()

diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
@@ -24,11 +24,25 @@ import (
 )
 
 func TestMarshaler_MarshalReport(t *testing.T) {
+	testSBOM := core.NewBOM()
+	testSBOM.AddComponent(&core.Component{
+		Root: true,
+		Type: core.TypeApplication,
+		Name: "jackson-databind-2.13.4.1.jar",
+		PkgID: core.PkgID{
+			BOMRef: "aff65b54-6009-4c32-968d-748949ef46e8",
+		},
+		Properties: []core.Property{
+			{
+				Name:  "SchemaVersion",
+				Value: "2",
+			},
+		},
+	})
 
 	tests := []struct {
 		name        string
 		inputReport types.Report
-		sbom        bool
 		want        *cdx.BOM
 	}{
 		{
@@ -1500,14 +1514,14 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 						},
 					},
 				},
+				BOM: testSBOM,
 			},
-			sbom: true,
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
 				SpecVersion:  cdx.SpecVersion1_5,
 				JSONSchema:   "http://cyclonedx.org/schema/bom-1.5.schema.json",
-				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000003",
+				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000002",
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
@@ -1522,7 +1536,7 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 						},
 					},
 					Component: &cdx.Component{
-						BOMRef: "3ff14136-e09f-4df9-80ea-000000000001",
+						BOMRef: "aff65b54-6009-4c32-968d-748949ef46e8", // The original bom-ref is used
 						Type:   cdx.ComponentTypeApplication,
 						Name:   "jackson-databind-2.13.4.1.jar",
 						Properties: &[]cdx.Property{
@@ -1598,7 +1612,7 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 				},
 				Dependencies: &[]cdx.Dependency{
 					{
-						Ref: "3ff14136-e09f-4df9-80ea-000000000001",
+						Ref: "aff65b54-6009-4c32-968d-748949ef46e8",
 						Dependencies: &[]string{
 							"pkg:maven/com.fasterxml.jackson.core/[email protected]",
 						},
@@ -2076,32 +2090,10 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 			ctx := clock.With(context.Background(), time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC))
 			uuid.SetFakeUUID(t, "3ff14136-e09f-4df9-80ea-%012d")
 
-			if tt.sbom {
-				tt.inputReport.BOM = testsBOM()
-			}
 			marshaler := cyclonedx.NewMarshaler("dev")
 			got, err := marshaler.MarshalReport(ctx, tt.inputReport)
 			require.NoError(t, err)
 			assert.Equal(t, tt.want, got)
 		})
 	}
 }
-
-func testsBOM() *core.BOM {
-	testSBOM := core.NewBOM()
-	testSBOM.AddComponent(&core.Component{
-		Root: true,
-		Type: core.TypeApplication,
-		Name: "jackson-databind-2.13.4.1.jar",
-		PkgID: core.PkgID{
-			BOMRef: "aff65b54-6009-4c32-968d-748949ef46e8",
-		},
-		Properties: []core.Property{
-			{
-				Name:  "SchemaVersion",
-				Value: "2",
-			},
-		},
-	})
-	return testSBOM
-}
diff --git a/pkg/sbom/cyclonedx/unmarshal_test.go b/pkg/sbom/cyclonedx/unmarshal_test.go
@@ -173,7 +173,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "child-project",
 										Version:   "1.0",
 									},
-									BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]",
+									BOMRef: "pkg:maven/org.codehaus.mojo/[email protected]?file_path=app%2Fmaven%2Ftarget%2Fchild-project-1.0.jar",
 								},
 								Version: "1.0",
 								Layer: ftypes.Layer{
@@ -198,7 +198,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "bootstrap",
 										Version:   "5.0.2",
 									},
-									BOMRef: "pkg:npm/%40example/[email protected]",
+									BOMRef: "pkg:npm/@example/[email protected]?file_path=app%2Fapp%2Fpackage.json",
 								},
 								Licenses: []string{"MIT"},
 								Layer: ftypes.Layer{
@@ -416,7 +416,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									BOMRef: "pkg:deb/ubuntu/[email protected]?distro=ubuntu-22.04&epoch=1",
+									BOMRef: "pkg:deb/ubuntu/[email protected]?epoch=1&distro=ubuntu-22.04",
 								},
 								DependsOn: []string{
 									"[email protected]",
@@ -658,7 +658,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "spring-web",
 										Version:   "5.3.22",
 									},
-									BOMRef: "pkg:maven/org.springframework/[email protected]",
+									BOMRef: "pkg:maven/org.springframework/[email protected]?file_path=spring-web-5.3.22.jar",
 								},
 								FilePath: "spring-web-5.3.22.jar",
 							},