diff --git a/pkg/fanal/types/package.go b/pkg/fanal/types/package.go
index 0836c7978967..ff3d8b704a2c 100644
--- a/pkg/fanal/types/package.go
+++ b/pkg/fanal/types/package.go
@@ -56,7 +56,8 @@ func (r *Relationship) UnmarshalJSON(data []byte) error {
 type PkgIdentifier struct {
 	UID string `json:",omitempty"` // Calculated by the package struct
 	PURL *packageurl.PackageURL `json:"-"`
-	BOMRef string `json:",omitempty"` // From SBOM file: `component.BOMRef` or `package.SPDXID`
+	BOMRef string `json:",omitempty"` // For CycloneDX
+	SPDXID string `json:",omitempty"` // For SPDX
 }
 
 // MarshalJSON customizes the JSON encoding of PkgIdentifier.
diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
index 9e60bfe083ab..7ff0a53968ec 100644
--- a/pkg/sbom/core/bom.go
+++ b/pkg/sbom/core/bom.go
@@ -133,6 +133,9 @@ type Component struct {
 	// SPDX: package.externalRefs.referenceLocator
 	// BOMRef:
 	// CycloneDX: component.bom-ref
+	// SPDX: N/A
+	// SPDXID:
+	// CycloneDX: N/A
 	// SPDX: package.SPDXID
 	PkgIdentifier ftypes.PkgIdentifier
 
diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
index 8c8d278d2211..38375ddbfc95 100644
--- a/pkg/sbom/io/decode.go
+++ b/pkg/sbom/io/decode.go
@@ -152,7 +152,12 @@ func (m *Decoder) selectOS(osComponents []*core.Component, sbom *types.SBOM) {
 		if numberOfIPkgs != numberOfJPkgs {
 			return numberOfIPkgs < numberOfJPkgs
 		}
-		return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
+		// For CycloneDX
+		if osComponents[i].PkgIdentifier.BOMRef != "" || osComponents[j].PkgIdentifier.BOMRef != "" {
+			return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
+		}
+		// For SPDX
+		return osComponents[i].PkgIdentifier.SPDXID < osComponents[j].PkgIdentifier.SPDXID
 	})
 
 	if len(osComponents) > 1 {
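Review bot: The replacement comments on the `BOMRef` and `SPDXID` fields drop the provenance the old comment carried, so a reader no longer sees which SBOM element each value is taken from; suggest `// From SBOM file: component.bom-ref (CycloneDX)` and `// From SBOM file: package.SPDXID (SPDX)`. The hunk's trailing context shows that `MarshalJSON customizes the JSON encoding of PkgIdentifier`; if that method (outside the hunk) enumerates fields by hand rather than aliasing the struct, the new `SPDXID` field would be silently dropped from serialized output and any cached copies, which is worth confirming before relying on it downstream.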
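Review bot: The new comparator still leaves a tie unresolved when both `BOMRef` values and both `SPDXID` values are empty (a CycloneDX `bom-ref` is optional on a component), and if the surrounding call is `sort.Slice`, which is not stable, the element that lands at index 0 — and therefore which OS the scan attributes vulnerabilities to — can differ between runs on the same SBOM. A final tiebreak on `Name`/`Version`, or switching to `sort.SliceStable` so input order decides, would make the selection deterministic. The `||` guard also compares a real `bom-ref` against an empty string when only one side has one; `if osComponents[i].PkgIdentifier.BOMRef != osComponents[j].PkgIdentifier.BOMRef { return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef }` preserves the CycloneDX ordering and falls through to `SPDXID` only when the refs are equal, which is a cleaner strict weak ordering. selectOS starts before this hunk and continues past it.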
@@ -244,6 +249,7 @@ func (m *Decoder) decodeLibrary(c *core.Component) (*ftypes.Package, error) {
 	}
 
 	pkg.Identifier.BOMRef = c.PkgIdentifier.BOMRef
+	pkg.Identifier.SPDXID = c.PkgIdentifier.SPDXID
 	pkg.Licenses = c.Licenses
 
 	for _, f := range c.Files {
diff --git a/pkg/sbom/spdx/unmarshal.go b/pkg/sbom/spdx/unmarshal.go
index 250fa0144b05..dd8085d1fe0b 100644
--- a/pkg/sbom/spdx/unmarshal.go
+++ b/pkg/sbom/spdx/unmarshal.go
@@ -166,7 +166,7 @@ func (s *SPDX) parsePackage(spdxPkg spdx.Package) (*core.Component, error) {
 			Name: spdxPkg.PackageName,
 			Version: spdxPkg.PackageVersion,
 			PkgIdentifier: types.PkgIdentifier{
-				BOMRef: string(spdxPkg.PackageSPDXIdentifier),
+				SPDXID: string(spdxPkg.PackageSPDXIdentifier),
 			},
 		}