fix(sbom): use original BOM-Refs

Signed-off-by: knqyf263 <[email protected]>
aquasecurity · Mar 1, 2024 · d3f5b6e · d3f5b6e
1 parent b685508
commit d3f5b6e
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -165,7 +165,7 @@
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
           "PkgIdentifier": {
             "PURL": "pkg:gem/[email protected]",
-            "BOMRef": "pkg:gem/[email protected]"
+            "BOMRef": "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
           },
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",

diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
@@ -271,6 +271,9 @@ func (b *BOM) NumComponents() int {
 // When multiple lock files have the same dependency with the same name and version, PURL in the BOM can conflict.
 // In that case, PURL cannot be used as a unique identifier, and UUIDv4 be used for BOMRef.
 func (b *BOM) bomRef(c *Component) string {
+	if c.PkgID.BOMRef != "" {
+		return c.PkgID.BOMRef
+	}
 	// Return the UUID of the component if the PURL is not present.
 	if c.PkgID.PURL == nil {
 		return c.id.String()