fix(sbom): export bom-ref when converting a package to a component

[afdesk]

Description

Reproduction Steps

$ wget https://pastebin.com/raw/iD0PiatU
$ trivy sbom --format cyclonedx --scanners vuln iD0PiatU

Before:

      "affects": [
        {
          "ref": "ca36a16f-8acd-4d6a-b9d9-6e9e265bc0d8",
          "versions": [
            {
              "version": "227",
              "status": "affected"
            }
          ]

After:

"affects": [
        {
          "ref": "pkg:pypi/pywin32@227",
          "versions": [
            {
              "version": "227",
              "status": "affected"
            }
          ]
        }
      ]

Related issues

• Close Unmatched Vulnerabilities.affects.ref when scanning CycloneDX sbom with duplicate Purls #7337

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

We don't include file paths in PURL anymore. If it remains somewhere, it should be deleted.

[afdesk]

ok, I'm removing it

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ afdesk
❌ amf

---

amf seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[knqyf263]

We should add a new test to ensure original BOM-Refs are kept as-is. In the existing test, the input is SBOM, but the output is Trivy JSON.

trivy/integration/sbom_test.go

Lines 51 to 59 in 6a72dd4

	{
	name: "fluentd-multiple-lockfiles cyclonedx",
	args: args{
	input: "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
	format: "json",
	artifactType: "cyclonedx",
	},
	golden: "testdata/fluentd-multiple-lockfiles.json.golden",
	},

[afdesk]

We should add a new test to ensure original BOM-Refs are kept as-is.

The testcase is added now.

[knqyf263]

Can we re-use the existing json, fluentd-multiple-lockfiles-cyclonedx.json? You can change this file to use UUID in BOM-Ref.

[afdesk]

the testcase is updated fluentd-multiple-lockfiles-cyclonedx.json.
I wanted to use fluentd-multiple-lockfiles.cdx.json.golden also, but this cdx result is a large, because it's result for fluentd-multiple-lockfiles.tar.gz. fluentd-multiple-lockfiles-cyclonedx.json is shorter.
so I've created a new golden file.

[DmitriyLewen]

@afdesk I may have found another issue (maybe for another PR):
File iD0PiatU contains 2 same packages with different BOMRefs.
Should we show 2 BOMrefs in affects array:
something like that:

"affects": [
        {
          "ref": "pkg:pypi/pywin32@227",
          "versions": [
            {
              "version": "227",
              "status": "affected"
            }
          ]
        }
        {
          "ref": "de3ojve0eoj0j0je",
          "versions": [
            {
              "version": "227",
              "status": "affected"
            }
          ]
        }
      ]

[DmitriyLewen]

input and output bomrefs for OS are not equial:

trivy/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json

Lines 107 to 110 in bfdf5cf

	"bom-ref": "353f2470-9c8b-4647-9d0d-96d893838dc8",
	"type": "operating-system",
	"name": "debian",
	"version": "10.2",

[afdesk]

Now Trivy builds new SBOM components from the result:

trivy/pkg/sbom/io/encode.go

Line 260 in 98e136e

func (e *Encoder) resultComponent(root *core.Component, r types.Result, osFound *ftypes.OS) *core.Component {

to keep existing BOM-refs we should look for this one (if report.BOM != nil) by name and save it.
it matters for non-root and non-child components.

if we don't want to use this logic I can see 2 options:

1. we don't keep intermediate BOM-refs. because these ones are generated UUIDs.
   Trivy still updates them for empty BOM-refs.

2. we don't encode a result into a new BOM report, and keep existing BOM.
   just will add vuln fieldsL:
   SBOM -> Trivy -> the same SBOM+ vulnerability list.

@knqyf263 @DmitriyLewen wdyt? thanks

[DmitriyLewen]

to keep existing BOM-refs we should look for this one (if report.BOM != nil) by name and save it.
it matters for non-root and non-child components.

I think we can try to use this way.
But we need to save operating-system here:

trivy/pkg/sbom/io/decode.go

Lines 120 to 136 in 98e136e

	case core.TypeOS:
	if m.osID != uuid.Nil {
	onceMultiOSWarn()
	continue
	}
	m.osID = id
	sbom.Metadata.OS = &ftypes.OS{
	Family: ftypes.OSType(c.Name),
	Name: c.Version,
	}
	continue
	case core.TypeApplication:
	if app := m.decodeApplication(c); app.Type != "" {
	m.apps[id] = app
	continue
	}
	}

we don't keep intermediate BOM-refs.

Do you mean BOMrefs for #2?

trivy/pkg/sbom/io/encode.go

Lines 160 to 173 in 98e136e

	// Container component (alpine:3.15) --------------------- #1
	// -> Operating System Component (Alpine Linux 3.15) --- #2
	// -> Library component (bash-4.12) ------------------ #3
	// -> Library component (vim-8.2) ------------------ #3
	// -> etc.
	//
	// Else if a package is language-specific package associated with a lock file,
	// it will be a dependency of "Application" component.
	// e.g.
	// Container component (alpine:3.15) ------------------------ #1
	// -> Application component (/app/package-lock.json) ------ #2
	// -> Library component (npm package, express-4.17.3) --- #3
	// -> Library component (npm package, lodash-4.17.21) --- #3
	// -> etc.

we don't encode a result into a new BOM report, and keep existing BOM.
just will add vuln fieldsL:
SBOM -> Trivy -> the same SBOM+ vulnerability list.

I am not sure about this.
This will be work with Trivy reports, but we may see problem with SBOM files from other sources.

[afdesk]

Do you mean BOMrefs for #2?

yes, for Application component (/app/package-lock.json)

[afdesk]

@DmitriyLewen could you take a look? thanks

[DmitriyLewen]

Looks like we can remove this

[afdesk]

it seems that no, we have to allocate memory

[afdesk]

updated

[DmitriyLewen]

IIRC we correctly store BomRefs for the Root component and packages.
Do we need this check for all types? maybe we can do this check only for Application and OperatingSystem types?

[afdesk]

done

[DmitriyLewen]

LGTM

@knqyf263 take a look, when you have time

[knqyf263]

I have refactored. @DmitriyLewen @afdesk Can you please take a look?