Merge branch 'main' into command-package-refactor

* main: Preserve syft IDs on SBOM decode (#963) Update GitHub format package_url and correlator (#961)
anchore · Apr 19, 2022 · c78c1bf · c78c1bf
2 parents a9f96fe + 172ecc0
commit c78c1bf
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 9 deletions.
diff --git a/internal/formats/github/encoder.go b/internal/formats/github/encoder.go
@@ -130,7 +130,7 @@ func toGithubManifests(s *sbom.SBOM) Manifests {
 
 		name := dependencyName(p)
 		manifest.Resolved[name] = DependencyNode{
-			Purl:         p.PURL,
+			PackageURL:   p.PURL,
 			Metadata:     toDependencyMetadata(p),
 			Relationship: toDependencyRelationshipType(p),
 			Scope:        toDependencyScope(p),

diff --git a/internal/formats/github/encoder_test.go b/internal/formats/github/encoder_test.go
@@ -104,12 +104,12 @@ func Test_toGithubModel(t *testing.T) {
 				},
 				Resolved: DependencyGraph{
 					"pkg:generic/pkg-1@1.0.1": DependencyNode{
-						Purl:         "pkg:generic/pkg-1@1.0.1",
+						PackageURL:   "pkg:generic/pkg-1@1.0.1",
 						Scope:        DependencyScopeRuntime,
 						Relationship: DependencyRelationshipDirect,
 					},
 					"pkg:generic/pkg-2@2.0.2": DependencyNode{
-						Purl:         "pkg:generic/pkg-2@2.0.2",
+						PackageURL:   "pkg:generic/pkg-2@2.0.2",
 						Scope:        DependencyScopeRuntime,
 						Relationship: DependencyRelationshipDirect,
 					},
@@ -125,7 +125,7 @@ func Test_toGithubModel(t *testing.T) {
 				},
 				Resolved: DependencyGraph{
 					"pkg:generic/pkg-3@3.0.3": DependencyNode{
-						Purl:         "pkg:generic/pkg-3@3.0.3",
+						PackageURL:   "pkg:generic/pkg-3@3.0.3",
 						Scope:        DependencyScopeRuntime,
 						Relationship: DependencyRelationshipDirect,
 					},

diff --git a/internal/formats/github/github_dependency_api.go b/internal/formats/github/github_dependency_api.go
@@ -14,9 +14,9 @@ type DependencySnapshot struct {
 }
 
 type Job struct {
-	Name    string `json:"name,omitempty"` // !omitempty
-	ID      string `json:"id,omitempty"`   // !omitempty
-	HTMLURL string `json:"html_url,omitempty"`
+	Correlator string `json:"correlator,omitempty"` // !omitempty
+	ID         string `json:"id,omitempty"`         // !omitempty
+	HTMLURL    string `json:"html_url,omitempty"`
 }
 
 type DetectorMetadata struct {
@@ -62,7 +62,7 @@ const (
 )
 
 type DependencyNode struct {
-	Purl         string                 `json:"purl,omitempty"`
+	PackageURL   string                 `json:"package_url,omitempty"`
 	Metadata     Metadata               `json:"metadata,omitempty"`
 	Relationship DependencyRelationship `json:"relationship,omitempty"`
 	Scope        DependencyScope        `json:"scope,omitempty"`

diff --git a/internal/formats/syftjson/to_syft_model.go b/internal/formats/syftjson/to_syft_model.go
@@ -177,8 +177,12 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
 		Metadata:     p.Metadata,
 	}
 
-	out.SetID()
+	// we don't know if this package ID is truly unique, however, we need to trust the user input in case there are
+	// external references to it. That is, we can't derive our own ID (using pkg.SetID()) since consumers won't
+	// be able to historically interact with data that references the IDs from the original SBOM document being decoded now.
+	out.OverrideID(artifact.ID(p.ID))
 
+	// this alias mapping is currently defunct, but could be useful in the future.
 	id := string(out.ID())
 	if id != p.ID {
 		idAliases[p.ID] = id

diff --git a/syft/pkg/package.go b/syft/pkg/package.go
@@ -28,6 +28,10 @@ type Package struct {
 	Metadata     interface{}        // additional data found while parsing the package source
 }
 
+func (p *Package) OverrideID(id artifact.ID) {
+	p.id = id
+}
+
 func (p *Package) SetID() {
 	id, err := artifact.IDByHash(p)
 	if err != nil {