diff --git a/internal/formats/github/encoder.go b/internal/formats/github/encoder.go
index 2e39f7c102a..9dfc6890d44 100644
--- a/internal/formats/github/encoder.go
+++ b/internal/formats/github/encoder.go
@@ -130,7 +130,7 @@ func toGithubManifests(s *sbom.SBOM) Manifests {
 name := dependencyName(p)
 manifest.Resolved[name] = DependencyNode{
- Purl: p.PURL,
+ PackageURL: p.PURL,
 Metadata: toDependencyMetadata(p),
 Relationship: toDependencyRelationshipType(p),
 Scope: toDependencyScope(p),
diff --git a/internal/formats/github/encoder_test.go b/internal/formats/github/encoder_test.go
index 91ac837692c..3eb58c75571 100644
--- a/internal/formats/github/encoder_test.go
+++ b/internal/formats/github/encoder_test.go
@@ -104,12 +104,12 @@ func Test_toGithubModel(t *testing.T) {
 },
 Resolved: DependencyGraph{
 "pkg:generic/pkg-1@1.0.1": DependencyNode{
- Purl: "pkg:generic/pkg-1@1.0.1",
+ PackageURL: "pkg:generic/pkg-1@1.0.1",
 Scope: DependencyScopeRuntime,
 Relationship: DependencyRelationshipDirect,
 },
 "pkg:generic/pkg-2@2.0.2": DependencyNode{
- Purl: "pkg:generic/pkg-2@2.0.2",
+ PackageURL: "pkg:generic/pkg-2@2.0.2",
 Scope: DependencyScopeRuntime,
 Relationship: DependencyRelationshipDirect,
 },
@@ -125,7 +125,7 @@ func Test_toGithubModel(t *testing.T) {
 },
 Resolved: DependencyGraph{
 "pkg:generic/pkg-3@3.0.3": DependencyNode{
- Purl: "pkg:generic/pkg-3@3.0.3",
+ PackageURL: "pkg:generic/pkg-3@3.0.3",
 Scope: DependencyScopeRuntime,
 Relationship: DependencyRelationshipDirect,
 },
diff --git a/internal/formats/github/github_dependency_api.go b/internal/formats/github/github_dependency_api.go
index 86743419005..fe873d41809 100644
--- a/internal/formats/github/github_dependency_api.go
+++ b/internal/formats/github/github_dependency_api.go
@@ -14,9 +14,9 @@ type DependencySnapshot struct {
 }
 type Job struct {
- Name string `json:"name,omitempty"` // !omitempty
- ID string `json:"id,omitempty"` // !omitempty
- HTMLURL string `json:"html_url,omitempty"`
+ Correlator string `json:"correlator,omitempty"` // !omitempty
+ ID string `json:"id,omitempty"` // !omitempty
+ HTMLURL string `json:"html_url,omitempty"`
 }
 type DetectorMetadata struct {
@@ -62,7 +62,7 @@ const (
 )
 type DependencyNode struct {
- Purl string `json:"purl,omitempty"`
+ PackageURL string `json:"package_url,omitempty"`
 Metadata Metadata `json:"metadata,omitempty"`
 Relationship DependencyRelationship `json:"relationship,omitempty"`
 Scope DependencyScope `json:"scope,omitempty"`
diff --git a/internal/formats/syftjson/to_syft_model.go b/internal/formats/syftjson/to_syft_model.go
index bac4df94b24..9c28c24a610 100644
--- a/internal/formats/syftjson/to_syft_model.go
+++ b/internal/formats/syftjson/to_syft_model.go
@@ -177,8 +177,12 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
 Metadata: p.Metadata,
 }
- out.SetID()
+ // we don't know if this package ID is truly unique, however, we need to trust the user input in case there are
+ // external references to it. That is, we can't derive our own ID (using pkg.SetID()) since consumers won't
+ // be able to historically interact with data that references the IDs from the original SBOM document being decoded now.
+ out.OverrideID(artifact.ID(p.ID))
+ // this alias mapping is currently defunct, but could be useful in the future.
 id := string(out.ID())
 if id != p.ID {
 idAliases[p.ID] = id
diff --git a/syft/pkg/package.go b/syft/pkg/package.go
index 13b19ca37a2..d39be9912b5 100644
--- a/syft/pkg/package.go
+++ b/syft/pkg/package.go
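Review bot: The new `Correlator` line carries the `// !omitempty` marker next to a `json:"correlator,omitempty"` tag, so if that marker means the field must be present on the wire (the same combination is kept on `ID` below), an empty value is silently dropped from the encoded snapshot instead of being rejected locally. Either remove `omitempty` from the fields the marker flags, or validate that they are non-empty before encoding and state in the struct comment which of the two the marker is meant to enforce. The `Job` struct is complete within the hunk.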
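Review bot: `out.OverrideID(artifact.ID(p.ID))` takes whatever `id` the decoded document carries, so an empty or duplicated `id` in the input now becomes an empty or colliding package ID, whereas the removed `out.SetID()` always derived one from content. The document is external input and, judging by the `idAliases` map, IDs are what other records refer to, so at least fall back to the derived ID when the field is absent: `if p.ID == "" { out.SetID() } else { out.OverrideID(artifact.ID(p.ID)) }`, and consider having the caller reject duplicate IDs across the document. With the override alone, `string(out.ID())` always equals `p.ID`, so the `if id != p.ID` branch below is dead code, as the new comment concedes; a fallback like the one above is what would give it a case to handle. The enclosing `toSyftPackage` starts and ends outside the hunk.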
@@ -28,6 +28,10 @@ type Package struct {
 Metadata interface{} // additional data found while parsing the package source
 }
+func (p *Package) OverrideID(id artifact.ID) {
+ p.id = id
+ }
+
 func (p *Package) SetID() {
 id, err := artifact.IDByHash(p)
 if err != nil {
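Review bot: `OverrideID` is a new exported method with no doc comment, and nothing records that it bypasses the content-derived ID that `SetID` obtains from `artifact.IDByHash`. Suggest `// OverrideID replaces the package ID with a caller-supplied value instead of the hash-derived ID produced by SetID; the caller is responsible for the value being non-empty and unique within the catalog.` The method does no validation of `id`, which is reasonable for a low-level setter, but the comment should say so, since the decoder introduced in this change is the one that has to perform that check.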