diff --git a/internal/formats/syftjson/to_syft_model.go b/internal/formats/syftjson/to_syft_model.go
index bac4df94b24..9c28c24a610 100644
--- a/internal/formats/syftjson/to_syft_model.go
+++ b/internal/formats/syftjson/to_syft_model.go
@@ -177,8 +177,12 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
 Metadata: p.Metadata,
 }
- out.SetID()
+ // we don't know if this package ID is truly unique, however, we need to trust the user input in case there are
+ // external references to it. That is, we can't derive our own ID (using pkg.SetID()) since consumers won't
+ // be able to historically interact with data that references the IDs from the original SBOM document being decoded now.
+ out.OverrideID(artifact.ID(p.ID))
+ // this alias mapping is currently defunct, but could be useful in the future.
 id := string(out.ID())
 if id != p.ID {
 idAliases[p.ID] = id
diff --git a/syft/pkg/package.go b/syft/pkg/package.go
index 13b19ca37a2..d39be9912b5 100644
--- a/syft/pkg/package.go
+++ b/syft/pkg/package.go
@@ -28,6 +28,10 @@ type Package struct {
 Metadata interface{} // additional data found while parsing the package source
 }
+func (p *Package) OverrideID(id artifact.ID) {
+ p.id = id
+}
+
 func (p *Package) SetID() {
 id, err := artifact.IDByHash(p)
 if err != nil {
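Review bot: OverrideID is exported but carries no doc comment, and it stores whatever value it is given without checking it, so an empty artifact.ID is accepted silently; the only caller visible in the first hunk passes `artifact.ID(p.ID)` straight from the decoded SBOM document, which means a document with missing or repeated `id` fields yields packages whose IDs are empty or collide, and nothing in this change surfaces that. The contract should at least be stated on the method: `// OverrideID replaces the package ID with a caller-supplied value. Unlike SetID it does not derive the ID from package content, so uniqueness is the caller's responsibility.` If an empty ID is never legitimate, a guard such as `if id == "" { p.SetID(); return }` as the first line of the method would keep content-derived IDs as the fallback; this assumes artifact.ID is a string type, which the `artifact.ID(p.ID)` conversion suggests but this diff does not prove. How the enclosing collection handles duplicate IDs is not visible here and would be worth confirming before relying on untrusted input for identity.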