Mirrors/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft synced 2024-11-10 14:24:12 +00:00
Code Issues Projects Releases Packages Wiki Activity

Preserve syft IDs on SBOM decode (#963)

Browse source
This commit is contained in:
Alex Goodman 2022-04-18 14:10:55 -04:00 committed by GitHub
parent 248023baaf
commit 172ecc0d77
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
internal/formats/syftjson/to_syft_model.go
View file

@ -177,8 +177,12 @@ func toSyftPackage(p model.Package, idAliases map[string]string) pkg.Package {
Metadata: p.Metadata,
}
out.SetID()
// we don't know if this package ID is truly unique, however, we need to trust the user input in case there are
// external references to it. That is, we can't derive our own ID (using pkg.SetID()) since consumers won't
// be able to historically interact with data that references the IDs from the original SBOM document being decoded now.
out.OverrideID(artifact.ID(p.ID))
// this alias mapping is currently defunct, but could be useful in the future.
id := string(out.ID())
if id != p.ID {
idAliases[p.ID] = id

4
syft/pkg/package.go
View file

@ -28,6 +28,10 @@ type Package struct {
Metadata interface{} // additional data found while parsing the package source
}
func (p *Package) OverrideID(id artifact.ID) {
p.id = id
}
func (p *Package) SetID() {
id, err := artifact.IDByHash(p)
if err != nil {