Closed knqyf263 closed 3 months ago
Description
The package ID, based on the name and version, is used in some places.
https://github.com/aquasecurity/trivy/blob/137c9164238ffd989a0c5ed24f23a55bbf341f6e/pkg/sbom/io/encode.go#L177
However, it is not globally unique, as there are cases where the same package is installed in different paths. We should use UIDs for this purpose.
Also, added a process to fill in the UIDs for old JSON reports as they don't contain UIDs, and tests for `trivy convert`.
Related issues
Checklist
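To illustrate the collision this PR addresses, the following is an added example, not code from the PR or from Trivy. The `Package` type, the `fillUID` hashing scheme and the sample paths are assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package is a hypothetical stand-in, not Trivy's own type.
type Package struct {
	Name, Version, FilePath string // two copies may share Name+Version at different paths
	UID                     string // empty in old JSON reports
}

// legacyID is the name+version key that collides across install paths.
func legacyID(p Package) string { return p.Name + "@" + p.Version }

// fillUID sets a UID only when the report lacks one; the hash scheme is a constructed assumption.
func fillUID(p *Package) {
	if p.UID != "" {
		return
	}
	sum := sha256.Sum256([]byte(p.Name + "\x00" + p.Version + "\x00" + p.FilePath))
	p.UID = hex.EncodeToString(sum[:8])
}
// indexBy keys packages by key; a non-unique key silently keeps only the last copy.
func indexBy(pkgs []Package, key func(Package) string) map[string]Package {
	out := make(map[string]Package, len(pkgs))
	for _, p := range pkgs {
		out[key(p)] = p
	}
	return out
}
// samplePackages is constructed input: the same library installed twice.
func samplePackages() []Package {
	pkgs := []Package{
		{Name: "lodash", Version: "4.17.20", FilePath: "app/node_modules/lodash/package.json"},
		{Name: "lodash", Version: "4.17.20", FilePath: "app/packages/cli/node_modules/lodash/package.json"},
	}
	for i := range pkgs {
		fillUID(&pkgs[i])
	}
	return pkgs
}

func main() { // prints "1 2": the legacy key loses a copy, the UID key keeps both
	pkgs := samplePackages()
	byUID := func(p Package) string { return p.UID }
	fmt.Println(len(indexBy(pkgs, legacyID)), len(indexBy(pkgs, byUID)))
}
```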