aquasecurity / trivy

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0

fix(sbom): use package UIDs for uniqueness #7042

Closed knqyf263 closed 3 months ago

knqyf263 commented 3 months ago

Description

The package ID, based on the name and version, is used in some places.

https://github.com/aquasecurity/trivy/blob/137c9164238ffd989a0c5ed24f23a55bbf341f6e/pkg/sbom/io/encode.go#L177

However, it is not globally unique, as there are cases where the same package is installed in different paths. We should use UIDs for this purpose.

Also, added a process to fill in the UIDs for old JSON reports as they don't contain UIDs, and tests for trivy convert.

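The collision the PR describes, as an added example that is not Trivy's own code: a name+version key treats two installations of the same package as one, while a per-installation UID keeps them apart, and a backfill step fills in UIDs only where an old report lacks them. The `Package` struct, the hash used for the backfilled UID and the sample report are assumptions constructed for this illustration.

```go
package main
import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)
// Package holds the fields this example needs; old reports carry no UID.
type Package struct {
	Name     string `json:"Name"`
	Version  string `json:"Version"`
	FilePath string `json:"FilePath,omitempty"`
	UID      string `json:"UID,omitempty"`
}
// legacyID is the name+version key, which collides across install paths.
func legacyID(p Package) string { return p.Name + "@" + p.Version }
// backfillUID fills in a UID only where one is missing (old reports) and keeps any
// UID already present. Hashing name+version+path is an assumption, not Trivy's scheme.
func backfillUID(pkgs []Package) []Package {
	out := make([]Package, len(pkgs))
	for i, p := range pkgs {
		if p.UID == "" {
			sum := sha256.Sum256([]byte(p.Name + "\x00" + p.Version + "\x00" + p.FilePath))
			p.UID = hex.EncodeToString(sum[:8])
		}
		out[i] = p
	}
	return out
}
// countDistinct returns how many distinct keys the key function yields.
func countDistinct(pkgs []Package, key func(Package) string) int {
	seen := make(map[string]struct{})
	for _, p := range pkgs {
		seen[key(p)] = struct{}{}
	}
	return len(seen)
}
// sampleOldReport is a constructed stand-in for an old JSON report (no UIDs):
// the same lodash version installed under two paths.
const sampleOldReport = `[
 {"Name":"lodash","Version":"4.17.21","FilePath":"app/node_modules/lodash/package.json"},
 {"Name":"lodash","Version":"4.17.21","FilePath":"tools/node_modules/lodash/package.json"},
 {"Name":"express","Version":"4.19.2","FilePath":"app/node_modules/express/package.json"}]`
// loadSample parses the sample report and backfills its UIDs.
func loadSample() []Package {
	var pkgs []Package
	if err := json.Unmarshal([]byte(sampleOldReport), &pkgs); err != nil {
		panic(err)
	}
	return backfillUID(pkgs)
}
```

Keyed by `legacyID` the three entries collapse to two; keyed by UID they stay three, and running the backfill a second time leaves the existing UIDs unchanged.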