
feat(sbom): add BOMID field to match packages and decoded BOM components #10299

Draft
DmitriyLewen wants to merge 2 commits into aquasecurity:main from DmitriyLewen:fix/sbom/match-vulns-pkgs-and-core-components

Conversation

DmitriyLewen (Contributor) commented Mar 3, 2026

Description

This PR fixes an issue with matching vulnerabilities to packages and components when working with SBOM (Software Bill of Materials) files. The main problem was that vulnerabilities weren't being properly matched to their corresponding components during SBOM processing, particularly in VEX (Vulnerability Exploitability eXchange) filtering scenarios.

The solution introduces a new BOMID field that provides a reliable UUID-based identifier for matching components between decoded SBOM data and vulnerability information. This ensures accurate component-to-vulnerability associations in both SBOM scanning mode and regular scanning modes.

Changes Made

  • Added BOMID field: Introduced a BOMID uuid.UUID field in the PkgIdentifier struct in pkg/fanal/types/package.go to uniquely identify SBOM components
  • Enhanced component matching: Updated Match() method to check BOMID first when matching package identifiers
  • SBOM decoding integration: Modified pkg/sbom/io/decode.go to populate the BOMID field with the component's UUID during SBOM decoding
  • Improved vulnerability mapping: Refactored pkg/sbom/io/encode.go to use BOMID instead of BOM-Ref for vulnerability-to-component mapping, providing more reliable associations
  • Fixed VEX filtering: Updated pkg/vex/vex.go to use a hybrid approach for component matching:
    • Uses BOMID for SBOM mode scenarios
    • Falls back to UID for regular scanning modes
    • Added comprehensive documentation explaining the key selection logic

These changes ensure that vulnerabilities are correctly filtered and associated with their corresponding components regardless of whether they come from SBOM files or regular package scans.

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
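The mechanism the description lays out (a BOMID minted at decode time, a Match() that consults it first, and a hybrid key that is the BOMID in SBOM mode and the UID otherwise) is shown below in a self-contained Go model. This is an added example and not code from the PR or from Trivy: the UUID type is a stand-in for uuid.UUID from github.com/google/uuid so that the block needs no external module, the PkgIdentifier, Finding and VEXStatement shapes are simplified assumptions, and the package names, bom-refs and CVE identifiers in main are constructed sample data. The main function also reproduces the failure mode from the linked issue: with the regular-mode key (UID) applied to decoded SBOM components, which carry no UID, no VEX statement can be matched, whereas the BOMID key suppresses the covered finding.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// UUID is a random 128-bit ID standing in for uuid.UUID from github.com/google/uuid
// (the type the PR names); an assumption that keeps the example dependency-free.
type UUID [16]byte

func NewUUID() (u UUID) {
	if _, err := rand.Read(u[:]); err != nil {
		panic(err)
	}
	return u
}

func (u UUID) String() string { return hex.EncodeToString(u[:]) }

// PkgIdentifier is a simplified model of the identifier the PR extends: UID comes
// from a regular scan, BOMRef/PURL from the document, BOMID only from SBOM decoding.
type PkgIdentifier struct {
	UID, PURL, BOMRef string
	BOMID             UUID
}

// Match checks BOMID first, then BOM-Ref, then PURL. Empty fields never match,
// so two components that both lack a bom-ref are not confused with each other.
func (p PkgIdentifier) Match(s string) bool {
	return (p.BOMID != UUID{} && p.BOMID.String() == s) ||
		(p.BOMRef != "" && p.BOMRef == s) ||
		(p.PURL != "" && p.PURL == s)
}

// DecodeSBOM mints a BOMID for every component read from the SBOM, as the
// PR's decode step does. Decoded components carry no UID.
func DecodeSBOM(raw []PkgIdentifier) []PkgIdentifier {
	comps := make([]PkgIdentifier, len(raw))
	for i, r := range raw {
		r.BOMID = NewUUID()
		comps[i] = r
	}
	return comps
}

// ComponentKey is the PR's hybrid key: BOMID in SBOM mode, UID otherwise. ok is
// false when that field is empty, so an empty key never indexes a component.
func ComponentKey(p PkgIdentifier, sbomMode bool) (key string, ok bool) {
	if sbomMode {
		return p.BOMID.String(), p.BOMID != UUID{}
	}
	return p.UID, p.UID != ""
}

// Finding is one vulnerability hit; VEXStatement says VulnID does not affect
// the component named by Ref (a bom-ref or PURL as written in the VEX file).
type Finding struct{ VulnID string; Pkg PkgIdentifier }
type VEXStatement struct{ VulnID, Ref string }

// FilterVEX drops findings covered by a statement: each finding is mapped back to
// its decoded component via ComponentKey, whose identifier the Ref is matched against.
func FilterVEX(findings []Finding, comps []PkgIdentifier, stmts []VEXStatement, sbomMode bool) []Finding {
	index := make(map[string]PkgIdentifier, len(comps))
	for _, c := range comps {
		if k, ok := ComponentKey(c, sbomMode); ok {
			index[k] = c
		}
	}
	var kept []Finding
	for _, f := range findings {
		k, ok := ComponentKey(f.Pkg, sbomMode)
		comp, found := index[k]
		suppressed := false
		for _, st := range stmts {
			if ok && found && st.VulnID == f.VulnID && comp.Match(st.Ref) {
				suppressed = true
				break
			}
		}
		if !suppressed {
			kept = append(kept, f)
		}
	}
	return kept
}

func main() {
	comps := DecodeSBOM([]PkgIdentifier{ // constructed sample SBOM
		{BOMRef: "pkg:npm/example-lib@1.0.0", PURL: "pkg:npm/example-lib@1.0.0"},
		{BOMRef: "component-42", PURL: "pkg:npm/example-util@2.3.1"},
	})
	findings := []Finding{{"CVE-2000-0001", comps[0]}, {"CVE-2000-0002", comps[1]}}
	stmts := []VEXStatement{{"CVE-2000-0002", "component-42"}} // covers the second only
	// With the UID key (regular-mode behaviour) nothing is suppressed in SBOM mode,
	// because decoded components have no UID; the BOMID key suppresses the second.
	fmt.Println("kept with UID key:", len(FilterVEX(findings, comps, stmts, false)))
	fmt.Println("kept with BOMID key:", len(FilterVEX(findings, comps, stmts, true)))
}
```

The point worth checking in any real implementation of this scheme is the `ok` flag in ComponentKey: if an empty UID or a zero BOMID were allowed to become a map key, every keyless component would collapse onto one entry and a single VEX statement could silently suppress findings on unrelated packages.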

- fill BOMID only when decoding SBOM
- use BOMID to match component and vuln
@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 3, 2026 11:22
DmitriyLewen (Contributor, Author) commented:

Reopened from #9597 after recreating the fork.

@DmitriyLewen DmitriyLewen marked this pull request as draft March 3, 2026 11:52

Labels: None yet

Projects: None yet

Development

Successfully merging this pull request may close these issues.

bug(vex): VEX suppression no longer works in sbom mode starting from v0.67.0.
