From ca50b77a35670082530a99f41dfcdbac487f5fd1 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Sat, 28 Oct 2023 10:09:36 +0600
Subject: [PATCH] fix(sbom): save digests for package/application when scanning SBOM files (#5432)

Signed-off-by: knqyf263
Co-authored-by: knqyf263
---
 pkg/fanal/applier/docker.go | 8 +++
 pkg/fanal/applier/docker_test.go | 82 ++++++++++++++++++++++++++++
 pkg/sbom/cyclonedx/unmarshal.go | 2 +
 pkg/sbom/cyclonedx/unmarshal_test.go | 2 +
 4 files changed, 94 insertions(+)

diff --git a/pkg/fanal/applier/docker.go b/pkg/fanal/applier/docker.go
index 824da3a9ea13..b0f42d957eec 100644
--- a/pkg/fanal/applier/docker.go
+++ b/pkg/fanal/applier/docker.go
@@ -203,6 +203,10 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {
 }

 for i, pkg := range mergedLayer.Packages {
+ // Skip lookup for SBOM
+ if !lo.IsEmpty(pkg.Layer) {
+ continue
+ }
 originLayerDigest, originLayerDiffID, buildInfo := lookupOriginLayerForPkg(pkg, layers)
 mergedLayer.Packages[i].Layer = types.Layer{
 Digest: originLayerDigest,
@@ -218,6 +222,10 @@ func ApplyLayers(layers []types.BlobInfo) types.ArtifactDetail {

 for _, app := range mergedLayer.Applications {
 for i, lib := range app.Libraries {
+ // Skip lookup for SBOM
+ if !lo.IsEmpty(lib.Layer) {
+ continue
+ }
 originLayerDigest, originLayerDiffID := lookupOriginLayerForLib(app.FilePath, lib, layers)
 app.Libraries[i].Layer = types.Layer{
 Digest: originLayerDigest,
diff --git a/pkg/fanal/applier/docker_test.go b/pkg/fanal/applier/docker_test.go
index 0e0ae93c8e01..dbd2c3c4a9fb 100644
--- a/pkg/fanal/applier/docker_test.go
+++ b/pkg/fanal/applier/docker_test.go
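Review bot: The guard added at the top of the `for i, pkg := range mergedLayer.Packages` loop treats any non-zero `pkg.Layer` as authoritative, so a package that arrives with only `Layer.DiffID` set (the `pip` entry in the new docker_test.go case is such an input) keeps that partial value and never has `Digest` resolved from `layers`; it also means a layer reference carried in an SBOM document is passed through unchanged rather than reconciled against the layers being applied. If that is the intent, the comment `// Skip lookup for SBOM` should state it, e.g. `// Layer already populated (e.g. from SBOM properties): keep it as-is, do not resolve against layers.`; if partially populated layers are meant to be completed, the guard should test the individual fields rather than the whole struct. The same pattern appears in the second hunk for `lib.Layer`. `ApplyLayers` begins and ends outside both hunks.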
@@ -199,6 +199,88 @@ func TestApplyLayers(t *testing.T) {
 },
 },
 },
+ {
+ name: "happy path with digests in libs/packages (as for SBOM)",
+ inputLayers: []types.BlobInfo{
+ {
+ SchemaVersion: 2,
+ OS: types.OS{
+ Family: "debian",
+ Name: "11.8",
+ },
+ PackageInfos: []types.PackageInfo{
+ {
+ Packages: types.Packages{
+ {
+ ID: "adduser@3.118+deb11u1",
+ Name: "adduser",
+ Version: "3.118+deb11u1",
+ Arch: "all",
+ SrcName: "adduser",
+ SrcVersion: "3.118+deb11u1",
+ Ref: "pkg:deb/debian/adduser@3.118%2Bdeb11u1?arch=all&distro=debian-11.8",
+ Layer: types.Layer{
+ Digest: "sha256:e67fdae3559346105027c63e7fb032bba57e62b1fe9f2da23e6fdfb56384e00b",
+ DiffID: "sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497",
+ },
+ },
+ },
+ },
+ },
+ Applications: []types.Application{
+ {
+ Type: types.PythonPkg,
+ Libraries: types.Packages{
+ {
+ Name: "pip",
+ Version: "23.0.1",
+ Layer: types.Layer{
+ DiffID: "sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99",
+ },
+ FilePath: "usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA",
+ },
+ },
+ },
+ },
+ },
+ },
+ want: types.ArtifactDetail{
+ OS: types.OS{
+ Family: "debian",
+ Name: "11.8",
+ },
+ Packages: types.Packages{
+ {
+ ID: "adduser@3.118+deb11u1",
+ Name: "adduser",
+ Version: "3.118+deb11u1",
+ Arch: "all",
+ SrcName: "adduser",
+ SrcVersion: "3.118+deb11u1",
+ Ref: "pkg:deb/debian/adduser@3.118%2Bdeb11u1?arch=all&distro=debian-11.8",
+ Layer: types.Layer{
+ Digest: "sha256:e67fdae3559346105027c63e7fb032bba57e62b1fe9f2da23e6fdfb56384e00b",
+ DiffID: "sha256:633f5bf471f7595b236a21e62dc60beef321db45916363a02ad5af02d794d497",
+ },
+ },
+ },
+ Applications: []types.Application{
+ {
+ Type: types.PythonPkg,
+ Libraries: types.Packages{
+ {
+ Name: "pip",
+ Version: "23.0.1",
+ FilePath: "usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA",
+ Layer: types.Layer{
+ DiffID: "sha256:1def056a3160854c9395aa76282dd62172ec08c18a5fa03bb7d50a777c15ba99",
+ },
+ },
+ },
+ },
+ },
+ },
+ },
 {
 name: "happy path with merging ubuntu version and ESM",
 inputLayers: []types.BlobInfo{
diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go
index 8282edae2c3f..97c24cf2797a 100644
--- a/pkg/sbom/cyclonedx/unmarshal.go
+++ b/pkg/sbom/cyclonedx/unmarshal.go
@@ -376,6 +376,8 @@ func toPackage(component cdx.Component) (*purl.PackageURL, *ftypes.Package, erro
 pkg.Modularitylabel = value
 case PropertyLayerDiffID:
 pkg.Layer.DiffID = value
+ case PropertyLayerDigest:
+ pkg.Layer.Digest = value
 case PropertyFilePath:
 pkg.FilePath = value
 }
diff --git a/pkg/sbom/cyclonedx/unmarshal_test.go b/pkg/sbom/cyclonedx/unmarshal_test.go
index 4ea9b17f44c1..26c5e5d7ff49 100644
--- a/pkg/sbom/cyclonedx/unmarshal_test.go
+++ b/pkg/sbom/cyclonedx/unmarshal_test.go
@@ -221,6 +221,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 },
 Ref: "pkg:deb/ubuntu/libc6@2.35-0ubuntu3.1?distro=ubuntu-22.04",
 Layer: ftypes.Layer{
+ Digest: "sha256:74ac377868f863e123f24c409f79709f7563fa464557c36a09cf6f85c8b92b7f",
 DiffID: "sha256:b93c1bd012ab8fda60f5b4f5906bf244586e0e3292d84571d3abb56472248466",
 },
 },
@@ -235,6 +236,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 SrcEpoch: 1,
 Ref: "pkg:deb/ubuntu/libcrypt1@4.4.27-1?epoch=1&distro=ubuntu-22.04",
 Layer: ftypes.Layer{
+ Digest: "sha256:74ac377868f863e123f24c409f79709f7563fa464557c36a09cf6f85c8b92b7f",
 DiffID: "sha256:b93c1bd012ab8fda60f5b4f5906bf244586e0e3292d84571d3abb56472248466",
 },
 },
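Review bot: The new `happy path with digests in libs/packages (as for SBOM)` case mixes two different inputs — `adduser` carries both `Digest` and `DiffID`, while `pip` carries only `DiffID` — and the `want` for `pip` deliberately has no `Digest`, but neither the case name nor a comment says that the DiffID-only entry is asserting that a partially populated `Layer` is kept as-is rather than completed from `inputLayers`. A short comment on the `pip` input entry, e.g. `// DiffID only: a partially set Layer must be preserved, not resolved against inputLayers`, would make the expectation explicit to the next person who changes the skip logic. `TestApplyLayers` continues outside the hunk.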
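Review bot: `pkg.Layer.Digest = value` stores the CycloneDX property value verbatim, exactly as the `PropertyLayerDiffID` case above it does, so a malformed or non-`sha256:`-prefixed value in an SBOM document lands in `Layer.Digest` and, given the new skip in `ApplyLayers`, is apparently never reconciled against real layers. A comment recording that these fields are document-supplied provenance rather than verified values would help the next reader, e.g. `// Layer digest/diffID are taken from the SBOM properties as-is and are not validated here.`; if downstream consumers compare these digests, a format check (prefix and hex length) at this point would be the natural place for it. `toPackage` begins and ends outside the hunk.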