fix(sbom): use root package for unknown dependencies (if exists) [backport: release/v0.58] (#8156)

Co-authored-by: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>

integration/testdata/julia-spdx.json.golden

@@ -154,11 +154,6 @@
       "relatedSpdxElement": "SPDXRef-Package-7784b00da0cb0cb0",
       "relationshipType": "CONTAINS"
     },
-    {
-      "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
-      "relatedSpdxElement": "SPDXRef-Package-960543ac5c5f7e10",
-      "relationshipType": "CONTAINS"
-    },
     {
       "spdxElementId": "SPDXRef-Application-18fc3597717a3e56",
       "relatedSpdxElement": "SPDXRef-Package-a4705eb108e4f15c",

integration/testdata/npm-cyclonedx.json.golden

@@ -294,18 +294,10 @@
     {
       "ref": "3ff14136-e09f-4df9-80ea-000000000002",
       "dependsOn": [
-        "pkg:npm/asap@2.0.6",
         "pkg:npm/jquery@3.3.9",
-        "pkg:npm/js-tokens@4.0.0",
-        "pkg:npm/loose-envify@1.4.0",
-        "pkg:npm/object-assign@4.1.1",
         "pkg:npm/promise@8.0.3",
-        "pkg:npm/prop-types@15.7.2",
-        "pkg:npm/react-is@16.8.6",
         "pkg:npm/react@16.8.6",
-        "pkg:npm/redux@4.0.1",
-        "pkg:npm/scheduler@0.13.6",
-        "pkg:npm/symbol-observable@1.2.0"
+        "pkg:npm/redux@4.0.1"
       ]
     },
     {

pkg/sbom/cyclonedx/marshal_test.go

@@ -559,7 +559,6 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000004",
 						Dependencies: &[]string{
-							"3ff14136-e09f-4df9-80ea-000000000005",
 							"pkg:gem/actioncontroller@7.0.0",
 						},
 					},
@@ -1123,8 +1122,6 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 						Ref: "3ff14136-e09f-4df9-80ea-000000000002",
 						Dependencies: &[]string{
 							"pkg:rpm/centos/acl@2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011&epoch=1",
-							// Trivy is unable to identify the direct OS packages as of today.
-							"pkg:rpm/centos/glibc@2.28-151.el8?arch=aarch64&distro=centos-8.3.2011",
 						},
 					},
 					{

pkg/sbom/io/encode.go

@@ -417,18 +417,10 @@ func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Pac
 	//         All packages are included in the parent
 	// Case 3: Relationship: known , DependsOn: unknown (e.g., go.mod without $GOPATH)
 	//         All packages are included in the parent
-	// Case 4: Relationship: unknown, DependsOn: known (e.g., OS packages)
-	//         All packages are included in the parent even if they have parents
-	switch {
-	// Case 1, 2 and 3
-	case len(parents[pkg.ID]) == 0:
-		return true
-	// Case 4
-	case pkg.Relationship == ftypes.RelationshipUnknown:
-		return true
-	default:
-		return false
-	}
+	// Case 4: Relationship: unknown, DependsOn: known (e.g., GoBinaries, OS packages)
+	//         - Packages with parents: false. These packages are included in the packages from `parents` (e.g. GoBinaries deps and root package).
+	//         - Packages without parents: true. These packages are included in the parent (e.g. OS packages without parents).
+	return len(parents[pkg.ID]) == 0
 }
 
 func filterProperties(props []core.Property) []core.Property {

pkg/sbom/io/encode_test.go

@@ -171,6 +171,61 @@ func TestEncoder_Encode(t *testing.T) {
 							},
 						},
 					},
+					{
+						Target: "trivy",
+						Type:   ftypes.GoBinary,
+						Class:  types.ClassLangPkg,
+						Packages: []ftypes.Package{
+							{
+								ID:      "github.com/aquasecurity/trivy@v0.57.1",
+								Name:    "github.com/aquasecurity/trivy",
+								Version: "v0.57.1",
+								Identifier: ftypes.PkgIdentifier{
+									UID: "106fee7e57f0b952",
+									PURL: &packageurl.PackageURL{
+										Type:      packageurl.TypeGolang,
+										Namespace: "github.com/aquasecurity",
+										Name:      "trivy",
+										Version:   "v0.57.1",
+									},
+								},
+								Relationship: ftypes.RelationshipRoot,
+								DependsOn: []string{
+									"github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+									"stdlib@v1.22.9",
+								},
+							},
+							{
+								ID:      "stdlib@v1.22.9",
+								Name:    "stdlib",
+								Version: "v1.22.9",
+								Identifier: ftypes.PkgIdentifier{
+									UID: "62e7c8aaebd94b1e",
+									PURL: &packageurl.PackageURL{
+										Type:    packageurl.TypeGolang,
+										Name:    "stdlib",
+										Version: "v1.22.9",
+									},
+								},
+								Relationship: ftypes.RelationshipDirect,
+							},
+							{
+								ID:      "github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+								Name:    "github.com/aquasecurity/go-version",
+								Version: "v0.0.0-20240603093900-cf8a8d29271d",
+								Identifier: ftypes.PkgIdentifier{
+									UID: "350aed171d8ebed5",
+									PURL: &packageurl.PackageURL{
+										Type:      packageurl.TypeGolang,
+										Namespace: "github.com/aquasecurity",
+										Name:      "go-version",
+										Version:   "v0.0.0-20240603093900-cf8a8d29271d",
+									},
+								},
+								Relationship: ftypes.RelationshipUnknown,
+							},
+						},
+					},
 				},
 			},
 			wantComponents: map[uuid.UUID]*core.Component{
@@ -351,6 +406,100 @@ func TestEncoder_Encode(t *testing.T) {
 						BOMRef: "3ff14136-e09f-4df9-80ea-000000000006",
 					},
 				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000007"): {
+					Type: core.TypeApplication,
+					Name: "trivy",
+					Properties: []core.Property{
+						{
+							Name:  core.PropertyClass,
+							Value: "lang-pkgs",
+						},
+						{
+							Name:  core.PropertyType,
+							Value: "gobinary",
+						},
+					},
+					PkgIdentifier: ftypes.PkgIdentifier{
+						BOMRef: "3ff14136-e09f-4df9-80ea-000000000007",
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000008"): {
+					Type:    core.TypeLibrary,
+					Name:    "github.com/aquasecurity/trivy",
+					Version: "v0.57.1",
+					SrcFile: "trivy",
+					Properties: []core.Property{
+						{
+							Name:  core.PropertyPkgID,
+							Value: "github.com/aquasecurity/trivy@v0.57.1",
+						},
+						{
+							Name:  core.PropertyPkgType,
+							Value: "gobinary",
+						},
+					},
+					PkgIdentifier: ftypes.PkgIdentifier{
+						UID: "106fee7e57f0b952",
+						PURL: &packageurl.PackageURL{
+							Type:      packageurl.TypeGolang,
+							Namespace: "github.com/aquasecurity",
+							Name:      "trivy",
+							Version:   "v0.57.1",
+						},
+						BOMRef: "pkg:golang/github.com/aquasecurity/trivy@v0.57.1",
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000009"): {
+					Type:    core.TypeLibrary,
+					Name:    "stdlib",
+					Version: "v1.22.9",
+					SrcFile: "trivy",
+					Properties: []core.Property{
+						{
+							Name:  core.PropertyPkgID,
+							Value: "stdlib@v1.22.9",
+						},
+						{
+							Name:  core.PropertyPkgType,
+							Value: "gobinary",
+						},
+					},
+					PkgIdentifier: ftypes.PkgIdentifier{
+						UID: "62e7c8aaebd94b1e",
+						PURL: &packageurl.PackageURL{
+							Type:    packageurl.TypeGolang,
+							Name:    "stdlib",
+							Version: "v1.22.9",
+						},
+						BOMRef: "pkg:golang/stdlib@v1.22.9",
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000010"): {
+					Type:    core.TypeLibrary,
+					Name:    "github.com/aquasecurity/go-version",
+					Version: "v0.0.0-20240603093900-cf8a8d29271d",
+					SrcFile: "trivy",
+					Properties: []core.Property{
+						{
+							Name:  core.PropertyPkgID,
+							Value: "github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+						},
+						{
+							Name:  core.PropertyPkgType,
+							Value: "gobinary",
+						},
+					},
+					PkgIdentifier: ftypes.PkgIdentifier{
+						UID: "350aed171d8ebed5",
+						PURL: &packageurl.PackageURL{
+							Type:      packageurl.TypeGolang,
+							Namespace: "github.com/aquasecurity",
+							Name:      "go-version",
+							Version:   "v0.0.0-20240603093900-cf8a8d29271d",
+						},
+						BOMRef: "pkg:golang/github.com/aquasecurity/go-version@v0.0.0-20240603093900-cf8a8d29271d",
+					},
+				},
 			},
 			wantRels: map[uuid.UUID][]core.Relationship{
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000001"): {
@@ -366,12 +515,12 @@ func TestEncoder_Encode(t *testing.T) {
 						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"),
 						Type:       core.RelationshipContains,
 					},
-				},
-				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): {
 					{
-						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000003"),
+						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000007"),
 						Type:       core.RelationshipContains,
 					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000002"): {
 					{
 						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000004"),
 						Type:       core.RelationshipContains,
@@ -386,6 +535,24 @@ func TestEncoder_Encode(t *testing.T) {
 				},
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000005"): nil,
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000006"): nil,
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000007"): {
+					{
+						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000008"),
+						Type:       core.RelationshipContains,
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000008"): {
+					{
+						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000010"),
+						Type:       core.RelationshipDependsOn,
+					},
+					{
+						Dependency: uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000009"),
+						Type:       core.RelationshipDependsOn,
+					},
+				},
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000009"): nil,
+				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000010"): nil,
 			},
 			wantVulns: map[uuid.UUID][]core.Vulnerability{
 				uuid.MustParse("3ff14136-e09f-4df9-80ea-000000000004"): {