Change to Package.PURL

anchore · Nov 20, 2024 · 8d214e8 · 8d214e8
1 parent 24a5022
commit 8d214e8
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 19 deletions.
diff --git a/grype/presenter/sarif/presenter.go b/grype/presenter/sarif/presenter.go
@@ -17,7 +17,6 @@ import (
 	"github.com/anchore/grype/grype/pkg"
 	"github.com/anchore/grype/grype/presenter/models"
 	"github.com/anchore/grype/grype/vulnerability"
-	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/source"
 )
@@ -123,7 +122,7 @@ func (pres *Presenter) sarifRules() (out []*sarif.ReportingDescriptor) {
 					// For GitHub reportingDescriptor object:
 					// https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#reportingdescriptor-object
 					"security-severity": pres.securitySeverityValue(m),
-					"purls":             [...]string{deriveBomRef(m.Package)},
+					"purls":             [...]string{m.Package.PURL},
 				},
 			})
 		}
@@ -476,16 +475,3 @@ func imageShortPathName(s *source.Description) string {
 	imageName = nonPathChars.ReplaceAllString(imageName, "")
 	return imageName
 }
-
-func deriveBomRef(p pkg.Package) string {
-	// try and parse the PURL if possible and append syft id to it, to make
-	// the purl unique in the BOM.
-	// TODO: In the future we may want to dedupe by PURL and combine components with
-	// the same PURL while preserving their unique metadata.
-	if parsedPURL, err := packageurl.FromString(p.PURL); err == nil {
-		parsedPURL.Qualifiers = append(parsedPURL.Qualifiers, packageurl.Qualifier{Key: "package-id", Value: string(p.ID)})
-		return parsedPURL.ToString()
-	}
-	// fallback is to use strictly the ID if there is no valid pURL
-	return string(p.ID)
-}
diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_directory.golden
@@ -25,7 +25,7 @@
               },
               "properties": {
                 "purls": [
-                  "9baa2db122fea516"
+                  ""
                 ],
                 "security-severity": "4.0"
               }
@@ -46,7 +46,7 @@
               },
               "properties": {
                 "purls": [
-                  "7bb53d560434bc7f"
+                  ""
                 ],
                 "security-severity": "1.0"
               }

diff --git a/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden b/grype/presenter/sarif/test-fixtures/snapshot/TestSarifPresenter_image.golden
@@ -25,7 +25,7 @@
               },
               "properties": {
                 "purls": [
-                  "9baa2db122fea516"
+                  ""
                 ],
                 "security-severity": "4.0"
               }
@@ -46,7 +46,7 @@
               },
               "properties": {
                 "purls": [
-                  "7bb53d560434bc7f"
+                  ""
                 ],
                 "security-severity": "1.0"
               }