From 9c16bf2eba57c84027175bd1f2a4d4bf9cfb8f81 Mon Sep 17 00:00:00 2001
From: Wai Cheang
Date: Fri, 8 Nov 2024 03:51:11 -0500
Subject: [PATCH] fix(ISV-5128): also update sbom metadata component purl

Previously the update-component-sbom script is only updating the component purl in the list of components. But in CycloneDX, there is also a component purl in the metadata.

Signed-off-by: Wai Cheang
---
 sbom/test_update_component_sbom.py | 12 ++++++++++++
 sbom/update_component_sbom.py | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/sbom/test_update_component_sbom.py b/sbom/test_update_component_sbom.py
index e7ac5f4..04082df 100644
--- a/sbom/test_update_component_sbom.py
+++ b/sbom/test_update_component_sbom.py
@@ -27,6 +27,12 @@ def test_get_component_to_purls_map(self) -> None:
 
     def test_update_cyclonedx_sbom(self) -> None:
         sbom = {
+            "metadata": {
+                "component": {
+                    "name": "comp1",
+                    "purl": "purl1",
+                }
+            },
             "components": [
                 {"name": "comp1", "purl": "purl1"},
                 {"name": "comp2", "purl": "purl2"},
@@ -38,6 +44,12 @@ def test_update_cyclonedx_sbom(self) -> None:
         }
         update_cyclonedx_sbom(sbom, mapping)
         assert sbom == {
+            "metadata": {
+                "component": {
+                    "name": "comp1",
+                    "purl": "updated_purl1",
+                }
+            },
             "components": [
                 {"name": "comp1", "purl": "updated_purl1"},
                 {"name": "comp2", "purl": "updated_purl2"},
diff --git a/sbom/update_component_sbom.py b/sbom/update_component_sbom.py
index 230062e..60b7535 100644
--- a/sbom/update_component_sbom.py
+++ b/sbom/update_component_sbom.py
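Review bot: The regression test in the second hunk only exercises an SBOM whose `metadata.component` is present and whose name is in the mapping, so the new metadata path is never tested for the shapes it will meet in practice. Add one case where `metadata` has no `component` (or the key is absent entirely) and one where the metadata component's name is not in `mapping`, asserting in both that `components` is still rewritten and the metadata purl is untouched; the first of those is the case most likely to surface as a pipeline crash rather than a test failure. The test method `test_update_cyclonedx_sbom` starts in the first hunk and its body continues past the second.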
@@ -42,6 +42,12 @@ def update_cyclonedx_sbom(sbom: Dict, component_to_purls_map: Dict[str, List[str
         component_to_purls_map: dictionary mapping of component names to list of purls.
     """
     LOG.info("Updating CycloneDX sbom")
+
+    componenet_name = sbom["metadata"]["component"]["name"]
+    if componenet_name in component_to_purls_map:
+        # only one purl is supported for CycloneDX
+        sbom["metadata"]["component"]["purl"] = component_to_purls_map[componenet_name][0]
+
     for component in sbom["components"]:
         if component["name"] in component_to_purls_map:
             # only one purl is supported for CycloneDX
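Review bot: The added lookup `sbom["metadata"]["component"]["name"]` is unguarded, so a CycloneDX document with no `metadata.component` (or one without a `name`) now raises KeyError where the pre-change script processed it; `metadata.component` is optional in CycloneDX, so this turns a valid input into a crash in the release path. Resolve it with `.get()` and skip when absent, which also removes the `componenet_name` typo: `meta_component = sbom.get("metadata", {}).get("component", {})` / `if meta_component.get("name") in component_to_purls_map:` / `    meta_component["purl"] = component_to_purls_map[meta_component["name"]][0]`. As in the loop below, `[0]` silently discards any further purls mapped to that name (and raises IndexError on an empty list); a `LOG.warning` when more than one purl is mapped would keep a dropped identifier visible instead of lost. The docstring of `update_cyclonedx_sbom` begins, and the components loop ends, outside this hunk.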