fix(sbom): correctly handle multiple vendors (intel#4857)

ffontaine · web-flow · commit aa33a7af3ead · 2025-02-27T10:18:37.000-08:00
Prepend vendor to product to set the SBOM package name, otherwise
SBOM will only contain the last vendor of the product.

For example for iperf3, SBOM will only contain
cpe:/a:iperf3_project:iperf3:3.11 and not cpe:/a:es:iperf3:3.11

Signed-off-by: Fabrice Fontaine &lt;fabrice.fontaine@orange.com&gt;
diff --git a/cve_bin_tool/sbom_manager/generate.py b/cve_bin_tool/sbom_manager/generate.py
@@ -72,7 +72,9 @@ def generate_sbom(self) -> None:
         # Add dependent products
         for product_data in self.all_product_data:
             my_package.initialise()
-            my_package.set_name(product_data.product)
+            # vendor prepended to product to handle product with multiple vendors
+            package_name = f"{product_data.vendor}-{product_data.product}"
+            my_package.set_name(package_name)
             my_package.set_version(product_data.version)
             if product_data.vendor.casefold() != "UNKNOWN".casefold():
                 my_package.set_supplier("Organization", product_data.vendor)
@@ -90,9 +92,7 @@ def generate_sbom(self) -> None:
                     (my_package.get_name(), my_package.get_value("version"))
                 ] = my_package.get_package()
             sbom_relationship.initialise()
-            sbom_relationship.set_relationship(
-                root_package, "DEPENDS_ON", product_data.product
-            )
+            sbom_relationship.set_relationship(root_package, "DEPENDS_ON", package_name)
             sbom_relationships.append(sbom_relationship.get_relationship())
 
         # Generate SBOM
diff --git a/test/test_output_engine.py b/test/test_output_engine.py
@@ -984,7 +984,8 @@ def test_generate_sbom(self):
 
             # Check if set_name is called for each product
             expected_calls = [
-                call(product.product) for product in self.all_product_data
+                call(f"{product.vendor}-{product.product}")
+                for product in self.all_product_data
             ]
             mock_package_instance.set_name.assert_has_calls(
                 expected_calls, any_order=True

Original file line number	Diff line number	Diff line change
`@@ -984,7 +984,8 @@ def test_generate_sbom(self):`
`984`	`984`
`985`	`985`	`# Check if set_name is called for each product`
`986`	`986`	`expected_calls = [`
`987`		`- call(product.product) for product in self.all_product_data`
	`987`	`+ call(f"{product.vendor}-{product.product}")`
	`988`	`+ for product in self.all_product_data`
`988`	`989`	`]`
`989`	`990`	`mock_package_instance.set_name.assert_has_calls(`
`990`	`991`	`expected_calls, any_order=True`