fix(sbom): merge orphaned OS packages with existing PackageInfo

knqyf263 · knqyf263 · commit e76c7ee4efca · 2025-07-14T15:05:45.000+04:00
- Use lo.FindIndexOf to find existing PackageInfo with empty FilePath
- Merge orphaned OS packages instead of creating separate entries
- Sort packages after merging for consistent ordering
- Resolves issue where out-of-graph OS packages were isolated
diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
@@ -391,8 +391,19 @@ func (m *Decoder) addOrphanPkgs(sbom *types.SBOM) error {
 	for _, pkgs := range osPkgMap {
 		// TODO: mismatch between the OS and the packages should be rejected.
 		// e.g. OS: debian, Packages: rpm
-		sort.Sort(pkgs)
-		sbom.Packages = append(sbom.Packages, ftypes.PackageInfo{Packages: pkgs})
+
+		// Find existing PackageInfo with empty FilePath to merge with
+		if _, idx, found := lo.FindIndexOf(sbom.Packages, func(pkg ftypes.PackageInfo) bool {
+			return pkg.FilePath == ""
+		}); found {
+			// Merge with existing PackageInfo
+			sbom.Packages[idx].Packages = append(sbom.Packages[idx].Packages, pkgs...)
+			sort.Sort(sbom.Packages[idx].Packages)
+		} else {
+			// Create new PackageInfo
+			sort.Sort(pkgs)
+			sbom.Packages = append(sbom.Packages, ftypes.PackageInfo{Packages: pkgs})
+		}
 
 		break // Just take the first element
 	}
diff --git a/pkg/sbom/io/decode_test.go b/pkg/sbom/io/decode_test.go
@@ -347,4 +347,3 @@ func TestDecoder_Decode_OSPackages(t *testing.T) {
 		})
 	}
 }
-

Original file line number	Diff line number	Diff line change
`@@ -347,4 +347,3 @@ func TestDecoder_Decode_OSPackages(t *testing.T) {`
`347`	`347`	`})`
`348`	`348`	`}`
`349`	`349`	`}`
`350`		`-`