fix: only add the package manager category as a name for that package

The "security" category is intended to find security information about this package, but not describing the package itself. Works around trustification#509
ctron · Jul 5, 2024 · 4f54e91 · 4f54e91
1 parent 6005b35
commit 4f54e91
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/modules/ingestor/src/graph/sbom/spdx.rs b/modules/ingestor/src/graph/sbom/spdx.rs
@@ -59,6 +59,11 @@ impl SbomContext {
             let mut refs = Vec::new();
 
             for r in &package.external_reference {
+                // only add the package manager category, giving this package a name
+                if r.reference_category != ExternalPackageReferenceCategory::PackageManager {
+                    continue;
+                }
+
                 match &*r.reference_type {
                     "purl" => {
                         if let Ok(purl) = Purl::from_str(&r.reference_locator) {