fix: only add the package manager category as a name for that package

The "security" category is intended to find security information about this package, but not describing the package itself. Works around trustification#509
ctron · Jul 8, 2024 · d254bc2 · d254bc2
1 parent 10abd1a
commit d254bc2
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/modules/ingestor/src/graph/sbom/spdx.rs b/modules/ingestor/src/graph/sbom/spdx.rs
@@ -96,6 +96,11 @@ impl SbomContext {
             let mut refs = Vec::new();
 
             for r in &package.external_reference {
+                // only add the package manager category, giving this package a name
+                if r.reference_category != ExternalPackageReferenceCategory::PackageManager {
+                    continue;
+                }
+
                 match &*r.reference_type {
                     "purl" => {
                         if let Ok(purl) = Purl::from_str(&r.reference_locator) {