fix(sbom): export bom-ref when converting a package to a component (#7340)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: amf <[email protected]>
Co-authored-by: knqyf263 <[email protected]>

Author: 3 people

integration/integration_test.go

@@ -186,7 +186,6 @@ func readCycloneDX(t *testing.T, filePath string) *cdx.BOM {
 			return (*bom.Components)[i].Name < (*bom.Components)[j].Name
 		})
 		for i := range *bom.Components {
-			(*bom.Components)[i].BOMRef = ""
 			sort.Slice(*(*bom.Components)[i].Properties, func(ii, jj int) bool {
 				return (*(*bom.Components)[i].Properties)[ii].Name < (*(*bom.Components)[i].Properties)[jj].Name
 			})

integration/sbom_test.go

@@ -25,6 +25,7 @@ func TestSBOM(t *testing.T) {
 		name     string
 		args     args
 		golden   string
+		fakeUUID string
 		override OverrideFunc
 	}{
 		{
@@ -57,6 +58,16 @@ func TestSBOM(t *testing.T) {
 			},
 			golden: "testdata/fluentd-multiple-lockfiles.json.golden",
 		},
+		{
+			name: "scan SBOM into SBOM",
+			args: args{
+				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
+				format:       "cyclonedx",
+				artifactType: "cyclonedx",
+			},
+			fakeUUID: "3ff14136-e09f-4df9-80ea-%012d",
+			golden:   "testdata/fluentd-multiple-lockfiles-short.cdx.json.golden",
+		},
 		{
 			name: "minikube KBOM",
 			args: args{
@@ -165,6 +176,7 @@ func TestSBOM(t *testing.T) {
 			// Run "trivy sbom"
 			runTest(t, osArgs, tt.golden, outputFile, types.Format(tt.args.format), runOptions{
 				override: overrideFuncs(overrideSBOMReport, overrideUID, tt.override),
+				fakeUUID: tt.fakeUUID,
 			})
 		})
 	}