fix(sbom): parse type framework as library when unmarshalling CycloneDX files (#7527)

DmitriyLewen · web-flow · commit aeb7039d7ce0 · 2024-09-18T06:08:12.000Z
diff --git a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
@@ -46,7 +46,7 @@
     },
     {
       "bom-ref": "pkg:composer/pear/pear_exception@v1.0.0",
-      "type": "library",
+      "type": "framework",
       "name": "pear/pear_exception",
       "version": "v1.0.0",
       "purl": "pkg:composer/pear/pear_exception@v1.0.0"
diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go
@@ -166,7 +166,10 @@ func (b *BOM) unmarshalType(t cdx.ComponentType) (core.ComponentType, error) {
 		ctype = core.TypeContainerImage
 	case cdx.ComponentTypeApplication:
 		ctype = core.TypeApplication
-	case cdx.ComponentTypeLibrary:
+	// There are not many differences between a `library` and a `framework` components, and sometimes it is difficult to choose the right type.
+	// That is why some users choose `framework` type.
+	// So we should parse and scan `framework` components as libraries.
+	case cdx.ComponentTypeLibrary, cdx.ComponentTypeFramework:
 		ctype = core.TypeLibrary
 	case cdx.ComponentTypeOS:
 		ctype = core.TypeOS

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,7 @@`
`46`	`46`	`},`
`47`	`47`	`{`
`48`	`48`	`"bom-ref": "pkg:composer/pear/[email protected]",`
`49`		`- "type": "library",`
	`49`	`+ "type": "framework",`
`50`	`50`	`"name": "pear/pear_exception",`
`51`	`51`	`"version": "v1.0.0",`
`52`	`52`	`"purl": "pkg:composer/pear/[email protected]"`