fix(sbom): preserve OS packages from multiple SBOMs (#8325)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>

Author: knqyf263

pkg/fanal/analyzer/sbom/sbom.go

@@ -52,6 +52,12 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
 		handleBitnamiImages(path.Dir(input.FilePath), bom)
 	}
 
+	// Add the filePath to avoid overwriting OS packages when merging packages from multiple SBOM files.
+	// cf. https://github.com/aquasecurity/trivy/issues/8324
+	for i, pkgInfo := range bom.Packages {
+		bom.Packages[i].FilePath = path.Join(input.FilePath, pkgInfo.FilePath)
+	}
+
 	// FilePath for apps with aggregatingTypes is empty.
 	// Set the SBOM file path as Application.FilePath to correctly overwrite applications when merging layers.
 	for i, app := range bom.Applications {

pkg/fanal/analyzer/sbom/sbom_test.go

@@ -238,6 +238,42 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 			},
 			wantErr: require.NoError,
 		},
+		{
+			name:     "valid ca-certificates spdx file",
+			file:     "testdata/ca-certificates.spdx.json",
+			filePath: "opt/bitnami/ca-certificates/.spdx-ca-certificates.spdx",
+			want: &analyzer.AnalysisResult{
+				PackageInfos: []types.PackageInfo{
+					{
+						FilePath: "opt/bitnami/ca-certificates/.spdx-ca-certificates.spdx",
+						Packages: types.Packages{
+							{
+								ID:         "ca-certificates@20230311",
+								Name:       "ca-certificates",
+								Version:    "20230311",
+								Arch:       "all",
+								SrcName:    "ca-certificates",
+								SrcVersion: "20230311",
+								Licenses:   []string{"GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0"},
+								Identifier: types.PkgIdentifier{
+									PURL: &packageurl.PackageURL{
+										Type:      packageurl.TypeDebian,
+										Namespace: "debian",
+										Name:      "ca-certificates",
+										Version:   "20230311",
+										Qualifiers: packageurl.Qualifiers{
+											{Key: "arch", Value: "all"},
+											{Key: "distro", Value: "debian-12.9"},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantErr: require.NoError,
+		},
 		{
 			name:     "invalid spdx file",
 			file:     "testdata/invalid_spdx.json",

pkg/fanal/analyzer/sbom/testdata/ca-certificates.spdx.json

@@ -0,0 +1,55 @@
+{
+  "spdxVersion": "SPDX-2.3",
+  "dataLicense": "CC0-1.0",
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "host",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/host-1022538e-83fe-4aa7-8718-a78839114c83",
+  "creationInfo": {
+    "creators": [
+      "Organization: aquasecurity",
+      "Tool: trivy-0.58.1"
+    ],
+    "created": "2025-01-30T11:30:05Z"
+  },
+  "packages": [
+    {
+      "name": "ca-certificates",
+      "SPDXID": "SPDXRef-Package-c1d4029824045f75",
+      "versionInfo": "20230311",
+      "supplier": "Organization: Julien Cristau <jcristau@debian.org>",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "sourceInfo": "built package from: ca-certificates 20230311",
+      "licenseConcluded": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0",
+      "licenseDeclared": "GPL-2.0-or-later AND GPL-2.0-only AND MPL-2.0",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:deb/debian/ca-certificates@20230311?arch=all&distro=debian-12.9"
+        }
+      ],
+      "primaryPackagePurpose": "LIBRARY"
+    },
+    {
+      "name": "debian",
+      "SPDXID": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
+      "versionInfo": "12.9",
+      "downloadLocation": "NONE",
+      "filesAnalyzed": false,
+      "primaryPackagePurpose": "OPERATING-SYSTEM"
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
+      "relatedSpdxElement": "SPDXRef-Package-c1d4029824045f75",
+      "relationshipType": "CONTAINS"
+    },
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-OperatingSystem-23c1e7dfb45d904f",
+      "relationshipType": "DESCRIBES"
+    }
+  ]
+}