refactor: move PkgRef under PkgIdentifier

integration/sbom_test.go

@@ -42,13 +42,19 @@ func TestSBOM(t *testing.T) {
 						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
+								},
 							},
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
 							},
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
 							},
 						},
 					},
@@ -89,13 +95,19 @@ func TestSBOM(t *testing.T) {
 						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
 						Vulnerabilities: []types.DetectedVulnerability{
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
+								},
 							},
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
 							},
 							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								PkgIdentifier: ftypes.PkgIdentifier{
+									BOMRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
+								},
 							},
 						},
 					},
@@ -116,17 +128,6 @@ func TestSBOM(t *testing.T) {
 				Results: types.Results{
 					{
 						Target: "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
-							},
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-							},
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-							},
-						},
 					},
 				},
 			},
@@ -145,17 +146,6 @@ func TestSBOM(t *testing.T) {
 				Results: types.Results{
 					{
 						Target: "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)",
-						Vulnerabilities: []types.DetectedVulnerability{
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&distro=centos-7.6.1810",
-							},
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-							},
-							{
-								PkgRef: "pkg:rpm/centos/[email protected]?arch=x86_64&epoch=1&distro=centos-7.6.1810",
-							},
-						},
 					},
 				},
 			},
@@ -223,12 +213,11 @@ func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant typ
 	for i, result := range overrideWant.Results {
 		want.Results[i].Target = result.Target
 		for j, vuln := range result.Vulnerabilities {
-			want.Results[i].Vulnerabilities[j].PkgRef = vuln.PkgRef
-			if vuln.PkgIdentifier.Empty() {
-				continue
+			if vuln.PkgIdentifier.PURL != nil {
+				want.Results[i].Vulnerabilities[j].PkgIdentifier.PURL = vuln.PkgIdentifier.PURL
 			}
-			want.Results[i].Vulnerabilities[j].PkgIdentifier = ftypes.PkgIdentifier{
-				PURL: vuln.PkgIdentifier.PURL,
+			if vuln.PkgIdentifier.BOMRef != "" {
+				want.Results[i].Vulnerabilities[j].PkgIdentifier.BOMRef = vuln.PkgIdentifier.BOMRef
 			}
 		}
 	}

integration/testdata/conda-spdx.json.golden

@@ -22,7 +22,7 @@
     },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-a4bad823866cc210",
+      "SPDXID": "SPDXRef-Package-38e5db7a21fc70a8",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -43,7 +43,7 @@
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-e8a0eb2c9979a021",
+      "SPDXID": "SPDXRef-Package-f9844c873ead5dbe",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -110,21 +110,21 @@
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-a4bad823866cc210",
+      "relatedSpdxElement": "SPDXRef-Package-38e5db7a21fc70a8",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-a4bad823866cc210",
+      "spdxElementId": "SPDXRef-Package-38e5db7a21fc70a8",
       "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     },
     {
       "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-e8a0eb2c9979a021",
+      "relatedSpdxElement": "SPDXRef-Package-f9844c873ead5dbe",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-e8a0eb2c9979a021",
+      "spdxElementId": "SPDXRef-Package-f9844c873ead5dbe",
       "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     }

integration/testdata/fluentd-multiple-lockfiles.json.golden

@@ -29,14 +29,14 @@
           "VulnerabilityID": "CVE-2019-18276",
           "PkgName": "bash",
           "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/[email protected]?distro=debian-10.2"
+            "PURL": "pkg:deb/debian/[email protected]?distro=debian-10.2",
+            "BOMRef": "pkg:deb/debian/[email protected]?distro=debian-10.2"
           },
           "InstalledVersion": "5.0-4",
           "Status": "affected",
           "Layer": {},
           "SeveritySource": "debian",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18276",
-          "PkgRef": "pkg:deb/debian/[email protected]?distro=debian-10.2",
           "DataSource": {
             "ID": "debian",
             "Name": "Debian Security Tracker",
@@ -92,15 +92,15 @@
           ],
           "PkgName": "libidn2-0",
           "PkgIdentifier": {
-            "PURL": "pkg:deb/debian/[email protected]?distro=debian-10.2"
+            "PURL": "pkg:deb/debian/[email protected]?distro=debian-10.2",
+            "BOMRef": "pkg:deb/debian/[email protected]?distro=debian-10.2"
           },
           "InstalledVersion": "2.0.5-1",
           "FixedVersion": "2.0.5-1+deb10u1",
           "Status": "fixed",
           "Layer": {},
           "SeveritySource": "nvd",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2019-18224",
-          "PkgRef": "pkg:deb/debian/[email protected]?distro=debian-10.2",
           "DataSource": {
             "ID": "debian",
             "Name": "Debian Security Tracker",
@@ -161,15 +161,15 @@
           "PkgName": "activesupport",
           "PkgPath": "var/lib/gems/2.5.0/specifications/activesupport-6.0.2.1.gemspec",
           "PkgIdentifier": {
-            "PURL": "pkg:gem/[email protected]"
+            "PURL": "pkg:gem/[email protected]",
+            "BOMRef": "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec"
           },
           "InstalledVersion": "6.0.2.1",
           "FixedVersion": "6.0.3.1, 5.2.4.3",
           "Status": "fixed",
           "Layer": {},
           "SeveritySource": "ghsa",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2020-8165",
-          "PkgRef": "pkg:gem/[email protected]?file_path=var%2Flib%2Fgems%2F2.5.0%2Fspecifications%2Factivesupport-6.0.2.1.gemspec",
           "DataSource": {
             "ID": "ghsa",
             "Name": "GitHub Security Advisory RubyGems",

integration/testdata/minikube-kbom.json.golden

@@ -34,15 +34,15 @@
           "VulnerabilityID": "CVE-2023-2431",
           "PkgName": "k8s.io/kubelet",
           "PkgIdentifier": {
-            "PURL": "pkg:k8s/k8s.io%[email protected]"
+            "PURL": "pkg:k8s/k8s.io%[email protected]",
+            "BOMRef": "pkg:k8s/k8s.io%[email protected]"
           },
           "InstalledVersion": "1.27.0",
           "FixedVersion": "1.24.14, 1.25.9, 1.26.4, 1.27.1",
           "Status": "fixed",
           "Layer": {},
           "SeveritySource": "k8s",
           "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-2431",
-          "PkgRef": "pkg:k8s/k8s.io%[email protected]",
           "DataSource": {
             "ID": "k8s",
             "Name": "Official Kubernetes CVE Feed",

pkg/detector/library/detect.go

@@ -33,7 +33,6 @@ func detect(driver Driver, libs []ftypes.Package) ([]types.DetectedVulnerability
 		for i := range vulns {
 			vulns[i].Layer = lib.Layer
 			vulns[i].PkgPath = lib.FilePath
-			vulns[i].PkgRef = lib.Ref
 			vulns[i].PkgIdentifier = lib.Identifier
 		}
 		vulnerabilities = append(vulnerabilities, vulns...)

pkg/detector/ospkg/alma/alma.go

@@ -90,7 +90,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),
-					PkgRef:           pkg.Ref,
 					PkgIdentifier:    pkg.Identifier,
 					Layer:            pkg.Layer,
 					DataSource:       adv.DataSource,

pkg/detector/ospkg/alpine/alpine.go

@@ -130,7 +130,6 @@ func (s *Scanner) Detect(osVer string, repo *ftypes.Repository, pkgs []ftypes.Pa
 				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Custom:           adv.Custom,
 				DataSource:       adv.DataSource,

pkg/detector/ospkg/amazon/amazon.go

@@ -103,7 +103,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     adv.FixedVersion,
-					PkgRef:           pkg.Ref,
 					PkgIdentifier:    pkg.Identifier,
 					Layer:            pkg.Layer,
 					Custom:           adv.Custom,

pkg/detector/ospkg/chainguard/chainguard.go

@@ -81,7 +81,6 @@ func (s *Scanner) Detect(_ string, _ *ftypes.Repository, pkgs []ftypes.Package)
 				InstalledVersion: installed,
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Custom:           adv.Custom,
 				DataSource:       adv.DataSource,

pkg/detector/ospkg/debian/debian.go

@@ -103,7 +103,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				PkgName:          pkg.Name,
 				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Status:           adv.Status,
 				Layer:            pkg.Layer,

pkg/detector/ospkg/mariner/mariner.go

@@ -49,7 +49,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
 				InstalledVersion: utils.FormatVersion(pkg),
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				DataSource:       adv.DataSource,

pkg/detector/ospkg/oracle/oracle.go

@@ -86,7 +86,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,

pkg/detector/ospkg/photon/photon.go

@@ -81,7 +81,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,

pkg/detector/ospkg/redhat/redhat.go

@@ -157,7 +157,6 @@ func (s *Scanner) detect(osVer string, pkg ftypes.Package) ([]types.DetectedVuln
 			PkgID:            pkg.ID,
 			PkgName:          pkg.Name,
 			InstalledVersion: utils.FormatVersion(pkg),
-			PkgRef:           pkg.Ref,
 			PkgIdentifier:    pkg.Identifier,
 			Status:           adv.Status,
 			Layer:            pkg.Layer,

pkg/detector/ospkg/rocky/rocky.go

@@ -90,7 +90,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 					PkgName:          pkg.Name,
 					InstalledVersion: installed,
 					FixedVersion:     fixedVersion.String(),
-					PkgRef:           pkg.Ref,
 					PkgIdentifier:    pkg.Identifier,
 					Layer:            pkg.Layer,
 					DataSource:       adv.DataSource,

pkg/detector/ospkg/suse/suse.go

@@ -133,7 +133,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
 				InstalledVersion: installed,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,

pkg/detector/ospkg/ubuntu/ubuntu.go

@@ -123,7 +123,6 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				PkgName:          pkg.Name,
 				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Layer:            pkg.Layer,
 				Custom:           adv.Custom,

pkg/detector/ospkg/wolfi/wolfi.go

@@ -81,7 +81,6 @@ func (s *Scanner) Detect(_ string, _ *ftypes.Repository, pkgs []ftypes.Package)
 				InstalledVersion: installed,
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
-				PkgRef:           pkg.Ref,
 				PkgIdentifier:    pkg.Identifier,
 				Custom:           adv.Custom,
 				DataSource:       adv.DataSource,