From 6cb271973e7bdcd2a297b96c16a3a13dd42296be Mon Sep 17 00:00:00 2001
From: Clement Bois <clement.bois@orange.com>
Date: Tue, 8 Aug 2023 14:20:48 +0200
Subject: [PATCH] fix: add component name to sbom

---
 README.md                      | 1 +
 kicker.json                    | 6 ++++++
 templates/gitlab-ci-python.yml | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 081a429..8a4e920 100644
--- a/README.md
+++ b/README.md
@@ -243,6 +243,7 @@ It is bound to the `test` stage, and uses the following variables:
 | --------------------- | -------------------------------------- | ----------------- |
 | `PYTHON_SBOM_DISABLED` | Set to `true` to disable this job | _none_ |
 | `PYTHON_SBOM_SYFT_URL` | Url to the `tar.gz` package for `linux_amd64` of Syft to use (ex: `https://github.com/anchore/syft/releases/download/v0.62.3/syft_0.62.3_linux_amd64.tar.gz`)<br/>_When unset, the latest version will be used_ | _none_ |
+| `PYTHON_SBOM_NAME` | Component name of the emitted SBOM | `$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR` |
 | `PYTHON_SBOM_OPTS` | Options for syft used for SBOM analysis | `--catalogers python-index-cataloger` |
 
 In addition to logs in the console, this job produces the following reports, kept for one week:
diff --git a/kicker.json b/kicker.json
index 65ac497..0aa1a7c 100644
--- a/kicker.json
+++ b/kicker.json
@@ -161,6 +161,12 @@
           "description": "Url to the `tar.gz` package for `linux_amd64` of Syft to use\n\n_When unset, the latest version will be used_",
           "advanced": true
         },
+        {
+          "name": "PYTHON_SBOM_NAME",
+          "description": "Component name of the emitted SBOM",
+          "default": "$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR",
+          "advanced": true
+        },
         {
           "name": "PYTHON_SBOM_OPTS",
           "description": "Options for syft used for SBOM analysis",
diff --git a/templates/gitlab-ci-python.yml b/templates/gitlab-ci-python.yml
index 78b327d..46daf07 100644
--- a/templates/gitlab-ci-python.yml
+++ b/templates/gitlab-ci-python.yml
@@ -92,6 +92,7 @@ variables:
   PYTHON_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
   PYTHON_TRIVY_ARGS: "--vuln-type library"
 
+  PYTHON_SBOM_NAME: "$CI_PROJECT_PATH/$PYTHON_PROJECT_DIR"
   PYTHON_SBOM_OPTS: "--catalogers python-index-cataloger"
 
   PYTHON_RELEASE_NEXT: "minor"
@@ -849,7 +850,7 @@ py-sbom:
         mkdir -p $PIP_CACHE_DIR
         mv ./syft $python_sbom_syft
       fi
-    - $python_sbom_syft dir:. $PYTHON_SBOM_OPTS -o cyclonedx-json > reports/py-sbom.cyclonedx.json
+    - $python_sbom_syft dir:. --source-name $PYTHON_SBOM_NAME $PYTHON_SBOM_OPTS -o cyclonedx-json > reports/py-sbom.cyclonedx.json
     - chmod a+r reports/py-sbom.cyclonedx.json
   artifacts:
     name: "Python SBOM from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
-- 
GitLab