feat(sbom): exclude PEP 770 SBOMs in .dist-info/sboms/ (#10033)

2026-01-31 13:53:14 +08:00 · 2026-01-12 15:08:05 +04:00
parent 7f71b577a0
commit 07ff7885df
2 changed files with 27 additions and 0 deletions
--- a/pkg/fanal/analyzer/sbom/sbom.go
+++ b/pkg/fanal/analyzer/sbom/sbom.go
@@ -76,6 +76,13 @@ func (a sbomAnalyzer) Analyze(ctx context.Context, input analyzer.AnalysisInput)
 }

 func (a sbomAnalyzer) Required(filePath string, _ os.FileInfo) bool {
+	// Exclude PEP 770 SBOMs in .dist-info/sboms/ directories.
+	// These are handled by the Python packaging analyzer instead.
+	// cf. https://peps.python.org/pep-0770/
+	if strings.Contains(filePath, ".dist-info/sboms/") {
+		return false
+	}
+
 	for _, suffix := range requiredSuffixes {
 		if strings.HasSuffix(filePath, suffix) {
 			return true
--- a/pkg/fanal/analyzer/sbom/sbom_test.go
+++ b/pkg/fanal/analyzer/sbom/sbom_test.go
@@ -384,6 +384,26 @@ func Test_packagingAnalyzer_Required(t *testing.T) {
 			filePath: "/test/result.json",
 			want:     false,
 		},
+		{
+			name:     "pep770 cdx.json in dist-info/sboms",
+			filePath: "python3.8/site-packages/xgboost-3.1.2.dist-info/sboms/auditwheel.cdx.json",
+			want:     false,
+		},
+		{
+			name:     "pep770 spdx.json in dist-info/sboms",
+			filePath: "python3.8/site-packages/xgboost-3.1.2.dist-info/sboms/auditwheel.spdx.json",
+			want:     false,
+		},
+		{
+			name:     "pep770 cdx in dist-info/sboms",
+			filePath: "python3.8/site-packages/xgboost-3.1.2.dist-info/sboms/auditwheel.cdx",
+			want:     false,
+		},
+		{
+			name:     "pep770 spdx in dist-info/sboms",
+			filePath: "python3.8/site-packages/xgboost-3.1.2.dist-info/sboms/auditwheel.spdx",
+			want:     false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {