fix(cyclonedx): incompliant affect ref (#3679)

2026-01-31 13:53:14 +08:00 · 2023-02-26 23:04:29 +09:00
parent d85a3e087b
commit 33909d9df3
10 changed files with 1685 additions and 392 deletions
--- a/go.mod
+++ b/go.mod
@@ -47,7 +47,7 @@ require (
 	github.com/hashicorp/golang-lru/v2 v2.0.1
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f
-	github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d
+	github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075
 	github.com/kylelemons/godebug v1.1.0
 	github.com/mailru/easyjson v0.7.7
--- a/go.sum
+++ b/go.sum
@@ -1202,8 +1202,8 @@ github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kE
 github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
-github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d h1:X4cedH4Kn3JPupAwwWuo4AzYp16P0OyLO9d7OnMZc/c=
-github.com/knqyf263/go-deb-version v0.0.0-20190517075300-09fca494f03d/go.mod h1:o8sgWoz3JADecfc/cTYD92/Et1yMqMy0utV1z+VaZao=
+github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422 h1:PPPlUUqPP6fLudIK4n0l0VU4KT2cQGnheW9x8pNiCHI=
+github.com/knqyf263/go-deb-version v0.0.0-20230223133812-3ed183d23422/go.mod h1:ijAmSS4jErO6+KRzcK6ixsm3Vt96hMhJ+W+x+VmbrQA=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 h1:aC6MEAs3PE3lWD7lqrJfDxHd6hcced9R4JTZu85cJwU=
 github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075/go.mod h1:i4sF0l1fFnY1aiw08QQSwVAFxHEm311Me3WsU/X7nL0=
 github.com/knqyf263/go-rpmdb v0.0.0-20230201142403-697bc51b3948 h1:gYyAaKRpnnV3PhR1XWvIKD0UjCnYB4fubIf2pB2NiUI=
--- a/pkg/detector/ospkg/alpine/alpine.go
+++ b/pkg/detector/ospkg/alpine/alpine.go
@@ -113,22 +113,21 @@ func (s *Scanner) Detect(osVer string, repo *ftypes.Repository, pkgs []ftypes.Pa
 			return nil, xerrors.Errorf("failed to get alpine advisories: %w", err)
 		}

-		installed := utils.FormatSrcVersion(pkg)
-		installedVersion, err := version.NewVersion(installed)
+		sourceVersion, err := version.NewVersion(utils.FormatSrcVersion(pkg))
 		if err != nil {
 			log.Logger.Debugf("failed to parse Alpine Linux installed package version: %s", err)
 			continue
 		}

 		for _, adv := range advisories {
-			if !s.isVulnerable(installedVersion, adv) {
+			if !s.isVulnerable(sourceVersion, adv) {
 				continue
 			}
 			vulns = append(vulns, types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
-				InstalledVersion: installed,
+				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
 				Layer:            pkg.Layer,
 				Ref:              pkg.Ref,
--- a/pkg/detector/ospkg/debian/debian.go
+++ b/pkg/detector/ospkg/debian/debian.go
@@ -85,8 +85,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa

 	var vulns []types.DetectedVulnerability
 	for _, pkg := range pkgs {
-		installed := utils.FormatSrcVersion(pkg)
-		installedVersion, err := version.NewVersion(installed)
+		sourceVersion, err := version.NewVersion(utils.FormatSrcVersion(pkg))
 		if err != nil {
 			log.Logger.Debugf("Debian installed package version error: %s", err)
 			continue
@@ -103,7 +102,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				VendorIDs:        adv.VendorIDs,
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
-				InstalledVersion: installed,
+				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
 				Ref:              pkg.Ref,
 				Layer:            pkg.Layer,
@@ -132,7 +131,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				continue
 			}

-			if installedVersion.LessThan(fixedVersion) {
+			if sourceVersion.LessThan(fixedVersion) {
 				vulns = append(vulns, vuln)
 			}
 		}
--- a/pkg/detector/ospkg/mariner/mariner.go
+++ b/pkg/detector/ospkg/mariner/mariner.go
@@ -45,14 +45,13 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			return nil, xerrors.Errorf("failed to get CBL-Mariner advisories: %w", err)
 		}

-		installed := utils.FormatSrcVersion(pkg)
-		installedVersion := version.NewVersion(installed)
+		sourceVersion := version.NewVersion(utils.FormatSrcVersion(pkg))

 		for _, adv := range advisories {
 			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgName:          pkg.Name,
-				InstalledVersion: installed,
+				InstalledVersion: utils.FormatVersion(pkg),
 				Ref:              pkg.Ref,
 				Layer:            pkg.Layer,
 				DataSource:       adv.DataSource,
@@ -66,7 +65,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa

 			// Patched vulnerabilities
 			fixedVersion := version.NewVersion(adv.FixedVersion)
-			if installedVersion.LessThan(fixedVersion) {
+			if sourceVersion.LessThan(fixedVersion) {
 				vuln.FixedVersion = fixedVersion.String()
 				vulns = append(vulns, vuln)
 			}
--- a/pkg/detector/ospkg/ubuntu/ubuntu.go
+++ b/pkg/detector/ospkg/ubuntu/ubuntu.go
@@ -105,8 +105,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 			return nil, xerrors.Errorf("failed to get Ubuntu advisories: %w", err)
 		}

-		installed := utils.FormatSrcVersion(pkg)
-		installedVersion, err := version.NewVersion(installed)
+		sourceVersion, err := version.NewVersion(utils.FormatSrcVersion(pkg))
 		if err != nil {
 			log.Logger.Debugf("failed to parse Ubuntu installed package version: %w", err)
 			continue
@@ -117,7 +116,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
-				InstalledVersion: installed,
+				InstalledVersion: utils.FormatVersion(pkg),
 				FixedVersion:     adv.FixedVersion,
 				Ref:              pkg.Ref,
 				Layer:            pkg.Layer,
@@ -136,7 +135,7 @@ func (s *Scanner) Detect(osVer string, _ *ftypes.Repository, pkgs []ftypes.Packa
 				continue
 			}

-			if installedVersion.LessThan(fixedVersion) {
+			if sourceVersion.LessThan(fixedVersion) {
 				vulns = append(vulns, vuln)
 			}
 		}
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg.go
@@ -24,7 +24,7 @@ func init() {
 }

 const (
-	analyzerVersion = 3
+	analyzerVersion = 4

 	statusFile = "var/lib/dpkg/status"
 	statusDir  = "var/lib/dpkg/status.d/"
@@ -168,14 +168,19 @@ func (a dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package)

 	if name == "" || version == "" || !isInstalled {
 		return nil
-	} else if !debVersion.Valid(version) {
-		log.Logger.Warnf("Invalid Version Found : OS %s, Package %s, Version %s", "debian", name, version)
+	}
+
+	v, err := debVersion.NewVersion(version)
+	if err != nil {
+		log.Logger.Warnf("Invalid Version: OS %s, Package %s, Version %s", "debian", name, version)
 		return nil
 	}
 	pkg = &types.Package{
 		ID:         a.pkgID(name, version),
 		Name:       name,
-		Version:    version,
+		Epoch:      v.Epoch(),
+		Version:    v.Version(),
+		Release:    v.Revision(),
 		DependsOn:  dependencies, // Will be consolidated later
 		Maintainer: maintainer,
 	}
@@ -194,12 +199,15 @@ func (a dpkgAnalyzer) parseDpkgPkg(scanner *bufio.Scanner) (pkg *types.Package)
 		sourceVersion = version
 	}

-	if !debVersion.Valid(sourceVersion) {
-		log.Logger.Warnf("Invalid Version Found : OS %s, Package %s, Version %s", "debian", sourceName, sourceVersion)
-		return pkg
+	sv, err := debVersion.NewVersion(sourceVersion)
+	if err != nil {
+		log.Logger.Warnf("Invalid SourceVersion Found : OS %s, Package %s, Version %s", "debian", sourceName, sourceVersion)
+		return nil
 	}
 	pkg.SrcName = sourceName
-	pkg.SrcVersion = sourceVersion
+	pkg.SrcVersion = sv.Version()
+	pkg.SrcEpoch = sv.Epoch()
+	pkg.SrcRelease = sv.Revision()

 	return pkg
 }
--- a/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
+++ b/pkg/fanal/analyzer/pkg/dpkg/dpkg_test.go
--- a/pkg/fanal/artifact/image/image_test.go
+++ b/pkg/fanal/artifact/image/image_test.go
@@ -217,17 +217,17 @@ func TestArtifact_Inspect(t *testing.T) {
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313",
-					BlobIDs:    []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					BlobIDs:    []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 				Returns: cache.ArtifactCacheMissingBlobsReturns{
 					MissingArtifact: true,
-					MissingBlobIDs:  []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					MissingBlobIDs:  []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 			},
 			putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255",
+						BlobID: "sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -294,7 +294,7 @@ func TestArtifact_Inspect(t *testing.T) {
 				Name:    "../../test/testdata/alpine-311.tar.gz",
 				Type:    types.ArtifactContainerImage,
 				ID:      "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313",
-				BlobIDs: []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+				BlobIDs: []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				ImageMetadata: types.ImageMetadata{
 					ID: "sha256:a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72",
 					DiffIDs: []string{
@@ -353,25 +353,25 @@ func TestArtifact_Inspect(t *testing.T) {
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650",
 					BlobIDs: []string{
-						"sha256:0f64152e3c6ae87b21d4bdd1725bcf1acd4deb613e05a8b31b8c7631d4ac38a3",
-						"sha256:d0baf11bfd2bb23d66b9168d4349290bd01fb45518c17107ee7c2793cde4eeb8",
-						"sha256:8cf65b3504af552bf010ff9765a13abbd21a3b8203563ea9426d7964f2aee98a",
-						"sha256:992b2404a25612b71887531933b4fb4cd6031ebb671df3fde834c5574d62958b",
+						"sha256:ec335b892592429be1caac2726b82a14a65252cb7b2dc3fd65d7b131e6afebac",
+						"sha256:695b29fc394347e9523663f10627032876245ee4f789c5080ccde596deafcc53",
+						"sha256:1266461fba5ebc83c3ac3c983d027d636b1d49d4983dd60923bcc2ad36179257",
+						"sha256:0f6542bb1fbd05fb37bdfca6c023b9320364a2887c446b0d1d9245222edf519e",
 					},
 				},
 				Returns: cache.ArtifactCacheMissingBlobsReturns{
 					MissingBlobIDs: []string{
-						"sha256:0f64152e3c6ae87b21d4bdd1725bcf1acd4deb613e05a8b31b8c7631d4ac38a3",
-						"sha256:d0baf11bfd2bb23d66b9168d4349290bd01fb45518c17107ee7c2793cde4eeb8",
-						"sha256:8cf65b3504af552bf010ff9765a13abbd21a3b8203563ea9426d7964f2aee98a",
-						"sha256:992b2404a25612b71887531933b4fb4cd6031ebb671df3fde834c5574d62958b",
+						"sha256:ec335b892592429be1caac2726b82a14a65252cb7b2dc3fd65d7b131e6afebac",
+						"sha256:695b29fc394347e9523663f10627032876245ee4f789c5080ccde596deafcc53",
+						"sha256:1266461fba5ebc83c3ac3c983d027d636b1d49d4983dd60923bcc2ad36179257",
+						"sha256:0f6542bb1fbd05fb37bdfca6c023b9320364a2887c446b0d1d9245222edf519e",
 					},
 				},
 			},
 			putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:0f64152e3c6ae87b21d4bdd1725bcf1acd4deb613e05a8b31b8c7631d4ac38a3",
+						BlobID: "sha256:ec335b892592429be1caac2726b82a14a65252cb7b2dc3fd65d7b131e6afebac",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -414,9 +414,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										{
 											ID:         "tzdata@2019a-0+deb9u1",
 											Name:       "tzdata",
-											Version:    "2019a-0+deb9u1",
+											Version:    "2019a",
 											SrcName:    "tzdata",
-											SrcVersion: "2019a-0+deb9u1",
+											Release:    "0+deb9u1",
+											SrcVersion: "2019a",
+											SrcRelease: "0+deb9u1",
 											Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
 										},
 									},
@@ -454,7 +456,7 @@ func TestArtifact_Inspect(t *testing.T) {
 				},
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:d0baf11bfd2bb23d66b9168d4349290bd01fb45518c17107ee7c2793cde4eeb8",
+						BlobID: "sha256:695b29fc394347e9523663f10627032876245ee4f789c5080ccde596deafcc53",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -467,9 +469,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										{
 											ID:         "libc6@2.24-11+deb9u4",
 											Name:       "libc6",
-											Version:    "2.24-11+deb9u4",
+											Version:    "2.24",
+											Release:    "11+deb9u4",
 											SrcName:    "glibc",
-											SrcVersion: "2.24-11+deb9u4",
+											SrcVersion: "2.24",
+											SrcRelease: "11+deb9u4",
 											Maintainer: "GNU Libc Maintainers <debian-glibc@lists.debian.org>",
 										},
 									},
@@ -480,9 +484,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										{
 											ID:         "libssl1.1@1.1.0k-1~deb9u1",
 											Name:       "libssl1.1",
-											Version:    "1.1.0k-1~deb9u1",
+											Version:    "1.1.0k",
 											SrcName:    "openssl",
-											SrcVersion: "1.1.0k-1~deb9u1",
+											Release:    "1~deb9u1",
+											SrcVersion: "1.1.0k",
+											SrcRelease: "1~deb9u1",
 											Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
 										},
 									},
@@ -493,9 +499,11 @@ func TestArtifact_Inspect(t *testing.T) {
 										{
 											ID:         "openssl@1.1.0k-1~deb9u1",
 											Name:       "openssl",
-											Version:    "1.1.0k-1~deb9u1",
+											Version:    "1.1.0k",
 											SrcName:    "openssl",
-											SrcVersion: "1.1.0k-1~deb9u1",
+											Release:    "1~deb9u1",
+											SrcVersion: "1.1.0k",
+											SrcRelease: "1~deb9u1",
 											Maintainer: "Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>",
 										},
 									},
@@ -541,7 +549,7 @@ func TestArtifact_Inspect(t *testing.T) {
 				},
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:8cf65b3504af552bf010ff9765a13abbd21a3b8203563ea9426d7964f2aee98a",
+						BlobID: "sha256:1266461fba5ebc83c3ac3c983d027d636b1d49d4983dd60923bcc2ad36179257",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -617,7 +625,7 @@ func TestArtifact_Inspect(t *testing.T) {
 				},
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:992b2404a25612b71887531933b4fb4cd6031ebb671df3fde834c5574d62958b",
+						BlobID: "sha256:0f6542bb1fbd05fb37bdfca6c023b9320364a2887c446b0d1d9245222edf519e",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -1426,10 +1434,10 @@ func TestArtifact_Inspect(t *testing.T) {
 				Type: types.ArtifactContainerImage,
 				ID:   "sha256:33f9415ed2cd5a9cef5d5144333619745b9ec0f851f0684dd45fa79c6b26a650",
 				BlobIDs: []string{
-					"sha256:0f64152e3c6ae87b21d4bdd1725bcf1acd4deb613e05a8b31b8c7631d4ac38a3",
-					"sha256:d0baf11bfd2bb23d66b9168d4349290bd01fb45518c17107ee7c2793cde4eeb8",
-					"sha256:8cf65b3504af552bf010ff9765a13abbd21a3b8203563ea9426d7964f2aee98a",
-					"sha256:992b2404a25612b71887531933b4fb4cd6031ebb671df3fde834c5574d62958b",
+					"sha256:ec335b892592429be1caac2726b82a14a65252cb7b2dc3fd65d7b131e6afebac",
+					"sha256:695b29fc394347e9523663f10627032876245ee4f789c5080ccde596deafcc53",
+					"sha256:1266461fba5ebc83c3ac3c983d027d636b1d49d4983dd60923bcc2ad36179257",
+					"sha256:0f6542bb1fbd05fb37bdfca6c023b9320364a2887c446b0d1d9245222edf519e",
 				},
 				ImageMetadata: types.ImageMetadata{
 					ID: "sha256:58701fd185bda36cab0557bb6438661831267aa4a9e0b54211c4d5317a48aff4",
@@ -1677,7 +1685,7 @@ func TestArtifact_Inspect(t *testing.T) {
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313",
-					BlobIDs:    []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					BlobIDs:    []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 				Returns: cache.ArtifactCacheMissingBlobsReturns{
 					Err: xerrors.New("MissingBlobs failed"),
@@ -1691,16 +1699,16 @@ func TestArtifact_Inspect(t *testing.T) {
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313",
-					BlobIDs:    []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					BlobIDs:    []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 				Returns: cache.ArtifactCacheMissingBlobsReturns{
-					MissingBlobIDs: []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					MissingBlobIDs: []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 			},
 			putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255",
+						BlobID: "sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -1759,17 +1767,17 @@ func TestArtifact_Inspect(t *testing.T) {
 			missingBlobsExpectation: cache.ArtifactCacheMissingBlobsExpectation{
 				Args: cache.ArtifactCacheMissingBlobsArgs{
 					ArtifactID: "sha256:c232b7d8ac8aa08aa767313d0b53084c4380d1c01a213a5971bdb039e6538313",
-					BlobIDs:    []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					BlobIDs:    []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 				Returns: cache.ArtifactCacheMissingBlobsReturns{
 					MissingArtifact: true,
-					MissingBlobIDs:  []string{"sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255"},
+					MissingBlobIDs:  []string{"sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30"},
 				},
 			},
 			putBlobExpectations: []cache.ArtifactCachePutBlobExpectation{
 				{
 					Args: cache.ArtifactCachePutBlobArgs{
-						BlobID: "sha256:7499fcc2ebee2c9b403a67a4fdebbda1d0a846b66485c03f3b4d869c424f7255",
+						BlobID: "sha256:c4d631f4c467a7202d13b02512358984489e8631dba57590cd6322087e0c1a30",
 						BlobInfo: types.BlobInfo{
 							SchemaVersion: types.BlobJSONSchemaVersion,
 							Digest:        "",
@@ -1860,4 +1868,4 @@ func TestArtifact_Inspect(t *testing.T) {
 			assert.Equal(t, tt.want, got)
 		})
 	}
-}
+}
--- a/pkg/fanal/test/integration/testdata/goldens/packages/debian-buster.json.golden
+++ b/pkg/fanal/test/integration/testdata/goldens/packages/debian-buster.json.golden