fix: add root node to the merged sbom

SBOM data was previously missing data from the root node of the
dependency graph when merged. Fixed merge to include this node as well

Signed-off-by: Richard Kelly <rpkelly@amazon.com>

Author: rpkelly

sbomtool/cmd/sbomtool/main.go

@@ -9,6 +9,7 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/spf13/cobra"
+	_ "modernc.org/sqlite"
 
 	"github.com/bottlerocket-os/bottlerocket-sdk/sbomtool/go/internal/commands/filter"
 	"github.com/bottlerocket-os/bottlerocket-sdk/sbomtool/go/internal/commands/generate"

sbomtool/go.mod

@@ -109,6 +109,9 @@ func Generate(name string, spdx bool, cyclonedx bool, buildDir string, outDir st
 		return false, fmt.Errorf("failed to create SBOM: %w", err)
 	}
 
+	// Set the source name from the --name parameter so it appears in metadata.component
+	sbomData.Source.Name = name
+
 	if spdx {
 		slog.Info("Generating SPDX SBOM", "name", name)
 		if err := createSpdxSbom(*sbomData, name, outDir); err != nil {

sbomtool/go.sum

@@ -12,6 +12,7 @@ import (
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/sbom"
+	"github.com/anchore/syft/syft/source"
 
 	"github.com/bottlerocket-os/bottlerocket-sdk/sbomtool/go/internal/deduplication"
 	"github.com/bottlerocket-os/bottlerocket-sdk/sbomtool/go/internal/processor"
@@ -136,25 +137,60 @@ func loadSBOMs(inputFiles []string) ([]*sbom.SBOM, string, error) {
 	return sboms, commonFormat, nil
 }
 
+// sourceToPackage converts an SBOM's Source (metadata.component) to a package.
+// This ensures the subject of each input SBOM is preserved in the merged output.
+func sourceToPackage(src source.Description) *pkg.Package {
+	if src.Name == "" {
+		return nil
+	}
+
+	p := pkg.Package{
+		Name:    src.Name,
+		Version: src.Version,
+		Type:    pkg.UnknownPkg,
+	}
+	p.SetID()
+
+	slog.Debug("Converted source to package", "name", src.Name, "version", src.Version)
+	return &p
+}
+
 // mergeSBOMs combines SBOM metadata and extracts all packages and relationships.
+// Each input SBOM's Source (metadata.component) is converted to a package to preserve
+// the subject of each SBOM in the merged output. Contains relationships are created
+// from the source package to all packages in that SBOM.
 func mergeSBOMs(sboms []*sbom.SBOM) (*sbom.SBOM, []pkg.Package, []artifact.Relationship) {
 	if len(sboms) == 0 {
 		return &sbom.SBOM{}, nil, nil
 	}
 
-	// Use first SBOM as base
+	// Use first SBOM as base for descriptor
 	merged := &sbom.SBOM{
 		Descriptor: sboms[0].Descriptor,
-		Source:     sboms[0].Source,
 	}
 
 	var allPackages []pkg.Package
 	var allRelationships []artifact.Relationship
 
-	// Collect all packages and relationships
+	// Collect all packages and relationships, including Source as a package
 	for _, s := range sboms {
-		allPackages = append(allPackages, s.Artifacts.Packages.Sorted()...)
+		sbomPackages := s.Artifacts.Packages.Sorted()
+		allPackages = append(allPackages, sbomPackages...)
 		allRelationships = append(allRelationships, s.Relationships...)
+
+		// Convert Source (metadata.component) to a package and create contains relationships
+		if srcPkg := sourceToPackage(s.Source); srcPkg != nil {
+			allPackages = append(allPackages, *srcPkg)
+
+			// Create "contains" relationships from source to each package in this SBOM
+			for _, p := range sbomPackages {
+				allRelationships = append(allRelationships, artifact.Relationship{
+					From: *srcPkg,
+					To:   p,
+					Type: artifact.ContainsRelationship,
+				})
+			}
+		}
 	}
 
 	slog.Debug("SBOM merge phase completed",
@@ -174,7 +210,6 @@ func createFinalSBOM(base *sbom.SBOM, canonicalPackages map[string]*pkg.Package,
 
 	return &sbom.SBOM{
 		Descriptor: base.Descriptor,
-		Source:     base.Source,
 		Artifacts: sbom.Artifacts{
 			Packages: collection,
 		},

sbomtool/go.work.sum

@@ -143,8 +143,10 @@ func TestMergeSBOMs(t *testing.T) {
 					createTestPackage("pkg3", "3.0.0", ""),
 				}),
 			},
-			expectedPackageCount:      4,
-			expectedRelationshipCount: 2,
+			// 4 original packages + 2 source packages (test1, test2) = 6
+			// 2 original relationships + 4 contains relationships (2 pkgs × 2 sources) = 6
+			expectedPackageCount:      6,
+			expectedRelationshipCount: 6,
 		},
 		{
 			name:                      "empty SBOM slice",
@@ -259,3 +261,122 @@ func createTestPackagePtr(name, version, cpeStr string) *pkg.Package {
 	p := createTestPackage(name, version, cpeStr)
 	return &p
 }
+
+func TestSourceToPackage(t *testing.T) {
+	// GIVEN: Various source descriptions
+	// WHEN: sourceToPackage is called
+	// THEN: Appropriate packages should be created
+
+	tests := []struct {
+		name       string
+		src        source.Description
+		expectNil  bool
+		expectName string
+		expectVer  string
+	}{
+		{
+			name:       "valid source with name and version",
+			src:        source.Description{Name: "libelf", Version: "0.194"},
+			expectNil:  false,
+			expectName: "libelf",
+			expectVer:  "0.194",
+		},
+		{
+			name:       "valid source with name only",
+			src:        source.Description{Name: "mypackage"},
+			expectNil:  false,
+			expectName: "mypackage",
+			expectVer:  "",
+		},
+		{
+			name:      "empty source",
+			src:       source.Description{},
+			expectNil: true,
+		},
+		{
+			name:      "source with empty name",
+			src:       source.Description{Name: "", Version: "1.0"},
+			expectNil: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := sourceToPackage(tt.src)
+
+			if tt.expectNil {
+				if result != nil {
+					t.Errorf("expected nil, got package with name %s", result.Name)
+				}
+				return
+			}
+
+			if result == nil {
+				t.Fatal("expected package, got nil")
+			}
+
+			if result.Name != tt.expectName {
+				t.Errorf("expected name %s, got %s", tt.expectName, result.Name)
+			}
+
+			if result.Version != tt.expectVer {
+				t.Errorf("expected version %s, got %s", tt.expectVer, result.Version)
+			}
+		})
+	}
+}
+
+func TestMergeSBOMsPreservesSource(t *testing.T) {
+	// GIVEN: Multiple SBOMs with Source (metadata.component) set
+	// WHEN: mergeSBOMs is called
+	// THEN: Source from each SBOM should be converted to a package with contains relationships
+
+	sbom1 := createTestSBOM("sbom1", []pkg.Package{
+		createTestPackage("pkg1", "1.0.0", ""),
+	})
+	sbom1.Source = source.Description{Name: "libelf", Version: "0.194"}
+
+	sbom2 := createTestSBOM("sbom2", []pkg.Package{
+		createTestPackage("pkg2", "2.0.0", ""),
+	})
+	sbom2.Source = source.Description{Name: "glibc", Version: "2.38"}
+
+	_, packages, relationships := mergeSBOMs([]*sbom.SBOM{sbom1, sbom2})
+
+	// Should have: pkg1, pkg2, libelf (from source), glibc (from source) = 4 packages
+	if len(packages) != 4 {
+		t.Errorf("expected 4 packages (2 original + 2 from source), got %d", len(packages))
+	}
+
+	// Verify libelf and glibc are in the packages
+	foundLibelf := false
+	foundGlibc := false
+	for _, p := range packages {
+		if p.Name == "libelf" && p.Version == "0.194" {
+			foundLibelf = true
+		}
+		if p.Name == "glibc" && p.Version == "2.38" {
+			foundGlibc = true
+		}
+	}
+
+	if !foundLibelf {
+		t.Error("expected libelf package from source, not found")
+	}
+	if !foundGlibc {
+		t.Error("expected glibc package from source, not found")
+	}
+
+	// Verify contains relationships were created
+	// Each SBOM has 1 package + 1 existing relationship from createTestSBOM
+	// Plus 1 contains relationship from source to package = 2 contains relationships total
+	containsCount := 0
+	for _, rel := range relationships {
+		if rel.Type == artifact.ContainsRelationship {
+			containsCount++
+		}
+	}
+	if containsCount != 2 {
+		t.Errorf("expected 2 contains relationships (one per source), got %d", containsCount)
+	}
+}