From 7bc15e3d82aef435cd31fff5179a5356e7572fc5 Mon Sep 17 00:00:00 2001
From: Joel Rudsberg <joel.rudsberg@oracle.com>
Date: Thu, 11 Sep 2025 20:16:09 +0200
Subject: [PATCH] Native Image SBOM: Add Support for Locations Data (#4186)

Signed-off-by: Joel Rudsberg <joel.rudsberg@oracle.com>
---
 .../pkg/cataloger/java/graalvm_native_image_cataloger.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go b/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go
index a5d57911d..c9611b9da 100644
--- a/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go
+++ b/syft/pkg/cataloger/java/graalvm_native_image_cataloger.go
@@ -508,7 +508,7 @@ func (ni nativeImagePE) fetchPkgs() (pkgs []pkg.Package, relationships []artifac
 }
 
 // fetchPkgs provides the packages available in a UnionReader.
-func fetchPkgs(reader unionreader.UnionReader, filename string) ([]pkg.Package, []artifact.Relationship) {
+func fetchPkgs(reader unionreader.UnionReader, location file.Location) ([]pkg.Package, []artifact.Relationship) {
 	var pkgs []pkg.Package
 	var relationships []artifact.Relationship
 	imageFormats := []func(string, io.ReaderAt) (nativeImage, error){newElf, newMachO, newPE}
@@ -520,6 +520,7 @@ func fetchPkgs(reader unionreader.UnionReader, filename string) ([]pkg.Package,
 		log.Debugf("failed to open the java native-image binary: %v", err)
 		return nil, nil
 	}
+	filename := location.RealPath
 	for _, r := range readers {
 		for _, makeNativeImage := range imageFormats {
 			ni, err := makeNativeImage(filename, r)
@@ -534,6 +535,10 @@ func fetchPkgs(reader unionreader.UnionReader, filename string) ([]pkg.Package,
 				log.Tracef("unable to extract SBOM from possible java native-image %s: %v", filename, err)
 				continue
 			}
+			// Associate extracted packages with the native image location
+			for i := range newPkgs {
+				newPkgs[i].Locations.Add(location)
+			}
 			pkgs = append(pkgs, newPkgs...)
 			relationships = append(relationships, newRelationships...)
 		}
@@ -574,6 +579,6 @@ func processLocation(location file.Location, resolver file.Resolver) ([]pkg.Pack
 	if err != nil {
 		return nil, nil, err
 	}
-	pkgs, relationships := fetchPkgs(reader, location.RealPath)
+	pkgs, relationships := fetchPkgs(reader, location)
 	return pkgs, relationships, nil
 }