From aeb7039d7ce090e243d29f0bf16c9e4e24252a01 Mon Sep 17 00:00:00 2001
From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com>
Date: Wed, 18 Sep 2024 12:08:12 +0600
Subject: [PATCH] fix(sbom): parse type `framework` as `library` when unmarshalling `CycloneDX` files (#7527)

---
 pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json | 2 +-
 pkg/sbom/cyclonedx/unmarshal.go | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
index d8b5068f5cc0..281d3c4fcc30 100644
--- a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
@@ -46,7 +46,7 @@
 },
 {
 "bom-ref": "pkg:composer/pear/pear_exception@v1.0.0",
- "type": "library",
+ "type": "framework",
 "name": "pear/pear_exception",
 "version": "v1.0.0",
 "purl": "pkg:composer/pear/pear_exception@v1.0.0"
diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go
index 71a0ee27b640..de410d008794 100644
--- a/pkg/sbom/cyclonedx/unmarshal.go
+++ b/pkg/sbom/cyclonedx/unmarshal.go
@@ -166,7 +166,10 @@ func (b *BOM) unmarshalType(t cdx.ComponentType) (core.ComponentType, error) {
 ctype = core.TypeContainerImage
 case cdx.ComponentTypeApplication:
 ctype = core.TypeApplication
- case cdx.ComponentTypeLibrary:
+ // There are not many differences between a `library` and a `framework` components, and sometimes it is difficult to choose the right type.
+ // That is why some users choose `framework` type.
+ // So we should parse and scan `framework` components as libraries.
+ case cdx.ComponentTypeLibrary, cdx.ComponentTypeFramework:
 ctype = core.TypeLibrary
 case cdx.ComponentTypeOS:
 ctype = core.TypeOS
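Review bot: The new comment above `case cdx.ComponentTypeLibrary, cdx.ComponentTypeFramework:` explains why producers pick `framework` but not what the mapping means for the scanner, and its first line is far longer than the surrounding code; a shorter comment stating the consequence would serve maintainers better, e.g. `// Treat CycloneDX "framework" as "library": producers use the two types interchangeably, and mapping both to core.TypeLibrary keeps framework components in the vulnerability scan rather than leaving them unscanned.` What actually happens to a component whose type has no case depends on the default branch of this switch, which is outside the hunk, so the wording should be checked against it; unmarshalType begins and ends outside this hunk. The first hunk changes the only visible fixture component from `library` to `framework`, so if no other `library` component remains in third-party-bom.json the happy-path test no longer exercises the plain `library` case, though the rest of that fixture is not visible here.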