fix(bom): check root parent

pkg/sbom/io/encode.go

@@ -417,20 +417,33 @@ func (*Encoder) belongToParent(pkg ftypes.Package, parents map[string]ftypes.Pac
 	//         All packages are included in the parent
 	// Case 3: Relationship: known , DependsOn: unknown (e.g., go.mod without $GOPATH)
 	//         All packages are included in the parent
-	// Case 4: Relationship: unknown, DependsOn: known (e.g., OS packages)
-	//         All packages are included in the parent even if they have parents
+	// Case 4: Relationship: unknown, DependsOn: known (e.g., GoBinaries, OS packages)
+	//         - There is root parent: false. Packages are included in the root package (e.g. GoBinaries).
+	//         - There is no root parent: true. All packages are included in the parent even if they have parents (e.g. OS packages).
 	switch {
 	// Case 1, 2 and 3
 	case len(parents[pkg.ID]) == 0:
 		return true
 	// Case 4
-	case pkg.Relationship == ftypes.RelationshipUnknown:
+	case pkg.Relationship == ftypes.RelationshipUnknown && !hasParentWithRootRelationship(pkg.ID, parents):
 		return true
 	default:
 		return false
 	}
 }
 
+// hasParentWithRootRelationship indicates that the parents contain the root package.
+// Defining this is necessary to avoid including packages in the parent package instead of the root package.
+// cf. https://github.com/aquasecurity/trivy/issues/8102
+func hasParentWithRootRelationship(id string, parents map[string]ftypes.Packages) bool {
+	for _, parent := range parents[id] {
+		if parent.Relationship == ftypes.RelationshipRoot {
+			return true
+		}
+	}
+	return false
+}
+
 func filterProperties(props []core.Property) []core.Property {
 	return lo.Filter(props, func(property core.Property, _ int) bool {
 		return !(property.Value == "" || (property.Name == core.PropertySrcEpoch && property.Value == "0"))