diff --git a/util/file.go b/util/file.go
index b4f44cf..266d720 100644
--- a/util/file.go
+++ b/util/file.go
@@ -9,6 +9,7 @@
 package util
 
 import (
+	"fmt"
 	"io"
 	"math/rand"
 	"os"
@@ -38,6 +39,23 @@ func ConformingFileName(fname string) bool {
 	return fname == CleanFileName(fname)
 }
 
+// IDMatchesFilename checks that filename can be derived from the value
+// of document/tracking/id extracted from doc using eval.
+// https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#51-filename
+func IDMatchesFilename(eval *PathEval, doc any, filename string) error {
+	var id string
+	if err := eval.Extract(`$.document.tracking.id`, StringMatcher(&id), false, doc); err != nil {
+		return fmt.Errorf("check that ID matches filename: %v", err)
+	}
+
+	if CleanFileName(id) != filename {
+		return fmt.Errorf("document/tracking/id %q does not match filename %s",
+			id, filename)
+	}
+
+	return nil
+}
+
 // PathExists returns true if path exits.
 func PathExists(path string) (bool, error) {
 	_, err := os.Stat(path)