kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests

Home Page:https://kubernetes-sigs.github.io/bom/


SPDX2.2: bom generates SBOM with invalid value for packageVerificationCodeValue

surendrapathak opened this issue · comments

What happened:

While applying quality checks on SBOMs, I found bom failing to adhere to the strict 2.2 spec for the JSON format.

bom generate --format json -i busybox > bom.spdx.json

results in the attached file with the invalid field -

    "packageVerificationCode": {
        "packageVerificationCodeValue": ""
    }

However, this is a required field with a non-empty value when filesAnalyzed is true and for the attached SBOM, the field should be skipped (filesAnalyzed: false)

https://spdx.github.io/spdx-spec/v2.2.2/package-information/#79-package-verification-code-field

This causes other tools that rely on strict checks (such as https://github.com/spdx/tools-python/blob/72780a48d830b29c5d8c85c27e9ddbf39c22b6f6/spdx/utils.py#L37-L39 and https://github.com/spdx/tools-python/blob/f934ae27cc76c20f8e701bf2503e3ea521a9bb88/spdx/parsers/jsonyamlxml.py#L1295) to barf.

What you expected to happen:

packageVerificationCode with valid values or omitted

How to reproduce it (as minimally and precisely as possible):

bom generate --format json -i busybox > bom.spdx.json

Anything else we need to know?:

Environment:

  • Cloud provider or hardware configuration:
  • OS (e.g: cat /etc/os-release):
  • Kernel (e.g. uname -a):
  • Others:
    bom.spdx.json.txt
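To check an SBOM against the rule the issue cites (packageVerificationCode mandatory and non-empty when filesAnalyzed is true, omitted when it is false), here is a small added example that is not part of bom or tools-python. The embedded SBOM is a constructed sample, not the attached file, and it assumes the SPDX default of filesAnalyzed being true when the field is absent.

```python
"""Flag SPDX 2.2 JSON packages whose packageVerificationCode contradicts filesAnalyzed."""
import json
import re

# SPDX 2.2 section 7.9: packageVerificationCodeValue is a 40-hex-digit SHA-1.
_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def check_verification_codes(doc: dict) -> list:
    """Return one finding string per package violating the section 7.9 rule.

    filesAnalyzed true (or absent, which the spec treats as true): the field
    must be present with a non-empty SHA-1 value.
    filesAnalyzed false: the field must be omitted entirely.
    """
    findings = []
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "<no SPDXID>")
        files_analyzed = pkg.get("filesAnalyzed", True)
        pvc = pkg.get("packageVerificationCode")
        if not files_analyzed:
            if pvc is not None:
                findings.append(f"{spdx_id}: packageVerificationCode present but filesAnalyzed is false")
            continue
        value = (pvc or {}).get("packageVerificationCodeValue", "")
        if not value:
            findings.append(f"{spdx_id}: packageVerificationCodeValue missing or empty with filesAnalyzed true")
        elif not _SHA1_RE.match(value):
            findings.append(f"{spdx_id}: packageVerificationCodeValue is not a 40-hex-digit SHA-1: {value!r}")
    return findings


# Constructed sample (not the attached bom.spdx.json): the first package mirrors
# the output quoted in the issue, the second is valid, the third omits the code
# while filesAnalyzed defaults to true.
SAMPLE_SBOM = json.loads("""{
  "spdxVersion": "SPDX-2.2",
  "packages": [
    {"SPDXID": "SPDXRef-Package-busybox", "filesAnalyzed": false,
     "packageVerificationCode": {"packageVerificationCodeValue": ""}},
    {"SPDXID": "SPDXRef-Package-ok", "filesAnalyzed": true,
     "packageVerificationCode": {"packageVerificationCodeValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}},
    {"SPDXID": "SPDXRef-Package-no-code"}
  ]
}""")

if __name__ == "__main__":
    for finding in check_verification_codes(SAMPLE_SBOM):
        print(finding)
```

Point it at a real document with `check_verification_codes(json.load(open("bom.spdx.json")))` to reproduce the strict-parser failure before feeding the file to other tools.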