CycloneDX / bom-examples

A repository with examples of CycloneDX BOMs (SBOM, SaaSBOM, OBOM, VEX, etc)
https://cyclonedx.org
Creative Commons Zero v1.0 Universal

Update SBOMs for proton-bridge #9

Closed nscuro closed 3 years ago

nscuro commented 3 years ago

As of cyclonedx-gomod v0.6.0, generated SBOMs include license information. I also added SBOMs for another version of proton-bridge to address #5.

stevespringett commented 3 years ago

Looks like the SBOMs are invalid. A license can be either a resolved SPDX license ID or an unresolved license name, but not both.

Refer to

https://cyclonedx.org/docs/1.2/#type_licenseType

https://cyclonedx.org/use-cases/#license-compliance
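A small check for the rule cited above, added here as an example that is not part of the repository or the PR: it walks the `components[].licenses` entries of a CycloneDX JSON SBOM and flags license objects that set both `id` and `name` (or neither), which is what the CDX CLI validation in this thread would reject. The SBOM below is constructed for the example, not one of the proton-bridge SBOMs.

```python
"""Check CycloneDX (JSON) license entries for the id/name exclusivity rule."""
import json

# Constructed sample SBOM for this example, not a real proton-bridge SBOM.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "components": [
        {"name": "mod-a", "version": "1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},              # valid: SPDX ID
        {"name": "mod-b", "version": "2.1.0",
         "licenses": [{"license": {"name": "Custom license"}}]}, # valid: name only
        {"name": "mod-c", "version": "0.3.0",
         "licenses": [{"license": {"id": "Apache-2.0",
                                   "name": "Apache License 2.0"}}]},  # invalid
        {"name": "mod-d", "version": "4.0.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},     # valid: expression
        {"name": "mod-e", "version": "1.0.0",
         "licenses": [{"license": {}}]},                          # invalid: empty
    ],
})


def license_problems(bom_json: str) -> list:
    """Return one message per license entry that violates licenseType.

    A license object must carry exactly one of `id` (resolved SPDX ID) or
    `name` (unresolved name); an entry may instead be an SPDX `expression`,
    but not a `license` object and an `expression` at the same time.
    """
    bom = json.loads(bom_json)
    problems = []
    for comp in bom.get("components", []):
        ref = f"{comp.get('name')}@{comp.get('version')}"
        for entry in comp.get("licenses", []):
            has_expr, has_lic = "expression" in entry, "license" in entry
            if has_expr and has_lic:
                problems.append(f"{ref}: entry has both license and expression")
                continue
            if has_expr:
                continue  # the expression form is valid on its own
            lic = entry.get("license")
            if not isinstance(lic, dict):
                problems.append(f"{ref}: entry has neither license nor expression")
                continue
            has_id, has_name = "id" in lic, "name" in lic
            if has_id and has_name:
                problems.append(f"{ref}: license has both id and name")
            elif not (has_id or has_name):
                problems.append(f"{ref}: license has neither id nor name")
    return problems


if __name__ == "__main__":
    for problem in license_problems(SAMPLE_BOM):
        print(problem)
```

Running it against the sample reports mod-c (both fields) and mod-e (neither), while the SPDX-ID, name-only and expression entries pass.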

nscuro commented 3 years ago

Thanks for pointing that out @stevespringett. I created a fix and will update this PR once GitHub Actions is working again.

nscuro commented 3 years ago

SBOMs have been regenerated with v0.6.1 of cyclonedx-gomod, which includes a fix for the issue. All SBOMs have been validated using the CDX CLI.

stevespringett commented 3 years ago

Thanks @nscuro. Validated all four. Looks good and thanks for the PR.