Closed KAWAHARA-souta closed 9 months ago
SBOMs generated for the same version of the shim-x64 package, one (probably) signed and one unsigned.
This one has epoch:0 in the name.
{ "SPDXID": "SPDXRef-DOCUMENT", "creationInfo": { "created": "2024-02-13T18:58:03Z", "creators": [ "Organization: AlmaLinux OS Foundation (cloud-infra@almalinux.org)", "Tool: AlmaLinux Build System 0.1", "Tool: alma-sbom 0.0.2", "Tool: Immudb Wrapper 0.1.1", "Tool: spdx-tools 0.8" ] }, "dataLicense": "CC0-1.0", "name": "shim-x64-0:15.6-1.el9.alma.1", <--- here "packages": [ { "SPDXID": "SPDXRef-0", "annotations": [ { "annotationDate": "2024-02-13T18:58:03Z", "annotationType": "OTHER", "annotator": "Tool: alma-sbom 0.0.2", "comment": "almalinux:package:epoch=0" }, { "annotationDate": "2024-02-13T18:58:03Z", "annotationType": "OTHER", "annotator": "Tool: alma-sbom 0.0.2", "comment": "almalinux:sbom:immudbHash=346e6631cd269b7a1b38e08247123ab93ea5c8f7474f35e4c2775caee7f0dc14" },
This one does not have epoch:0 in the name.
{ "SPDXID": "SPDXRef-DOCUMENT", "creationInfo": { "created": "2024-02-13T18:58:43Z", "creators": [ "Organization: AlmaLinux OS Foundation (cloud-infra@almalinux.org)", "Tool: AlmaLinux Build System 0.1", "Tool: alma-sbom 0.0.2", "Tool: Immudb Wrapper 0.1.1", "Tool: spdx-tools 0.8" ] }, "dataLicense": "CC0-1.0", "name": "shim-x64-15.6-1.el9.alma.1", <--- here "spdxVersion": "SPDX-2.3", "documentNamespace": "https://security.almalinux.org/spdx-shim-x64-15.6-1.el9.alma.1-6851b98c-5b4c-417f-85fa-11288340fe28", "packages": [ { "SPDXID": "SPDXRef-0", "annotations": [ { "annotationDate": "2024-02-13T18:58:43Z", "annotationType": "OTHER", "annotator": "Tool: alma-sbom 0.0.2", "comment": "almalinux:package:epoch=0" }, "packages": [ { "SPDXID": "SPDXRef-0", "annotations": [ { "annotationDate": "2024-02-13T18:58:43Z", "annotationType": "OTHER", "annotator": "Tool: alma-sbom 0.0.2", "comment": "almalinux:package:epoch=0" }, { "annotationDate": "2024-02-13T18:58:43Z", "annotationType": "OTHER", "annotator": "Tool: alma-sbom 0.0.2", "comment": "almalinux:sbom:immudbHash=dcf3d966f0002c560c1a8a6b2e7fd709291deb82bbec03bced38f01fe401813a" },
Closing, having judged this difference to be no problem. Details are in the internal notes.
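A consumer that matches these two SBOMs by the exact `name` string would treat them as different packages. As an added example (not part of the original issue and not alma-sbom code), the comparison below normalizes the optional epoch before matching, assuming `name` follows RPM's name-[epoch:]version-release form and that a missing epoch means 0; the function names are hypothetical and the two documents are trimmed from the excerpts above.

```python
EPOCH_PREFIX = "almalinux:package:epoch="  # annotation comment seen in both excerpts

def parse_nevr(nevr):
    """Split 'name-[epoch:]version-release'; epoch is None when not written."""
    parts = nevr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not name-version-release: {nevr!r}")
    name, version, release = parts
    epoch = None
    if ":" in version:
        raw, version = version.split(":", 1)
        if not raw.isdigit():
            raise ValueError(f"non-numeric epoch in {nevr!r}")
        epoch = int(raw)
    return name, epoch, version, release

def annotated_epoch(doc):
    """Return the epoch recorded in a package annotation, or None if absent."""
    for pkg in doc.get("packages", []):
        for ann in pkg.get("annotations", []):
            comment = ann.get("comment", "")
            if comment.startswith(EPOCH_PREFIX):
                return int(comment[len(EPOCH_PREFIX):])
    return None

def package_identity(doc):
    """Normalized (name, epoch, version, release) for an SBOM document."""
    name, epoch, version, release = parse_nevr(doc["name"])
    noted = annotated_epoch(doc)
    if epoch is not None and noted is not None and epoch != noted:
        raise ValueError(f"name says epoch {epoch}, annotation says {noted}")
    if epoch is None:
        epoch = noted if noted is not None else 0  # assumption: missing epoch is 0
    return name, epoch, version, release

def _doc(name, epoch_comment):
    # Constructed: trimmed to the fields used here, values from the excerpts.
    return {"name": name,
            "packages": [{"annotations": [{"comment": epoch_comment}]}]}

WITH_EPOCH = _doc("shim-x64-0:15.6-1.el9.alma.1", "almalinux:package:epoch=0")
WITHOUT_EPOCH = _doc("shim-x64-15.6-1.el9.alma.1", "almalinux:package:epoch=0")

if __name__ == "__main__":
    print(WITH_EPOCH["name"] == WITHOUT_EPOCH["name"])  # raw names differ
    print(package_identity(WITH_EPOCH) == package_identity(WITHOUT_EPOCH))
```

A name whose written epoch disagrees with the annotation raises instead of being silently normalized, since that case is a real inconsistency rather than a formatting difference.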