VexStore / fatbom

fatbom (Fat Bill Of Materials) is a tool that combines the SBOMs generated by various tools into one fat SBOM, thus leveraging each tool's strengths.
MIT License

Invalid SPDX published for fatbom project #4

Open surendrapathak opened 1 year ago

surendrapathak commented 1 year ago

Name of the app: fatbom

Describe the bug: The merged SBOM built with the project is invalid.

To Reproduce: While applying quality checks on SBOMs, I found the merged SPDX to be invalid. A quick check against an SPDX validator shows:

Expected behavior: The published SBOM should be a valid SPDX document.

Additional context: SBOM: https://github.com/sbs2001/fatbom/releases/download/v0.0.1/semi_merged_bom.json
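The issue does not quote the validator output, so the exact failure is not on record. As an added example (not code from fatbom or sbomqs, and not the validator the reporter used), the following script performs the document-level SPDX 2.x checks that merged SBOMs break most often: required header fields, well-formed and unique SPDXIDs, relationships that point at elements which actually exist in the document, and a DESCRIBES link from the document. The two embedded documents are constructed for illustration; the package names, SPDXIDs and namespace are made up.

```python
"""Minimal structural validator for SPDX 2.x JSON documents (added example)."""
import json
import re
from datetime import datetime
from typing import List

SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
EXTERNAL_RE = re.compile(r"^DocumentRef-[A-Za-z0-9.\-]+:SPDXRef-[A-Za-z0-9.\-]+$")
VERSION_RE = re.compile(r"^SPDX-2\.[0-9]+$")
URI_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*://")


def validate_spdx_json(doc: dict) -> List[str]:
    """Return human-readable errors; an empty list means every check here passed."""
    errors = []

    # Document header requirements from the SPDX 2.2/2.3 specification.
    if not VERSION_RE.match(str(doc.get("spdxVersion", ""))):
        errors.append("spdxVersion must look like SPDX-2.x")
    if doc.get("dataLicense") != "CC0-1.0":
        errors.append("dataLicense must be CC0-1.0")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        errors.append("document SPDXID must be SPDXRef-DOCUMENT")
    if not doc.get("name"):
        errors.append("document name is required")
    ns = str(doc.get("documentNamespace", ""))
    if not URI_RE.match(ns) or "#" in ns:
        errors.append("documentNamespace must be an absolute URI without a fragment")

    ci = doc.get("creationInfo") or {}
    if not ci.get("creators"):
        errors.append("creationInfo.creators must list at least one creator")
    try:
        datetime.strptime(str(ci.get("created") or ""), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        errors.append("creationInfo.created must be YYYY-MM-DDThh:mm:ssZ")

    # Collect every element id; flag malformed and duplicate ones.
    # Duplicates are the classic symptom of concatenating two tools' output.
    known = {"SPDXRef-DOCUMENT"}
    for section in ("packages", "files", "snippets"):
        for i, elem in enumerate(doc.get(section, [])):
            sid = str(elem.get("SPDXID", ""))
            if not SPDXID_RE.match(sid):
                errors.append(f"{section}[{i}] has malformed SPDXID {sid!r}")
            elif sid in known:
                errors.append(f"duplicate SPDXID {sid}")
            known.add(sid)
            if section == "packages":
                if not elem.get("name"):
                    errors.append(f"{sid}: package name is required")
                if not elem.get("downloadLocation"):
                    errors.append(f"{sid}: downloadLocation is required")

    # Relationships must reference elements present in this document
    # (or an external document via a DocumentRef- prefix).
    describes = set(doc.get("documentDescribes", []))
    for i, rel in enumerate(doc.get("relationships", [])):
        src = str(rel.get("spdxElementId", ""))
        dst = str(rel.get("relatedSpdxElement", ""))
        if src not in known and not EXTERNAL_RE.match(src):
            errors.append(f"relationships[{i}] references unknown element {src!r}")
        if dst not in known and not EXTERNAL_RE.match(dst) and dst not in ("NONE", "NOASSERTION"):
            errors.append(f"relationships[{i}] references unknown element {dst!r}")
        if src == "SPDXRef-DOCUMENT" and rel.get("relationshipType") == "DESCRIBES":
            describes.add(dst)
    if not describes:
        errors.append("document must DESCRIBES at least one element")
    return errors


# Constructed sample of a merge gone wrong: the namespace carries a fragment,
# the second tool's package reused the first one's SPDXID, and a relationship
# still points at an element that was dropped during the merge.
BAD_MERGED_DOC = json.loads("""{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "merged-example",
  "documentNamespace": "https://example.invalid/spdx/merged#1",
  "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: merger-example"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-1", "name": "libfoo", "versionInfo": "1.0", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-1", "name": "libbar", "versionInfo": "2.1", "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-1"},
    {"spdxElementId": "SPDXRef-Package-1", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-42"}
  ]
}""")

# Constructed sample with the same content merged correctly.
GOOD_MERGED_DOC = json.loads("""{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "merged-example",
  "documentNamespace": "https://example.invalid/spdx/merged-1",
  "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: merger-example"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-1", "name": "libfoo", "versionInfo": "1.0", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-2", "name": "libbar", "versionInfo": "2.1", "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-1"},
    {"spdxElementId": "SPDXRef-Package-1", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-2"}
  ]
}""")

if __name__ == "__main__":
    for label, d in (("bad", BAD_MERGED_DOC), ("good", GOOD_MERGED_DOC)):
        print(label, validate_spdx_json(d) or "OK")
```

These checks are a fast pre-flight for a merge step, not a substitute for the official SPDX tooling: the real validators also verify license expressions, checksums, verification codes and per-version field rules that this script deliberately leaves out.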

sbs2001 commented 1 year ago

@surendrapathak thanks! Didn't know about the tool, great work there. I'll fix the error in the next release.

surendrapathak commented 1 year ago

Wow - thanks for a quick update :) Feel free to star sbomqs - we have a lot of work to do to get the quality of SBOMs up. We are tracking them all here: https://github.com/interlynk-io/sbomqs/discussions/39