Open edonadei opened 10 months ago
Hey @edonadei, thanks for the report. I think we understand the problem well enough so we'll put it in our backlog for consideration. There is a caveat that if we are unable to determine the version at all, we will probably still have to create non-NTIA-compliant output because we just don't have any version to reference.
Implementation notes: we might need to implement a "replace" handler to figure out how to do the right thing in these cases.
What happened: In the case of scanning a Go project with a go.mod file with a replace statement, e.g. here. It is supposed to recursively resolve to this file.
But it generates an SBOM package without versionInfo (non-NTIA compliant).
What you expected to happen:
The package referred to here is already added,
so I would expect that package "../" not to exist at all.
Steps to reproduce the issue:
Anything else we need to know?: I used this checker to verify if the SBOM is compliant https://github.com/spdx/ntia-conformance-checker
Environment:
syft version: v.0.77.0
OS (cat /etc/os-release or similar): Ubuntu
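The behaviour the report asks for, as an added example that is neither the reporter's nor syft's own code: a minimal go.mod reader (not golang.org/x/mod, which syft actually uses) plus a resolver that handles the two kinds of replace target differently. A module-to-module replacement swaps in the new path and version; a directory replacement such as `=> ../` keeps the required module's path and version and merely records the directory, so no package named "../" is ever emitted. Anything that still ends up without a version is reported separately, which is the case the maintainer's caveat describes. The go.mod text and all module names are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod, not taken from the issue: one replace to a directory,
// one replace to another module. The "indirect" comment exercises comment stripping.
const sampleGoMod = `module example.com/app
require (
	example.com/lib v1.2.0
	github.com/foo/bar v0.3.1 // indirect
	example.com/oldname v0.9.0
)
replace (
	example.com/lib => ../
	example.com/oldname => example.com/newname v1.0.0
)
`

// Replacement is one parsed replace target; Version is empty for directories.
type Replacement struct {
	Path    string
	Version string
	IsDir   bool
}

// Package is one SBOM entry; LocalDir is set when a directory replaced the module.
type Package struct{ Path, Version, LocalDir string }

// IsDirPath follows the Go toolchain rule: rooted, "./" or "../" means a directory.
func IsDirPath(s string) bool {
	return s == "." || s == ".." || strings.HasPrefix(s, "/") || strings.HasPrefix(s, "./") || strings.HasPrefix(s, "../")
}

// ParseGoMod reads require and replace directives (single-line or block form,
// comments stripped). Deliberately minimal, not golang.org/x/mod; other directives are ignored.
func ParseGoMod(src string) (map[string]string, map[string]Replacement) {
	requires, replaces := map[string]string{}, map[string]Replacement{}
	block := "" // "require" or "replace" while inside a parenthesised block
	for _, raw := range strings.Split(src, "\n") {
		if i := strings.Index(raw, "//"); i >= 0 {
			raw = raw[:i]
		}
		f := strings.Fields(raw)
		switch {
		case len(f) == 0:
		case block != "" && f[0] == ")":
			block = ""
		case block != "":
			apply(block, f, requires, replaces)
		case len(f) == 2 && f[1] == "(" && (f[0] == "require" || f[0] == "replace"):
			block = f[0]
		case f[0] == "require" || f[0] == "replace":
			apply(f[0], f[1:], requires, replaces)
		}
	}
	return requires, replaces
}

// apply records one directive body (keyword already removed).
// Replace forms: old => dir | old => mod vN. A module target with no version stays versionless.
func apply(kind string, f []string, requires map[string]string, replaces map[string]Replacement) {
	if kind == "require" {
		if len(f) >= 2 {
			requires[f[0]] = f[1]
		}
		return
	}
	parts := strings.SplitN(strings.Join(f, " "), " => ", 2)
	if len(parts) != 2 {
		return // malformed directive; a real parser would report an error
	}
	old, tgt := strings.Fields(parts[0]), strings.Fields(parts[1])
	r := Replacement{Path: tgt[0], IsDir: IsDirPath(tgt[0])}
	if !r.IsDir && len(tgt) > 1 {
		r.Version = tgt[1]
	}
	replaces[old[0]] = r
}

// Resolve applies replacements to requirements. A module replacement swaps in
// the new path and version; a directory replacement keeps the required path and
// version and only records the directory, so no package named "../" is emitted.
// Entries still lacking a version are returned separately: those are what an
// NTIA minimum-elements check flags.
func Resolve(requires map[string]string, replaces map[string]Replacement) (pkgs []Package, missingVersion []string) {
	for p, v := range requires {
		pkg := Package{Path: p, Version: v}
		if r, ok := replaces[p]; ok {
			if r.IsDir {
				pkg.LocalDir = r.Path
			} else {
				pkg.Path, pkg.Version = r.Path, r.Version
			}
		}
		if pkg.Version == "" {
			missingVersion = append(missingVersion, pkg.Path)
		}
		pkgs = append(pkgs, pkg)
	}
	sort.Slice(pkgs, func(i, j int) bool { return pkgs[i].Path < pkgs[j].Path }) // reproducible output
	return pkgs, missingVersion
}

func main() {
	pkgs, missing := Resolve(ParseGoMod(sampleGoMod))
	fmt.Printf("%+v\nwithout version: %v\n", pkgs, missing)
}
```

Run with `go run .` to see the three resolved entries; the directory replacement surfaces only as LocalDir on example.com/lib, never as its own package. Whether a local-path replacement should additionally be merged with the main module when it points at the project root (the "../" case in the report) is a policy decision this example leaves to the caller.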