Open Auston-Zhang opened 1 year ago
Hi @Auston-Zhang, thanks for the suggestion. We agree that it would be nice to add the downloadlocation field to other ecosystems where available. We will go ahead and put this in our backlog. If you are interested in implementing this for other ecosystems, please let us know and we can help get you started.
What would you like to be added:
Add code for 'downloadlocation' for other ecosystems.
Why is this needed: Right now, only NPM (JavaScript) and Apk (Alpine) are supported for download location. Source code: https://github.com/anchore/syft/blob/007b034ee38063fd5b41c82741e7561448dc817d/syft/formats/common/spdxhelpers/download_location.go#L17
It would be really helpful if we could add code for other ecosystems (like Python and Java), so that the generated SBOM (image-based) for Python packages can have the download location values.
Additional context:
Steps to reproduce (we are using the official node docker image https://hub.docker.com/_/node/):
syft node -o spdx-json > node_image.json
{ "name": "adduser", "SPDXID": "SPDXRef-Package-deb-adduser-d92ced51b4a5cd89", "versionInfo": "3.134", "supplier": "Person: Debian Adduser Developers \u003cadduser@packages.debian.org\u003e", "originator": "Person: Debian Adduser Developers \u003cadduser@packages.debian.org\u003e", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from DPKG DB: /usr/share/doc/adduser/copyright, /var/lib/dpkg/status", "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-2.0-only AND GPL-2.0-or-later", "copyrightText": "NOASSERTION",
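The following Go program is an added example, not syft's code: it mirrors the type-switch pattern of the linked download_location.go (which today handles only NPM and Apk metadata) for two of the ecosystems the request names, Python and Java. The metadata types (PythonPkg, JavaPkg), their field names and every sample value are constructed for illustration; syft's real pkg metadata structs are different. For Python the location is taken from PEP 610 direct_url.json and kept only when it names a remote location, since a file:// URL from a local build is not something a consumer can re-fetch. For Java the Maven Central URL is derived from pom.properties coordinates, which assumes the artifact was resolved from Central; pom.properties does not record the repository, so that is a convention, not a verified fact. Anything that cannot be determined stays NOASSERTION rather than being guessed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NoAssertion is the SPDX value for an unknown download location.
const NoAssertion = "NOASSERTION"

// PythonPkg is a hypothetical model of a pip-installed distribution.
// DirectURL holds the "url" field of PEP 610 direct_url.json, or "" when
// the file was not present in the image.
type PythonPkg struct {
	Name      string
	Version   string
	DirectURL string
}

// JavaPkg is a hypothetical model of the pom.properties coordinates found
// inside a JAR.
type JavaPkg struct {
	GroupID    string
	ArtifactID string
	Version    string
}

// allowedSchemes are URL schemes that name a remote, re-fetchable location.
var allowedSchemes = map[string]bool{
	"http": true, "https": true, "git": true,
	"git+https": true, "git+ssh": true, "ssh": true,
}

// pythonDownloadLocation trusts direct_url.json only when it points at a
// remote host; local paths and unparsable values yield NOASSERTION.
func pythonDownloadLocation(p PythonPkg) string {
	if p.DirectURL == "" {
		return NoAssertion
	}
	u, err := url.Parse(p.DirectURL)
	if err != nil || !allowedSchemes[u.Scheme] || u.Host == "" {
		return NoAssertion
	}
	return p.DirectURL
}

// mavenCentralLocation builds the canonical Maven Central URL for the JAR.
// Assumption: the artifact came from Central (pom.properties cannot confirm
// this). Coordinates that are empty or path-like are rejected so a bad value
// cannot produce a URL outside the expected directory layout.
func mavenCentralLocation(j JavaPkg) string {
	for _, s := range []string{j.GroupID, j.ArtifactID, j.Version} {
		if s == "" || strings.ContainsAny(s, "/\\") || strings.Contains(s, "..") {
			return NoAssertion
		}
	}
	groupPath := strings.ReplaceAll(j.GroupID, ".", "/")
	return fmt.Sprintf("https://repo1.maven.org/maven2/%s/%s/%s/%s-%s.jar",
		groupPath, j.ArtifactID, j.Version, j.ArtifactID, j.Version)
}

// DownloadLocation dispatches on the metadata type, in the same spirit as
// syft's switch over NPM and Apk metadata, and falls back to NOASSERTION.
func DownloadLocation(meta any) string {
	switch m := meta.(type) {
	case PythonPkg:
		return pythonDownloadLocation(m)
	case JavaPkg:
		return mavenCentralLocation(m)
	default:
		return NoAssertion
	}
}

func main() {
	// Constructed sample packages, not real catalog output.
	samples := []any{
		PythonPkg{Name: "requests", Version: "2.31.0",
			DirectURL: "https://files.pythonhosted.org/packages/source/r/requests/requests-2.31.0.tar.gz"},
		PythonPkg{Name: "localtool", Version: "0.1", DirectURL: "file:///tmp/build/localtool"},
		PythonPkg{Name: "setuptools", Version: "68.0.0"},
		JavaPkg{GroupID: "com.example", ArtifactID: "demo-lib", Version: "1.2.3"},
		"some other ecosystem",
	}
	for _, s := range samples {
		fmt.Printf("%-10T -> %s\n", s, DownloadLocation(s))
	}
}
```

The file:// and empty cases are the ones worth keeping in mind when extending the real function: an SBOM consumer uses downloadLocation to re-fetch and verify a package, so emitting a location that only existed on the build host is worse than NOASSERTION.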