What happened:
When using Syft to produce an SPDX JSON document, it looks like it uses SPDXRef values in the list of relationships that don't map to any element in the SPDX document. This in turn surfaces as a DEBUG-level log message when Syft is used (e.g. by Grype) to decode Syft's own SPDX documents.
What you expected to happen:
No strange looking debug message, and no SPDX SBOMs with these relationships with undefined references.
Steps to reproduce the issue:
Create an SPDX JSON SBOM.
Notice that this document contains many relationships that look like this:
Note the odd-looking relatedSpdxElement values, like SPDXRef-53502b080a8d553b.
Run Grype with debug logging, using this SBOM as input. (Optionally use grep to count instances of the DEBUG message in question.)
Anything else we need to know?:
cc: @kzantow
Environment:
Output of syft version:
OS (e.g. cat /etc/os-release or similar): macOS Sonoma
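Added example, not part of the original issue and not Syft's or Grype's code: a standalone Python checker that reports every relationship whose spdxElementId or relatedSpdxElement does not match any SPDXID the document defines, which is the condition that produces the debug message described above. It assumes the SPDX 2.x JSON layout (a top-level SPDXID plus packages, files and snippets lists) and treats the placeholders NONE and NOASSERTION, as well as DocumentRef-prefixed references into external documents, as valid rather than dangling. The embedded SBOM is constructed for the example; it reuses the SPDXRef-53502b080a8d553b value from the report as its one unresolved reference.

```python
"""Flag SPDX 2.x relationships that point at SPDXRef IDs the document never defines.

Added example; not Syft or Grype code. Assumes the SPDX 2.x JSON layout:
top-level "SPDXID", element lists "packages"/"files"/"snippets", and a
"relationships" list whose entries carry "spdxElementId" and "relatedSpdxElement".
"""
import json
import sys
from collections import Counter

ELEMENT_LISTS = ("packages", "files", "snippets")
# SPDX 2.x allows these placeholders as relationship endpoints; they are not IDs.
SPECIAL_REFS = {"NONE", "NOASSERTION"}

# Constructed sample document (not produced by Syft). The last relationship
# references an SPDXRef that no package, file or snippet defines.
SAMPLE_SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-image",
  "packages": [
    {"SPDXID": "SPDXRef-Package-deb-libc6-1", "name": "libc6"},
    {"SPDXID": "SPDXRef-Package-deb-bash-2", "name": "bash"}
  ],
  "files": [
    {"SPDXID": "SPDXRef-File-bin-bash-3", "fileName": "/bin/bash"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-deb-libc6-1",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-Package-deb-bash-2", "relatedSpdxElement": "SPDXRef-File-bin-bash-3",
     "relationshipType": "CONTAINS"},
    {"spdxElementId": "SPDXRef-Package-deb-bash-2", "relatedSpdxElement": "SPDXRef-53502b080a8d553b",
     "relationshipType": "CONTAINS"}
  ]
}"""


def defined_ids(doc):
    """Collect every SPDXID the document itself defines (document + elements)."""
    ids = set()
    if doc.get("SPDXID"):
        ids.add(doc["SPDXID"])
    for key in ELEMENT_LISTS:
        for element in doc.get(key, []):
            if element.get("SPDXID"):
                ids.add(element["SPDXID"])
    return ids


def is_resolvable(ref, ids):
    """True if ref is defined locally, is a placeholder, or targets an external document."""
    if ref in ids or ref in SPECIAL_REFS:
        return True
    # "DocumentRef-x:SPDXRef-y" resolves against a document we do not have here,
    # so it is not counted as dangling by this local check.
    return ref.startswith("DocumentRef-")


def dangling_relationships(doc):
    """Return (index, field, ref) for each relationship endpoint that resolves to nothing."""
    ids = defined_ids(doc)
    problems = []
    for index, rel in enumerate(doc.get("relationships", [])):
        for field in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(field)
            if ref is None or not is_resolvable(ref, ids):
                problems.append((index, field, ref))
    return problems


def check_spdx_json(text):
    """Parse an SPDX JSON document and summarize unresolved relationship endpoints."""
    doc = json.loads(text)
    relationships = doc.get("relationships", [])
    problems = dangling_relationships(doc)
    by_type = Counter(relationships[i].get("relationshipType") for i, _, _ in problems)
    return {
        "elements": len(defined_ids(doc)),
        "relationships": len(relationships),
        "dangling": problems,
        "by_type": dict(by_type),
    }


if __name__ == "__main__":
    # Pass an SPDX JSON path as the first argument; with none, the embedded sample is checked.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SPDX_JSON
    report = check_spdx_json(source)
    print(f"{report['elements']} elements, {report['relationships']} relationships, "
          f"{len(report['dangling'])} unresolved endpoint(s)")
    for index, field, ref in report["dangling"]:
        print(f"  relationships[{index}].{field} -> {ref!r}")
    if report["by_type"]:
        print("  by relationshipType:", report["by_type"])
```

Running it against a Syft-generated SPDX JSON file gives the count and the per-relationshipType breakdown directly, without needing Grype's debug log or grep. The DocumentRef- and NONE/NOASSERTION handling matters: a naive "is it in the ID set" check would report those legitimate endpoints as dangling too.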