Open. Opened by kl-sinclair 3 months ago.
Thanks for the issue. I've reproduced this on Syft 1.9.0.
Just to add some supporting evidence for this issue: https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
The package information in v2.3 allows for formats that identify the primary package purpose:
APPLICATION | FRAMEWORK | LIBRARY | CONTAINER | OPERATING-SYSTEM | DEVICE | FIRMWARE | SOURCE | ARCHIVE | FILE | INSTALL | OTHER
Operating System is included in this enum, so including the discovered operating system as a package in SPDX would be the correct spot. Syft has data for this in its underlying JSON format. It's just a matter of creating the package during the format serialization.
What happened:
When generating an SPDX document for container images like Redis or Ubuntu, only package information is included, but OS information, such as Alpine or Ubuntu, is not included in the Package Information section.
Redis: https://gist.github.com/kl-sinclair/eec66cc2a577a4c702521b20217a1bac
Ubuntu: https://gist.github.com/kl-sinclair/dfab9b10e93be204d8d76b69e2662333
What you expected to happen:
OS information should be included as a package. For example, as follows:
or
Steps to reproduce the issue:
Anything else we need to know?:
With CycloneDX, OS information is included as a component:
syft-redis.cdx.json:
syft-ubuntu.cdx.json:
Environment:
- Output of syft version:
- OS (e.g. cat /etc/os-release or similar): macOS Ventura 13.3
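Until the serializer emits it, the OS package can be synthesized from Syft's own JSON output and checked for in the SPDX document. The following is an added example, not Syft code and not from the issue author: it assumes Syft's JSON format carries the detected distro under a top-level "distro" object (id, name, versionID, version, prettyName, homeURL) and that the SPDX document has the SPDX 2.3 JSON shape with "packages" and "relationships" arrays. The sample documents below are constructed, trimmed stand-ins for real syft output, and the SPDXID naming scheme (SPDXRef-OperatingSystem-...) is this example's own choice, not a Syft convention.

```python
"""Add the detected OS to a Syft SPDX 2.3 JSON document as a package with
primaryPackagePurpose OPERATING-SYSTEM, and check whether it is present.

Added example (not Syft's own code). Assumptions:
  - Syft JSON exposes the OS under a top-level "distro" object.
  - The SPDX document is the SPDX 2.3 JSON shape ("packages", "relationships").
  - The SPDXID scheme used for the new package is this script's own choice.
"""
import copy
import re

# Constructed sample: a trimmed Syft JSON output for an Alpine-based image.
SYFT_JSON = {
    "artifacts": [{"name": "busybox", "version": "1.36.1-r15", "type": "apk"}],
    "distro": {
        "prettyName": "Alpine Linux v3.19",
        "name": "Alpine Linux",
        "id": "alpine",
        "versionID": "3.19.1",
        "homeURL": "https://alpinelinux.org/",
    },
}

# Constructed sample: a trimmed SPDX 2.3 JSON document that, like the reports
# in this issue, lists the package but not the operating system.
SPDX_JSON = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "redis",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-apk-busybox-0001",
            "name": "busybox",
            "versionInfo": "1.36.1-r15",
            "downloadLocation": "NOASSERTION",
        },
    ],
    "relationships": [],
}


def os_packages(spdx):
    """Packages flagged as OPERATING-SYSTEM (SPDX 2.3 section 7.24)."""
    return [p for p in spdx.get("packages", [])
            if p.get("primaryPackagePurpose") == "OPERATING-SYSTEM"]


def os_components_cyclonedx(cdx):
    """CycloneDX equivalent: components typed "operating-system"."""
    return [c for c in cdx.get("components", [])
            if c.get("type") == "operating-system"]


def _spdx_id_fragment(text):
    # An SPDXID may only contain letters, digits, "." and "-".
    return re.sub(r"[^A-Za-z0-9.\-]", "-", text)


def os_package_from_distro(distro, existing_ids=()):
    """Build an SPDX 2.3 package dict from Syft's distro object."""
    name = distro.get("id") or distro.get("name")
    version = distro.get("versionID") or distro.get("version") or ""
    base = f"SPDXRef-OperatingSystem-{_spdx_id_fragment(name)}"
    if version:
        base += f"-{_spdx_id_fragment(version)}"
    # Guard against an SPDXID collision with an existing package.
    spdx_id, n = base, 1
    while spdx_id in existing_ids:
        spdx_id, n = f"{base}-{n}", n + 1
    pkg = {
        "SPDXID": spdx_id,
        "name": name,
        "primaryPackagePurpose": "OPERATING-SYSTEM",
        "downloadLocation": "NOASSERTION",
        "supplier": "NOASSERTION",
        "filesAnalyzed": False,
    }
    if version:
        pkg["versionInfo"] = version
    if distro.get("prettyName"):
        pkg["summary"] = distro["prettyName"]
    if distro.get("homeURL"):
        pkg["homepage"] = distro["homeURL"]
    return pkg


def add_os_package(spdx, syft_json):
    """Return a copy of spdx with the OS package added if it is missing.

    Idempotent: a document that already has an OPERATING-SYSTEM package is
    returned unchanged, as is one where Syft detected no distro.
    """
    doc = copy.deepcopy(spdx)
    if os_packages(doc):
        return doc
    distro = syft_json.get("distro") or {}
    if not (distro.get("id") or distro.get("name")):
        return doc
    ids = {p.get("SPDXID") for p in doc.get("packages", [])}
    pkg = os_package_from_distro(distro, ids)
    doc.setdefault("packages", []).append(pkg)
    doc.setdefault("relationships", []).append({
        "spdxElementId": doc["SPDXID"],
        "relatedSpdxElement": pkg["SPDXID"],
        "relationshipType": "DESCRIBES",
    })
    return doc


if __name__ == "__main__":
    import json
    print(json.dumps(add_os_package(SPDX_JSON, SYFT_JSON), indent=2))
```

In practice the two inputs come from the same scan (syft -o json and syft -o spdx-json, or the SPDX converted from Syft's JSON), so the distro in the JSON is the one the SPDX document is missing. The DESCRIBES relationship from the document is what keeps the added package from being an orphan that SPDX validators flag.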