anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

Invalid SPDX: missing copyright text #3346

Open vargenau opened 1 week ago

vargenau commented 1 week ago

What happened:

Generated SPDX is invalid, mandatory copyright text is missing

What you expected to happen:

SPDX should be valid

Steps to reproduce the issue:

syft docker:bitnami/mongodb:6.0.6-debian-11-r0 --scope all-layers -o spdx-tag-value@2.2 > mongodb-6.0.6-debian-11-r0.spdx

Anything else we need to know?:

Environment:

kzantow commented 1 day ago

Hey @vargenau -- would you mind posting the error you are getting? We seem to be having issues running the online validator on this SBOM. Thanks!

vargenau commented 1 day ago

Hello,

It's better to download and install the Java tools https://github.com/spdx/tools-java or the Python tools https://github.com/spdx/tools-python locally than to use the online tools for big SPDX files.

This is the generated SBOM: mongodb-6.0.6-debian-11-r0.spdx.txt

Running

pyspdxtools -i mongodb-6.0.6-debian-11-r0.spdx

gives the following result: pyspdxtools.txt

Most errors are related to https://github.com/anchore/syft/issues/2093

But for this bug report you have:

copyright_text is mandatory in SPDX-2.2

The Java tools give: javatools.zip

kzantow commented 1 day ago

Thanks @vargenau. I do see the Copyright Text is a mandatory field in SPDX 2.2. We should default this to NOASSERTION, like we do for other required fields. I've added this to the backlog and always happy to review any pull requests!
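As an added example (not syft's own code, nor spdx/tools-python's), a small check-and-repair pass over the tag-value output discussed in this thread: it flags every package section that lacks the mandatory PackageCopyrightText and fills it with NOASSERTION, the default proposed above. It goes slightly beyond the report by also covering FileCopyrightText, which SPDX 2.2 likewise makes mandatory. The sample SBOM is constructed inline, not the attached mongodb document.

```python
import re
# Section-opening tag -> copyright tag that SPDX 2.2 makes mandatory in that section.
REQUIRED = {"PackageName": "PackageCopyrightText", "FileName": "FileCopyrightText"}
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

# Constructed sample (not real syft output): libc6 is complete, zlib1g and the file are not.
SAMPLE = """SPDXVersion: SPDX-2.2
PackageName: libc6
PackageCopyrightText: <text>Copyright (C) 1991-2021 FSF
Note: inside <text> this line is data, not a tag</text>
PackageName: zlib1g
PackageDownloadLocation: NOASSERTION
FileName: ./usr/lib/libz.so.1
SPDXID: SPDXRef-File-libz
"""

def tags(text):
    """Yield (line_no, tag, value); continuation lines of <text>...</text> values are skipped."""
    in_text = False
    for i, line in enumerate(text.splitlines()):
        if in_text:
            in_text = "</text>" not in line
            continue
        m = TAG_RE.match(line)
        if m:
            in_text = m.group(2).startswith("<text>") and "</text>" not in line
            yield i, m.group(1), m.group(2)

def sections(text):
    """Return [(line_no, opening_tag, name, tags_seen)] for each package/file section."""
    out = []
    for i, tag, value in tags(text):
        if tag in REQUIRED:
            out.append((i, tag, value, set()))
        if out:
            out[-1][3].add(tag)
    return out

def missing_copyright(text):
    """Names of packages/files whose section lacks the mandatory copyright tag."""
    return [name for _, tag, name, seen in sections(text) if REQUIRED[tag] not in seen]

def repair(text):
    """Add '<Tag>: NOASSERTION' after each incomplete section's opening tag (bottom-up, so indices stay valid)."""
    lines = text.splitlines()
    for i, tag, _, seen in reversed(sections(text)):
        if REQUIRED[tag] not in seen:
            lines.insert(i + 1, f"{REQUIRED[tag]}: NOASSERTION")
    return "\n".join(lines) + "\n"
```

Run `missing_copyright(open("mongodb-6.0.6-debian-11-r0.spdx").read())` to list the offending sections, then re-validate the `repair` output with pyspdxtools as above.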