Closed benmss closed 7 months ago
@benmss I will have a look. The metadata fields were updated whilst adding some features to libsbom 0.5 to support CycloneDX v1.5. It looks as if these have resulted in the issue.
The generated SBOM is valid according to the CycloneDX SBOM validator
Thanks @anthonyharrison. It is correct that the SBOM is "valid" according to the schema but unfortunately the verifier/consumer tools rely on references in the BOM file as described in this issue to identify dependencies. So, it would be great if this issue gets resolved.
When creating a CycloneDX SBOM via sbom4python, and therefore this library, the metadata -> component -> bom-ref property is set to CDXRef-DOCUMENT, and this value is not present in any of the bom-ref properties of the non-metadata components elsewhere in the SBOM. For example, with the SBOM for the radon module created by sbom4python@0.10.0 and libs4sbom@0.5.1: (This was created with pip 23.3 and Python 3.11)

It seems this issue is the result of a somewhat recent change, as in an SBOM created by libs4sbom@0.4.3 the CDXRef-DOCUMENT property value is present in the proper component as well. However, I would advocate for the metadata bom-ref and the related component to both contain something like 1-radon rather than CDXRef-DOCUMENT.
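A consumer-side check for the mismatch described in this issue, as an added example that is not code from sbom4python or libs4sbom. It assumes that consumers locate the application's direct dependencies by looking up the metadata component's bom-ref in the dependencies array; the SBOM below is a constructed, trimmed stand-in for the radon example, not the actual generated file.

```python
import json

# Constructed sample (not the real radon SBOM): the metadata component carries
# "CDXRef-DOCUMENT", but the dependency graph only knows the root as "1-radon".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "radon",
                               "bom-ref": "CDXRef-DOCUMENT"}},
    "components": [
        {"type": "library", "name": "radon", "bom-ref": "1-radon"},
        {"type": "library", "name": "mando", "bom-ref": "2-mando"},
        {"type": "library", "name": "colorama", "bom-ref": "3-colorama"},
    ],
    "dependencies": [
        {"ref": "1-radon", "dependsOn": ["2-mando", "3-colorama"]},
        {"ref": "2-mando", "dependsOn": []},
        {"ref": "3-colorama", "dependsOn": []},
    ],
})


def check_root_refs(sbom_json: str) -> list[str]:
    """Return findings about unresolvable bom-refs; an empty list means the
    root component can be tied to its dependencies."""
    bom = json.loads(sbom_json)
    findings = []
    root = bom.get("metadata", {}).get("component", {})
    root_ref = root.get("bom-ref")
    if not root_ref:
        return ["metadata.component has no bom-ref"]
    components = bom.get("components", [])
    declared = {c["bom-ref"] for c in components if "bom-ref" in c} | {root_ref}
    deps = bom.get("dependencies", [])
    # The issue's core complaint: the root's ref never appears in the graph.
    if root_ref not in {d["ref"] for d in deps}:
        findings.append(f"root bom-ref {root_ref!r} has no dependencies entry")
    # Same name as the root but a different ref: a duplicate identity for one package.
    for c in components:
        if c.get("name") == root.get("name") and c.get("bom-ref") != root_ref:
            findings.append(f"component {c['bom-ref']!r} duplicates root {root_ref!r}")
    # Every edge must point at a declared bom-ref.
    for d in deps:
        for target in [d["ref"], *d.get("dependsOn", [])]:
            if target not in declared:
                findings.append(f"{d['ref']!r} references unknown bom-ref {target!r}")
    return findings


def with_root_ref(sbom_json: str, new_ref: str) -> str:
    """Rewrite only the metadata component's bom-ref (the fix the issue proposes)."""
    bom = json.loads(sbom_json)
    bom["metadata"]["component"]["bom-ref"] = new_ref
    return json.dumps(bom)
```

Running the check on the constructed sample reports the unreferenced root and the duplicate radon entry; pointing the metadata bom-ref at 1-radon clears both.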