Open angelwn opened 5 months ago
The license information and download location are missing their values after the conversion from cdx.json to spdx.json.

```python
from lib4sbom.parser import SBOMParser
from lib4sbom.generator import SBOMGenerator
from lib4sbom.data.document import SBOMDocument

test_parser = SBOMParser()
test_parser.parse_file("gl-sbom-conan-conan.cdx.json")
```
One example package in gl-sbom-conan-conan.cdx.json:

```json
{
  "name": "openssl",
  "version": "3.1.3",
  "purl": "pkg:conan/openssl@3.1.3",
  "type": "library",
  "bom-ref": "pkg:conan/openssl@3.1.3",
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0"
      }
    }
  ],
  "URL": "https://gitlab.com/test/libraries/open-source-libraries/-/tree/main/packages/openssl",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "copyrightText": "",
  "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz', 'https://github.com/openssl/openssl/releases/download/openssl-3.1.3/openssl-3.1.3.tar.gz']",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "patch_file": "[{'patch_file': 'patches/3.1.1-fix-qcc-compilation.patch', 'base_path': ''}]"
},
```
When converted to gl-sbom-conan-conan.spdx.json, the downloadLocation and licenseConcluded got NOASSERTION instead of the actual values.

```json
{
  "SPDXID": "SPDXRef-Package-46-openssl",
  "name": "openssl",
  "versionInfo": "3.1.3",
  "primaryPackagePurpose": "LIBRARY",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA256",
      "checkumValue": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:conan/openssl@3.1.3"
    }
  ]
},
```
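As an added check (not lib4sbom code and not from the issue), the script below compares a CycloneDX input against the generated SPDX output, matches packages by purl, and reports the loss the issue describes: SPDX fields set to NOASSERTION although the source component carried a license or a download location. The sample documents are constructed from the component quoted above; note that a component-level `downloadLocation` key is not part of the CycloneDX component schema (the spec records it as an `externalReferences` entry of type `distribution`), so the check accepts either form.

```python
import json

# Constructed sample input: the issue's openssl component, trimmed to the fields
# under discussion (not a complete SBOM, and not the reporter's real file).
CDX_JSON = """{"bomFormat": "CycloneDX", "components": [
  {"name": "openssl", "version": "3.1.3", "purl": "pkg:conan/openssl@3.1.3",
   "type": "library", "licenses": [{"license": {"id": "Apache-2.0"}}],
   "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz']"}]}"""
SPDX_JSON = """{"spdxVersion": "SPDX-2.3", "packages": [
  {"SPDXID": "SPDXRef-Package-46-openssl", "name": "openssl", "versionInfo": "3.1.3",
   "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION", "externalRefs": [{"referenceCategory":
   "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:conan/openssl@3.1.3"}]}]}"""

def cdx_licenses(component):
    """SPDX ids, names or expressions declared on a CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found.append(entry.get("expression") or lic.get("id") or lic.get("name"))
    return [lic for lic in found if lic]

def cdx_download(component):
    """Download URL: the issue's non-standard key, else a spec 'distribution' externalReference."""
    dist = [r.get("url") for r in component.get("externalReferences", [])
            if r.get("type") == "distribution"]
    return component.get("downloadLocation") or (dist[0] if dist else None)

def spdx_purl(package):
    """purl recorded in the SPDX package's externalRefs, or None."""
    refs = [r for r in package.get("externalRefs", []) if r.get("referenceType") == "purl"]
    return refs[0].get("referenceLocator") if refs else None

def find_dropped_fields(cdx_doc, spdx_doc):
    """Map purl -> SPDX fields that are NOASSERTION although the CycloneDX source had a value."""
    by_purl = {spdx_purl(p): p for p in spdx_doc.get("packages", [])}
    dropped = {}
    for comp in cdx_doc.get("components", []):
        pkg = by_purl.get(comp.get("purl"), {})  # missing package: every field counts as dropped
        lost = [f for f, present in (("licenseDeclared", cdx_licenses(comp)),
                                     ("downloadLocation", cdx_download(comp)))
                if present and pkg.get(f, "NOASSERTION") == "NOASSERTION"]
        if lost:
            dropped[comp.get("purl")] = lost
    return dropped

def check_sample():
    """Run the comparison over the embedded samples; returns the dropped-field map."""
    return find_dropped_fields(json.loads(CDX_JSON), json.loads(SPDX_JSON))
```

Run the same comparison over the real pair of files (parsed with `json.load`) before trusting a converted SBOM downstream; a non-empty result means license or provenance data was silently dropped in conversion.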
@angelwn Can you provide the full SBOM to see the full context as some of the elements don't seem to be correct according to the CycloneDX specification?