anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

Conversion of cdx json sbom to spdx json sbom file misses download location and license information #27

Open angelwn opened 5 months ago

angelwn commented 5 months ago

The license information and download location are missing their values after the conversion from cdx.json to spdx.json.

```python
from lib4sbom.parser import SBOMParser
from lib4sbom.generator import SBOMGenerator
from lib4sbom.data.document import SBOMDocument

test_parser = SBOMParser()
test_parser.parse_file("gl-sbom-conan-conan.cdx.json")
```

One example package in gl-sbom-conan-conan.cdx.json:

```json
{
  "name": "openssl",
  "version": "3.1.3",
  "purl": "pkg:conan/openssl@3.1.3",
  "type": "library",
  "bom-ref": "pkg:conan/openssl@3.1.3",
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0"
      }
    }
  ],
  "URL": "https://gitlab.com/test/libraries/open-source-libraries/-/tree/main/packages/openssl",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "copyrightText": "",
  "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz', 'https://github.com/openssl/openssl/releases/download/openssl-3.1.3/openssl-3.1.3.tar.gz']",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "patch_file": "[{'patch_file': 'patches/3.1.1-fix-qcc-compilation.patch', 'base_path': ''}]"
}
```

When converted to gl-sbom-conan-conan.spdx.json, the downloadLocation and licenseConcluded get NOASSERTION instead of the actual value:

```json
{
  "SPDXID": "SPDXRef-Package-46-openssl",
  "name": "openssl",
  "versionInfo": "3.1.3",
  "primaryPackagePurpose": "LIBRARY",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA256",
      "checkumValue": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:conan/openssl@3.1.3"
    }
  ]
}
```
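As an added illustration (my own code, not lib4sbom's), the block below is a minimal CycloneDX-component-to-SPDX-package mapping that shows one reason a spec-driven converter drops the download location of the component quoted above: top-level `URL` and `downloadLocation` keys are not part of the CycloneDX component schema, so the converter has nothing to read them from, whereas a download URL placed in `externalReferences` with type `distribution` (the schema's own location for it) does come through. The two inputs are constructed, modelled on the issue's component with a placeholder digest. I map the license id to `licenseDeclared` and leave `licenseConcluded` as NOASSERTION, since a format conversion cannot conclude a license; `noassertion_fields` is the post-conversion audit I would run on every package before trusting a converted SBOM.

```python
"""Reference CycloneDX component -> SPDX package mapping (added example, not lib4sbom code)."""
import json
import re

NOASSERTION = "NOASSERTION"

# Constructed input modelled on the component in the issue. The top-level
# "URL" and "downloadLocation" keys are not in the CycloneDX component schema.
NONSTANDARD_COMPONENT = {
    "name": "openssl",
    "version": "3.1.3",
    "purl": "pkg:conan/openssl@3.1.3",
    "type": "library",
    "bom-ref": "pkg:conan/openssl@3.1.3",
    "licenses": [{"license": {"id": "Apache-2.0"}}],
    "URL": "https://example.invalid/packages/openssl",  # constructed
    "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz']",
    "hashes": [{"alg": "SHA-256", "content": "00" * 32}],  # constructed placeholder digest
}

# Same component with the download URL where the CycloneDX schema expects it:
# an externalReferences entry of type "distribution".
SPEC_COMPONENT = {
    k: v for k, v in NONSTANDARD_COMPONENT.items() if k not in ("URL", "downloadLocation")
}
SPEC_COMPONENT["externalReferences"] = [
    {"type": "distribution", "url": "https://www.openssl.org/source/openssl-3.1.3.tar.gz"}
]

# CycloneDX hash algorithm names -> SPDX checksum algorithm names.
HASH_ALGS = {"MD5": "MD5", "SHA-1": "SHA1", "SHA-256": "SHA256", "SHA-512": "SHA512"}


def cdx_license_expression(component):
    """Build an SPDX license expression from CycloneDX 'licenses', else NOASSERTION."""
    parts = []
    for entry in component.get("licenses", []):
        if entry.get("expression"):
            parts.append(entry["expression"])
            continue
        lic = entry.get("license", {})
        if lic.get("id"):
            parts.append(lic["id"])
        elif lic.get("name"):
            # Free-text names are not SPDX identifiers; wrap them as a LicenseRef.
            parts.append("LicenseRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", lic["name"]))
    if not parts:
        return NOASSERTION
    return " AND ".join(parts)


def cdx_download_location(component):
    """Return the 'distribution' external reference URL, else NOASSERTION."""
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "distribution" and ref.get("url"):
            return ref["url"]
    return NOASSERTION


def cdx_to_spdx_package(component, index):
    """Map one CycloneDX component dict to an SPDX 2.x package dict."""
    name = component["name"]
    pkg = {
        "SPDXID": f"SPDXRef-Package-{index}-{name}",
        "name": name,
        "versionInfo": component.get("version", ""),
        "downloadLocation": cdx_download_location(component),
        "filesAnalyzed": False,
        "licenseConcluded": NOASSERTION,  # a converter declares; it cannot conclude
        "licenseDeclared": cdx_license_expression(component),
        "copyrightText": NOASSERTION,
    }
    checksums = [
        {"algorithm": HASH_ALGS[h["alg"]], "checksumValue": h["content"]}
        for h in component.get("hashes", [])
        if h.get("alg") in HASH_ALGS
    ]
    if checksums:
        pkg["checksums"] = checksums
    if component.get("purl"):
        pkg["externalRefs"] = [
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": component["purl"]}
        ]
    return pkg


def noassertion_fields(pkg):
    """Audit helper: names of SPDX package fields that carry NOASSERTION."""
    return [k for k, v in pkg.items() if v == NOASSERTION]


if __name__ == "__main__":
    for label, comp in (("non-standard", NONSTANDARD_COMPONENT), ("spec", SPEC_COMPONENT)):
        pkg = cdx_to_spdx_package(comp, 46)
        print(label, json.dumps(pkg, indent=2))
        print(label, "NOASSERTION fields:", noassertion_fields(pkg))
```

Running it shows the non-standard component losing its download location while the spec-shaped one keeps it, and the audit list makes the gap visible without reading the whole SPDX document.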

anthonyharrison commented 5 months ago

@angelwn Can you provide the full SBOM to see the full context as some of the elements don't seem to be correct according to the CycloneDX specification?