anthonyharrison
commented
1 year ago @Molkree It looks as if the tool is working correctly given the data which it is being provided with.There appears to have been some regression with some of the updates to the modules.
I modified the handling of supplier names as there were some issues with the processing as I wasn't correctly handling the case where a supplier wasn't specified. There are three types of supplier - person, organiation and NONE and I wasn't handling the NONE case correctly.
Looking at aiosignal, there is no longer an author or email reported for version 1.3.1 - so NOASSERTION is a correct respsonse. idna (version 3.3), on the other hand did have but version 3.4 only has Author-email specified. Looks like there is a bit of improvemnt to be made to handle the case where author isn't specified but email is.
Regarding licence information, idna (version 3.4) no longer includes any license information. This is a regression from version 3.3 as you can see.
Name: idna Version: 3.3 Summary: Internationalized Domain Names in Applications (IDNA) Home-page: https://github.com/kjd/idna Author: Kim Davies Author-email: kim@cynosure.com.au License: BSD-3-Clause Location: /usr/lib/python3/dist-packages Requires: Required-by: email-validator
And version 3.4
Name: idna Version: 3.4 Summary: Internationalized Domain Names in Applications (IDNA) Home-page: Author: Author-email: Kim Davies kim@cynosure.com.au License: Location: /usr/local/lib/python3.10/dist-packages Requires: Required-by: email-validator
I have regenerated SBOM for cve-bin-tool and I see a couple of regressions.
The most obvious one is that whitespaces between words are now replaced with underscores:
Some
PackageSuppliers have gone missing but I guess it could be some real-life change? I don't know how you get this info. Example from aiosignal and idna:Some licences were lost. Example from idna: