eBay / sbom-scorecard

Generate a score for your sbom to understand if it will actually be useful.
Apache License 2.0

[Potential Bug] cyclonedx logic on package versions uses package digest #11

Closed jspeed-meyers closed 1 year ago

jspeed-meyers commented 1 year ago

I noticed that the PackageVersions function uses package digests (hasPackDigest). Is this intended?

https://github.com/eBay/sbom-scorecard/blob/712e7661d06c61309c1794e761f3faf095a69de6/pkg/cdx/cdx_report.go#L66-L70

The underlying Component struct has a Version field. I had expected the PackageVersions function to use the Version field. I'm glad to put in a PR to fix this if this is not the intended behavior.

justinabrahms commented 1 year ago

So the intent was: "are packages identifiable by a version?" Ideally, we'd use a version field, but I'll admit that there's currently some ambiguity in the package around digest versus versioning. I welcome your change.
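The distinction the two comments above are about, as an added Go example (not sbom-scorecard's own code): the same CycloneDX BOM scored once by whether each component carries a Version and once by whether it carries a digest. The minimal types, the `coverage` helper and the sample BOM are constructed for this example.

```go
package main

import "encoding/json"

// Minimal CycloneDX shapes for this example (hand-written, not the
// cyclonedx-go types); encoding/json matches keys case-insensitively.
type Component struct {
	Name    string
	Version string
	Hashes  []struct{ Alg, Content string }
}

type BOM struct {
	Components []Component
}

// Constructed sample BOM: two of three components carry a version, but
// only one carries a digest (placeholder content, not a real hash).
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"libfoo","version":"1.2.3","hashes":[{"alg":"SHA-256","content":"PLACEHOLDER"}]},
 {"name":"libbar","version":"0.9.0"},
 {"name":"libbaz"}]}`

func parseBOM(data string) (BOM, error) {
	var bom BOM
	err := json.Unmarshal([]byte(data), &bom)
	return bom, err
}

// coverage returns the fraction (0..1) of components satisfying pred;
// an empty BOM scores 0 instead of dividing by zero.
func coverage(bom BOM, pred func(Component) bool) float64 {
	if len(bom.Components) == 0 {
		return 0
	}
	n := 0
	for _, c := range bom.Components {
		if pred(c) {
			n++
		}
	}
	return float64(n) / float64(len(bom.Components))
}

// hasVersion is the check the issue expects; hasDigest is what the linked
// code was effectively measuring. They score the same BOM differently.
func hasVersion(c Component) bool { return c.Version != "" }
func hasDigest(c Component) bool  { return len(c.Hashes) > 0 }
```

On the sample BOM, version coverage is 2/3 while digest coverage is 1/3, which is the gap a scorecard keyed on digests would hide.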