What is happening
The full txt output looks like this:
25 total packages
0 total files
96% have licenses.
100% have package digest.
100% have package versions.
0% have purls.
0% have CPEs.
0% have file digest.
Spec valid? true
Has creation info? false
==
Spec Compliance: 25/25
Package ID: 0/20 (0% have purls and 0% have CPEs)
Package Versions: 20/20
Package Licenses: 19/20
Creation Info: 3/15 (The tool used to create the sbom does not have a version)
Total points: 67/100 or 67%
But the JSON output only returns part of the story:
$ sbom-scorecard score images/jenkins.spdx --outputFormat "json" | jq '.'
Guessed: spdx
{
"Compliance": {
"Ratio": 1,
"Reasoning": "",
"MaxPoints": 25
},
"PackageIdentification": {
"Ratio": 0,
"Reasoning": "0% have purls and 0% have CPEs",
"MaxPoints": 20
},
"PackageVersions": {
"Ratio": 1,
"Reasoning": "",
"MaxPoints": 20
},
"PackageLicenses": {
"Ratio": 0.96,
"Reasoning": "",
"MaxPoints": 20
},
"CreationInfo": {
"Ratio": 0.2,
"Reasoning": "The tool used to create the sbom does not have a version",
"MaxPoints": 15
},
"Total": {
"Ratio": 0.672,
"Reasoning": "",
"MaxPoints": 100
}
}
What should happen
The JSON output should contain all the information from the txt output.
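The fields that only the txt output reports (package and file counts, the coverage percentages for licenses, digests, versions, purls and CPEs, and whether the creating tool carries a version) can all be derived from the SPDX document itself. The script below is an added example and is not part of this issue or of sbom-scorecard's code: it recomputes that summary from a constructed SPDX 2.3 JSON document (a fake SBOM, not the Jenkins one) and then lists which of those fields are absent from the scorecard's JSON output as pasted above. The summary key names are my own, and the tool-version check assumes the SPDX `Tool: <name>-<version>` creator convention, matching it heuristically on a trailing `-<digits>` suffix.

```python
"""Recompute the per-package summary that sbom-scorecard prints in its txt
output from an SPDX 2.x JSON document, then list which of those fields are
missing from the scorecard's JSON output. Example code, not the tool's own."""
import json

# Constructed sample SPDX 2.3 JSON document (not a real SBOM): one package
# with a purl, one with a CPE, one without a license, one without a digest,
# and a creator Tool entry that carries no version suffix.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {
        "created": "2023-01-01T00:00:00Z",
        "creators": ["Tool: example-generator"],  # no '-<version>' suffix
    },
    "packages": [
        {"SPDXID": "SPDXRef-a", "name": "a", "versionInfo": "1.0",
         "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/a@1.0"}]},
        {"SPDXID": "SPDXRef-b", "name": "b", "versionInfo": "2.0",
         "licenseConcluded": "NOASSERTION",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "11" * 20}]},
        {"SPDXID": "SPDXRef-c", "name": "c", "versionInfo": "3.0",
         "licenseDeclared": "Apache-2.0",
         "externalRefs": [{"referenceCategory": "SECURITY",
                           "referenceType": "cpe23Type",
                           "referenceLocator":
                               "cpe:2.3:a:c:c:3.0:*:*:*:*:*:*:*"}]},
    ],
    "files": [],
})

# The scorecard JSON output exactly as shown in the issue above.
SCORECARD_JSON = {
    "Compliance": {"Ratio": 1, "Reasoning": "", "MaxPoints": 25},
    "PackageIdentification": {"Ratio": 0, "MaxPoints": 20,
                              "Reasoning": "0% have purls and 0% have CPEs"},
    "PackageVersions": {"Ratio": 1, "Reasoning": "", "MaxPoints": 20},
    "PackageLicenses": {"Ratio": 0.96, "Reasoning": "", "MaxPoints": 20},
    "CreationInfo": {"Ratio": 0.2, "MaxPoints": 15,
                     "Reasoning": "The tool used to create the sbom does not have a version"},
    "Total": {"Ratio": 0.672, "Reasoning": "", "MaxPoints": 100},
}

NO_LICENSE = {"", "NOASSERTION", "NONE"}


def pct(n, total):
    """Whole-number percentage; 0 when there is nothing to count."""
    return round(100 * n / total) if total else 0


def has_license(pkg):
    """A package has a license if either concluded or declared is a real value."""
    return any(pkg.get(k, "") not in NO_LICENSE
               for k in ("licenseConcluded", "licenseDeclared"))


def has_ref(pkg, ref_type):
    """True if the package carries an externalRef of the given referenceType."""
    return any(r.get("referenceType") == ref_type
               for r in pkg.get("externalRefs", []))


def tool_has_version(creators):
    """Assumption: creators follow 'Tool: <name>-<version>'; the version is the
    text after the last '-' and must contain a digit (heuristic)."""
    for c in creators:
        if c.startswith("Tool:"):
            parts = c.rsplit("-", 1)
            if len(parts) == 2 and any(ch.isdigit() for ch in parts[1]):
                return True
    return False


def summarize(spdx_text):
    """Build the same summary the txt output prints (key names are my own)."""
    doc = json.loads(spdx_text)
    pkgs = doc.get("packages", [])
    files = doc.get("files", [])
    n = len(pkgs)
    creators = doc.get("creationInfo", {}).get("creators", [])
    return {
        "total_packages": n,
        "total_files": len(files),
        "pct_licenses": pct(sum(has_license(p) for p in pkgs), n),
        "pct_package_digest": pct(sum(bool(p.get("checksums")) for p in pkgs), n),
        "pct_package_versions": pct(sum(bool(p.get("versionInfo")) for p in pkgs), n),
        "pct_purls": pct(sum(has_ref(p, "purl") for p in pkgs), n),
        "pct_cpes": pct(sum(has_ref(p, "cpe23Type") or has_ref(p, "cpe22Type")
                            for p in pkgs), n),
        "pct_file_digest": pct(sum(bool(f.get("checksums")) for f in files), len(files)),
        "creation_tool_has_version": tool_has_version(creators),
    }


def missing_from_json(summary, scorecard_json):
    """Summary fields that appear nowhere in the scorecard JSON (neither as a
    top-level section nor as a key inside any section)."""
    present = set(scorecard_json)
    for section in scorecard_json.values():
        if isinstance(section, dict):
            present |= set(section)
    return sorted(k for k in summary if k not in present)


if __name__ == "__main__":
    summary = summarize(SAMPLE_SPDX)
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("missing from JSON output:", missing_from_json(summary, SCORECARD_JSON))
```

Run against the constructed document it reports 67% licenses, 67% package digests, 33% purls, 33% CPEs and a creating tool without a version, and every one of those summary fields comes back as missing from the JSON output, which is the gap this issue describes.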