Invalid SPDX generated with the release

[surendrapathak]

Describe the bug

While applying quality checks on SBOMs , I found flagger's released spdx fails to adhere to SPDX2.3 spec. It requires File attribute to have at least one SHA1 that syft fails to generate.

Following issue has been filed at syft : https://github.com/anchore/syft/issues/1616. This is an FYI for flagger.

To Reproduce

N/A

Expected behavior

A valid SPDX.

Additional context

• Flagger version:
• Kubernetes version:
• Service Mesh provider:
• Ingress provider:

[stefanprodan]

This also affects https://github.com/fluxcd/flux2

Thanks for the report @surendrapathak

[surendrapathak]

I noticed this repeated at -

• https://github.com/fluxcd/helm-controller/
• https://github.com/fluxcd/image-automation-controller/
• https://github.com/fluxcd/image-reflector-controller/
• https://github.com/fluxcd/source-controller/
• https://github.com/fluxcd/notification-controller/
• https://github.com/fluxcd/flux2/
• https://github.com/fluxcd/flagger/

All with the same root issue of checksums. So, one sweep at syft fixes all of them. At Interlynk, we monitor similar issues here - https://github.com/interlynk-io/sbomqs/discussions/39 to help improve the ecosystem.