Open surendrapathak opened 1 year ago
This also affects https://github.com/fluxcd/flux2
Thanks for the report @surendrapathak
I noticed this repeated at -
All with the same root issue of checksums. So, one sweep at syft fixes all of them. At Interlynk, we monitor similar issues here - https://github.com/interlynk-io/sbomqs/discussions/39 to help improve the ecosystem.
Describe the bug
While applying quality checks on SBOMs, I found that flagger's released SPDX fails to adhere to the SPDX 2.3 spec. It requires the File attribute to have at least one SHA1, which syft fails to generate.
The following issue has been filed at syft: https://github.com/anchore/syft/issues/1616. This is an FYI for flagger.
To Reproduce
N/A
Expected behavior
A valid SPDX.
Additional context
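
A check of the kind described in this report, as an added example that is not part of the original issue and is not code from syft, flagger or sbomqs: it lists the file entries in an SPDX 2.3 JSON document that carry no well-formed SHA1 checksum. The sample document and the function name `files_missing_sha1` are constructed for illustration.

```python
import json
import re
import sys

SHA1_HEX = re.compile(r"[0-9a-fA-F]{40}")

# Constructed sample in the SPDX 2.3 JSON layout (not from a real release).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "files": [
        {"SPDXID": "SPDXRef-File-ok", "fileName": "/bin/app", "checksums": [
            {"algorithm": "SHA1",
             "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
        {"SPDXID": "SPDXRef-File-sha256-only", "fileName": "/lib/a.so", "checksums": [
            {"algorithm": "SHA256", "checksumValue":
             "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
        {"SPDXID": "SPDXRef-File-no-checksums", "fileName": "/etc/app.conf"},
        {"SPDXID": "SPDXRef-File-bad-sha1", "fileName": "/etc/passwd", "checksums": [
            {"algorithm": "SHA1", "checksumValue": "da39a3"}]},
    ],
}


def files_missing_sha1(doc):
    """Return (SPDXID, fileName, reason) for every file entry without a usable SHA1."""
    findings = []
    for entry in doc.get("files") or []:
        sha1_values = [
            str(c.get("checksumValue", ""))
            for c in entry.get("checksums") or []
            if isinstance(c, dict) and str(c.get("algorithm", "")).upper() == "SHA1"
        ]
        if not sha1_values:
            reason = "no SHA1 checksum"
        elif not any(SHA1_HEX.fullmatch(v) for v in sha1_values):
            reason = "SHA1 value is not 40 hex characters"
        else:
            continue
        findings.append((entry.get("SPDXID"), entry.get("fileName"), reason))
    return findings


if __name__ == "__main__":
    # Pass a path to an SPDX JSON file, or run with no arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_SBOM
    problems = files_missing_sha1(doc)
    for spdx_id, name, reason in problems:
        print(f"{spdx_id}\t{name}\t{reason}")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any file entry fails the check, so it can gate a release step that publishes the SBOM.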