Closed surendrapathak closed 1 year ago
What happened:
While applying quality checks on SBOMs, I found bom failing to adhere to the strict 2.2 spec for JSON format.

bom generate --format json -i busybox > bom.spdx.json

results in the attached file with the invalid field:

"packageVerificationCode": { "packageVerificationCodeValue": "" }

However, this is a required field with a non-empty value when filesAnalyzed is true, and for the attached SBOM the field should be skipped (filesAnalyzed: false).
https://spdx.github.io/spdx-spec/v2.2.2/package-information/#79-package-verification-code-field

This causes other tools that rely on strict checks (such as [https://github.com/spdx/tools-python/blob/72780a48d830b29c5d8c85c27e9ddbf39c22b6f6/spdx/utils.py#L37-L39](https://github.com/spdx/tools-python/blob/f934ae27cc76c20f8e701bf2503e3ea521a9bb88/spdx/parsers/jsonyamlxml.py#L1295)) to barf.

What you expected to happen:
packageVerificationCode with valid values or omitted

How to reproduce it (as minimally and precisely as possible):
bom generate --format json -i busybox > bom.spdx.json

Anything else we need to know?:

Environment:
- cat /etc/os-release:
- uname -a:
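A quality check for the rule this issue describes, added here as an example (it is not bom's code nor the reporter's): it walks the packages of an SPDX 2.2 JSON document and flags a packageVerificationCode that is present when filesAnalyzed is false, absent when it is true, or not a 40-character hex SHA-1. The sample document is constructed to mirror the shape reported above.

```python
import json
import re

# SPDX 2.2: packageVerificationCodeValue is a SHA-1 hex digest (40 hex chars).
_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def check_verification_codes(doc):
    """Return (SPDXID, problem) tuples for packages violating the SPDX 2.2 rule:
    packageVerificationCode is mandatory and non-empty when filesAnalyzed is
    true (the spec default) and must be omitted when filesAnalyzed is false."""
    problems = []
    for pkg in doc.get("packages", []):
        spdx_id = pkg.get("SPDXID", "<no SPDXID>")
        files_analyzed = pkg.get("filesAnalyzed", True)  # spec default is true
        pvc = pkg.get("packageVerificationCode")
        if not files_analyzed:
            if pvc is not None:
                problems.append((spdx_id, "packageVerificationCode present although filesAnalyzed is false"))
            continue
        if pvc is None:
            problems.append((spdx_id, "packageVerificationCode missing although filesAnalyzed is true"))
            continue
        value = pvc.get("packageVerificationCodeValue", "")
        if not _SHA1_HEX.match(value):
            problems.append((spdx_id, "packageVerificationCodeValue %r is not a 40-char hex SHA-1" % value))
    return problems


def check_sbom_json(text):
    """Parse an SPDX JSON document given as a string and run the check on it."""
    return check_verification_codes(json.loads(text))


# Constructed sample (not real bom output): one package shows the reported bug,
# the other two show the two compliant shapes.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "packages": [
        {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox", "filesAnalyzed": False,
         "packageVerificationCode": {"packageVerificationCodeValue": ""}},  # the bug
        {"SPDXID": "SPDXRef-Package-ok", "name": "ok", "filesAnalyzed": True,
         "packageVerificationCode": {"packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758"}},
        {"SPDXID": "SPDXRef-Package-omitted", "name": "omitted", "filesAnalyzed": False},
    ],
}

if __name__ == "__main__":
    for spdx_id, problem in check_sbom_json(json.dumps(SAMPLE_SBOM)):
        print(spdx_id + ": " + problem)
```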