sonatype-nexus-community / jake

Check your Python environments for vulnerable Open Source packages with OSS Index or Sonatype Nexus Lifecycle.
https://jake.readthedocs.io/
Apache License 2.0

invalid version in Jake generated BOM #43

Closed hboutemy closed 3 years ago

hboutemy commented 4 years ago

Describe the bug

When using jake bom, versions in the generated bom end in ?extension=tar.gz

To Reproduce

$ jake sbom | xmllint --format -
<?xml version="1.0"?>
<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0?extension=tar.gz</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
...

Expected behavior

Just the version in the version tag; it is yet to be defined whether the bom-ref attribute should have the extension parameter or not.

$ jake sbom | xmllint --format -
<?xml version="1.0"?>
<bom xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
...
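To catch this defect in a generated BOM before it is fed to a vulnerability matcher, the added example below (not jake's own code) splits each component's purl according to the package-URL grammar and flags any <version> element that does not equal the purl's version part; the sample BOM is constructed from the output above.

```python
"""Added example: check CycloneDX <version> elements against their purl."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

BOM_NS = "http://cyclonedx.org/schema/bom/1.1"

# Constructed sample reproducing the buggy output quoted in the issue.
BUGGY_BOM = """<?xml version="1.0"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
  <components>
    <component type="library" bom-ref="pkg:pypi/yaspin@0.16.0?extension=tar.gz">
      <name>yaspin</name>
      <version>0.16.0?extension=tar.gz</version>
      <purl>pkg:pypi/yaspin@0.16.0?extension=tar.gz</purl>
    </component>
  </components>
</bom>"""


def split_purl(purl: str) -> dict:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into parts.
    urlsplit keeps the '?' qualifiers and '#' subpath out of the path, so
    the version can never carry 'extension=tar.gz' along with it."""
    parts = urlsplit(purl)
    if parts.scheme != "pkg":
        raise ValueError(f"not a purl: {purl!r}")
    head, sep, tail = parts.path.rpartition("@")  # version is optional
    path, version = (head, tail) if sep else (parts.path, None)
    ptype, _, rest = path.partition("/")
    return {
        "type": ptype,
        "name": rest.rsplit("/", 1)[-1],  # drop any namespace segments
        "version": version,
        "qualifiers": dict(parse_qsl(parts.query)),
    }


def check_bom(xml_text: str) -> list:
    """Return one finding per component whose <version> disagrees with its purl."""
    findings = []
    for comp in ET.fromstring(xml_text).iter(f"{{{BOM_NS}}}component"):
        version = comp.findtext(f"{{{BOM_NS}}}version")
        purl = comp.findtext(f"{{{BOM_NS}}}purl")
        expected = split_purl(purl)["version"] if purl else None
        if expected is not None and version != expected:
            findings.append({"name": comp.findtext(f"{{{BOM_NS}}}name"),
                             "version": version, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in check_bom(BUGGY_BOM):
        print(f"{f['name']}: version {f['version']!r} should be {f['expected']!r}")
```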