sw360 / capycli

CaPyCLI - Python scripts for software license compliance automation with SW360

"project createBom" doesn't handle multiple purls #36

Closed gernot-h closed 1 year ago

gernot-h commented 1 year ago

After fixing #26 in main, we still lack correct handling of multiple purls. CaPyCli silently takes the JSON-encoded string containing the array, so we get such a BOM:

    {
      "type": "library",
      "bom-ref": "[\"pkg:deb/debian/libacl1@2.2.52-3\",\"pkg:deb/debian/acl@2.2.52-3?arch=source\"]",
      "name": "acl",
      "version": "2.2.52-3.debian",
      "purl": "[\"pkg:deb/debian/libacl1@2.2.52-3\",\"pkg:deb/debian/acl@2.2.52-3?arch=source\"]",

I also think there's no perfect solution as CycloneDX allows only one purl per component, but we should at least warn the user and probably make it easy for him to select the right purl, e.g. by adding them separated by space?
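One way to handle the case described above, written here as an added example rather than code from CaPyCLI or the linked pull request: split an SW360 purl attribute that arrives as a JSON-encoded array (or, as an assumed convention, as a space-separated list) into individual purls, warn when more than one is present, and let the caller pick one by substring before falling back to the first. The `preferred` argument, the `looks_like_purl` sanity check and the function names are all assumptions for illustration; the sample value is the array from the issue.

```python
import json
import logging
from typing import Any, Dict, List, Optional

log = logging.getLogger(__name__)


def looks_like_purl(value: str) -> bool:
    """Cheap sanity check: a purl starts with the 'pkg:' scheme and names a type/name path.
    The JSON-encoded array from the issue fails this check, which is how the bad BOM
    entry would have been caught."""
    return value.startswith("pkg:") and "/" in value[4:]


def split_purls(raw: str) -> List[str]:
    """Return the individual purls encoded in one SW360 purl attribute value.

    Handles three shapes:
      * a single purl                     -> [purl]
      * a JSON-encoded array of purls     -> the array (the case from the issue)
      * a whitespace-separated list       -> split on whitespace (assumed convention;
                                             purls never contain literal spaces, so
                                             this cannot split a single purl apart)
    """
    text = raw.strip()
    if text.startswith("["):
        try:
            parsed = json.loads(text)
        except json.JSONDecodeError:
            parsed = None
        if isinstance(parsed, list) and all(isinstance(p, str) for p in parsed):
            return [p.strip() for p in parsed if p.strip()]
    return [p for p in text.split() if p]


def choose_purl(purls: List[str], preferred: Optional[str] = None) -> Optional[str]:
    """Pick one purl for the CycloneDX component, which allows only a single purl.

    If `preferred` (a substring such as 'arch=source' or 'libacl1') matches exactly
    one candidate, that one wins; otherwise the first purl is used and a warning
    lists every alternative so the user can override the choice.
    """
    if not purls:
        return None
    if len(purls) == 1:
        return purls[0]
    if preferred is not None:
        matches = [p for p in purls if preferred in p]
        if len(matches) == 1:
            return matches[0]
    log.warning("release has %d purls, using %r; alternatives: %s",
                len(purls), purls[0], ", ".join(purls[1:]))
    return purls[0]


def make_component(name: str, version: str, raw_purl: str,
                   preferred: Optional[str] = None) -> Dict[str, Any]:
    """Build a CycloneDX component dict from SW360 release data (hypothetical helper).
    The purl is only set when it passes the sanity check, so a JSON array string is
    never written verbatim into 'purl' or 'bom-ref'."""
    component: Dict[str, Any] = {"type": "library", "name": name, "version": version}
    chosen = choose_purl(split_purls(raw_purl), preferred)
    if chosen is None:
        return component
    if not looks_like_purl(chosen):
        log.warning("ignoring malformed purl %r for %s %s", chosen, name, version)
        return component
    component["purl"] = chosen
    component["bom-ref"] = chosen
    return component


# Constructed sample: the attribute value shown in the issue.
SAMPLE_PURL_ARRAY = (
    '["pkg:deb/debian/libacl1@2.2.52-3",'
    '"pkg:deb/debian/acl@2.2.52-3?arch=source"]'
)

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(json.dumps(make_component("acl", "2.2.52-3.debian", SAMPLE_PURL_ARRAY), indent=2))
    print(json.dumps(make_component("acl", "2.2.52-3.debian", SAMPLE_PURL_ARRAY,
                                    preferred="arch=source"), indent=2))
```

Running the script without `preferred` prints a component whose `purl` and `bom-ref` are the first binary purl plus a warning naming the source purl as an alternative; passing `preferred="arch=source"` selects the source package instead.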

gernot-h commented 1 year ago

Added a possible implementation in #37.