tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

spdxtagvalue report is missing a "document DESCRIBES container" relationship #1079

Closed rnjudge closed 3 years ago

rnjudge commented 3 years ago

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

  1. Generate an SPDX tag value report
  2. Search for "DESCRIBES" anywhere in the resulting document and notice that it does not exist.

Error in terminal

According to the SPDX Spec, SPDX requires at least one relationship and that relationship is SBOM to artifact, implemented by using the "DESCRIBES" relationship when more than one package or set of files is present:

An SPDX document WildFly.spdx describes package ‘WildFly’. Note this is a logical relationship to help organize related items within an SPDX document that is mandatory if more than one package or set of files (not in a package) is present.

Expected behavior

There should be a "DESCRIBES" relationship between the SPDXRef-DOCUMENT and the SPDXRef-ContainerImage in the tag value document. The SPDX JSON document contains this relationship.
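A small consumer-side check for the condition this issue describes, added here as an example and not part of Tern's code: it parses the `Relationship:` lines of an SPDX tag-value document and reports whether `SPDXRef-DOCUMENT` DESCRIBES anything. The two sample documents are constructed for the example (the `SPDXRef-layer1` identifier is made up; `SPDXRef-DOCUMENT` and `SPDXRef-ContainerImage` are the names from the report above).

```python
import re
from typing import List, Tuple

# Tag-value relationship lines have the form "Relationship: <elementA> <TYPE> <elementB>".
RELATIONSHIP_RE = re.compile(r"^Relationship:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_relationships(tagvalue: str) -> List[Tuple[str, str, str]]:
    """Return (subject, type, object) triples found in an SPDX tag-value document."""
    rels = []
    for line in tagvalue.splitlines():
        m = RELATIONSHIP_RE.match(line.strip())
        if m:
            rels.append((m.group(1), m.group(2), m.group(3)))
    return rels


def describes_targets(tagvalue: str, doc_id: str = "SPDXRef-DOCUMENT") -> List[str]:
    """Elements that the document element DESCRIBES; an empty list is the bug reported above."""
    return [obj for subj, typ, obj in parse_relationships(tagvalue)
            if subj == doc_id and typ == "DESCRIBES"]


def describes_required(tagvalue: str) -> bool:
    """Per the quoted spec text, DESCRIBES is mandatory when more than one package is present.
    Files outside any package would also count; this check only counts PackageName tags."""
    packages = sum(1 for line in tagvalue.splitlines() if line.startswith("PackageName:"))
    return packages > 1


def missing_describes(tagvalue: str) -> bool:
    """True when the document needs a DESCRIBES relationship but has none."""
    return describes_required(tagvalue) and not describes_targets(tagvalue)


# Constructed sample: the shape of a tag-value report with the DESCRIBES relationship absent.
MISSING = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-image
PackageName: example-image
SPDXID: SPDXRef-ContainerImage
PackageName: layer1
SPDXID: SPDXRef-layer1
Relationship: SPDXRef-ContainerImage CONTAINS SPDXRef-layer1
"""

# Constructed sample: the same document with the expected relationship added.
FIXED = MISSING + "Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-ContainerImage\n"
```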