tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Add purl information to SPDX #1209

Closed ivanayov closed 1 year ago

ivanayov commented 1 year ago

This change adds purl data to all packages listed.

Addresses #1206

Signed-off-by: Ivana Atanasova iyovcheva@vmware.com

ivanayov commented 1 year ago

Testing the failure of tern report -f spdxjson -i photon:3.0 -o spdx.json locally, the -o flag doesn't generate any output. Same when building from the main branch. Seems like this fails in the CI as well.

Looks like it's not related to the PR changes, but probably a bug.

rnjudge commented 1 year ago

Finally getting around to testing this... The CI issue is related to SPDX document validation:

subprocess.CalledProcessError: Command 'tern report -f spdxjson -i photon:3.0 -o spdx.json && java -jar tools-java/target/tools-java-*-jar-with-dependencies.jar Verify spdx.json' returned non-zero exit status 1.

This error means that the SPDX JSON resulting from these changes is not validating properly with the changes.
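As an added example, not part of this PR and not Tern's own code, the following shows the two things discussed in this thread: attaching a purl to each package of an SPDX JSON document (an externalRefs entry with category PACKAGE-MANAGER and type purl, following the SPDX 2.2 JSON examples) and running a cheap structural check over those entries locally before handing the file to the heavier tools-java Verify step. The package names, versions and document namespace are constructed placeholders, and the purl builder is a minimal one written for this example rather than a full implementation of the purl spec.

```python
"""Added example (not Tern's code): add purl externalRefs to SPDX JSON
packages and sanity-check them offline before running the SPDX validator."""
import json
from urllib.parse import quote


def make_purl(pkg_type, name, version=None, namespace=None, qualifiers=None):
    """Build a package URL of the form pkg:type/namespace/name@version?k=v.

    Minimal builder for this example: each component is percent-encoded
    conservatively (everything except unreserved characters) and qualifiers
    are emitted in sorted key order, as the purl spec requires.
    """
    purl = "pkg:" + pkg_type
    if namespace:
        purl += "/" + quote(namespace, safe="")
    purl += "/" + quote(name, safe="")
    if version:
        purl += "@" + quote(version, safe="")
    if qualifiers:
        purl += "?" + "&".join(
            f"{k}={quote(str(v), safe='')}" for k, v in sorted(qualifiers.items())
        )
    return purl


def add_purl_ref(package, purl):
    """Append a purl externalRefs entry to an SPDX JSON package dict (in place).

    Field names and the PACKAGE-MANAGER category follow the SPDX 2.2 JSON
    examples; this is the shape a validator expects for a purl reference.
    """
    ref = {
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceType": "purl",
        "referenceLocator": purl,
    }
    package.setdefault("externalRefs", []).append(ref)
    return package


def check_purl_refs(doc):
    """Return a list of problems found in purl externalRefs (empty means clean).

    Structural checks only (category, locator shape). This catches the
    easy mistakes early; it is not a replacement for the full SPDX
    tools-java Verify run used in CI.
    """
    problems = []
    for pkg in doc.get("packages", []):
        spdxid = pkg.get("SPDXID", "<no SPDXID>")
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") != "purl":
                continue
            if ref.get("referenceCategory") != "PACKAGE-MANAGER":
                problems.append(f"{spdxid}: purl ref must use category PACKAGE-MANAGER")
            loc = ref.get("referenceLocator", "")
            if not loc.startswith("pkg:") or "/" not in loc[4:]:
                problems.append(f"{spdxid}: malformed purl locator {loc!r}")
    return problems


def build_sample_document():
    """Construct a minimal SPDX 2.2 JSON document with purl references.

    Constructed sample data (two Debian packages, placeholder namespace);
    this is not output from Tern.
    """
    doc = {
        "spdxVersion": "SPDX-2.2",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-image-sbom",
        "documentNamespace": "https://example.invalid/spdx/example-image-sbom",
        "packages": [
            {"name": "curl", "SPDXID": "SPDXRef-curl",
             "versionInfo": "7.50.3-1", "downloadLocation": "NOASSERTION"},
            {"name": "libssl1.1", "SPDXID": "SPDXRef-libssl1.1",
             "versionInfo": "1.1.1n-0+deb11u5", "downloadLocation": "NOASSERTION"},
        ],
    }
    for pkg in doc["packages"]:
        purl = make_purl("deb", pkg["name"], pkg["versionInfo"],
                         namespace="debian", qualifiers={"arch": "amd64"})
        add_purl_ref(pkg, purl)
    return doc


if __name__ == "__main__":
    sample = build_sample_document()
    print(json.dumps(sample, indent=2))
    print("problems:", check_purl_refs(sample))
```

Running the module prints the document and an empty problem list; feeding a document whose purl entry uses another category or a locator that does not start with pkg: produces one message per defect, which is a quicker first signal than the CI's non-zero exit status.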

ivanayov commented 1 year ago

Closing as it's addressed in a follow-up.