tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

golang package names create invalid SPDXRefs #1220

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

Describe the bug

go package names have slashes in them: github.com/PuerkitoBio/purell. Since Tern uses the package name and version to create a SPDXID SPDXRef for packages, a go ref looks something like this: SPDXRef-github.com/PuerkitoBio/purell-v1.1.1. This does not validate with SPDX, however, and gives the error:

Package at line 724 invalid: Invalid SPDX ID: SPDXRef-github.com/PuerkitoBio/purell-v1.1.1. Must match the pattern SPDXRef-([0-9a-zA-Z\.\-\+]+)$ in github.com/PuerkitoBio/purell in github.com/PuerkitoBio/purell

For golang packages, need to remove slashes from SPDXRefs.
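One way to build SPDXRefs that satisfy the pattern from the validation error above, as an added example that is not Tern's own code: every character outside the allowed set is replaced, and a second pass keeps the IDs unique within a document, since plain replacement lets two different Go module paths collapse into the same ref. The helper names and the sample package list are assumptions for illustration.

```python
import hashlib
import re

# Allowed SPDXRef shape, exactly as quoted in the validation error above.
SPDX_ID_PATTERN = re.compile(r"^SPDXRef-([0-9a-zA-Z\.\-\+]+)$")


def is_valid_spdx_ref(ref: str) -> bool:
    """True if ref satisfies the SPDX identifier pattern."""
    return SPDX_ID_PATTERN.match(ref) is not None


def sanitize_spdx_ref(name: str, version: str) -> str:
    """Hypothetical replacement for the name+version join: every character
    outside [0-9a-zA-Z.+-] (slashes in Go module paths, '@' or ':' in
    other ecosystems) becomes '-'."""
    raw = f"{name}-{version}"
    return "SPDXRef-" + re.sub(r"[^0-9a-zA-Z.+-]", "-", raw)


def assign_spdx_refs(packages):
    """Assign a document-unique SPDXRef to each (name, version) pair.

    Sanitizing alone can collide: 'a/b' and 'a-b' both map to 'a-b'.
    On a collision the later package gets a short, deterministic suffix
    derived from its original name, so the ID is stable across runs.
    Returns {(name, version): spdx_ref}."""
    assigned = {}
    taken = set()
    for name, version in packages:
        key = (name, version)
        if key in assigned:  # same package seen in another layer
            continue
        ref = sanitize_spdx_ref(name, version)
        if ref in taken:
            digest = hashlib.sha256(f"{name}-{version}".encode()).hexdigest()[:8]
            ref = f"{ref}-{digest}"
        assert is_valid_spdx_ref(ref), ref
        taken.add(ref)
        assigned[key] = ref
    return assigned


if __name__ == "__main__":
    # Constructed sample input: the Go package from the issue plus a
    # name that collides with it after sanitizing.
    sample = [
        ("github.com/PuerkitoBio/purell", "v1.1.1"),
        ("github.com-PuerkitoBio-purell", "v1.1.1"),
    ]
    for key, ref in assign_spdx_refs(sample).items():
        print(key, "->", ref)
```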