tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

[SPDX][JSON] SBOM value format is incorrect for licenseDeclared #1224

Closed surendrapathak closed 1 year ago

surendrapathak commented 1 year ago

Summary

SPDX value format is missing or incorrect for licenseDeclared on line number 1274 in the linked SBOM.

"licenseDeclared": "LGPL-2.0+, GPL-2.0+, LGPL-2.1+",

Background

  1. Download tern version 2.11.0
  2. Generate an SBOM with docker run ternd report -f spdxjson -i ubuntu:latest > output.json for the ubuntu:latest tag
  3. Observe the following error:

SPDX value format is missing or incorrect for licenseDeclared

Expected behavior

licenseDeclared should be a valid SPDX string. Rule: The exact syntax of license expressions is described below in ABNF.

Error: licenseDeclared contains ','

Screenshots

If applicable, add screenshots to help explain the problem.

Repository

Which repository causes this error?

Additional Context

Optional - add any other context about the problem here.

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

  1. Unit Tests added and running in CI
  2. Functional Tests updated to cover feature, if applicable
  3. Demonstrate the set of capabilities to the product team

References

output_fixed.json.txt

Limited to SPDX. Finder: sbomqs SBOM: sbomlc-ubuntu-latest
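The check the reporter's tool applied can be reproduced with a small validator for the SPDX license-expression ABNF (idstrings with an optional "+", AND/OR/WITH, parentheses, plus the NONE/NOASSERTION values the field allows). This is an added example written for this page, not Tern's or sbomqs's code; the package names and the document layout in SAMPLE_SPDX are constructed, and only the first licenseDeclared value is the one quoted in the report.

```python
import re
OPERATORS = ("AND", "OR", "WITH")
# Tokens: "(", ")", or an idstring of ALPHA/DIGIT/"-"/"." (":" kept so DocumentRef-x:LicenseRef-y
# stays one token) with an optional trailing "+". A "," can never be a token.
_TOKEN = re.compile(r"\(|\)|[A-Za-z0-9.\-:]+\+?")
def parse_license_expression(value):
    """Raise ValueError unless value is a well-formed SPDX license expression:
    expr := term (("AND"|"OR") term)*;  term := "(" expr ")" | id ["WITH" exception-id]."""
    tokens = _TOKEN.findall(value)
    if "".join(tokens) != "".join(value.split()):  # leftover characters such as ","
        raise ValueError("illegal character in %r" % value)
    pos = [0]
    peek = lambda: tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        tok = peek(); pos[0] += 1; return tok
    def term():
        tok = take()
        if tok == "(":
            expr()
            if take() != ")": raise ValueError("unbalanced parenthesis")
        elif tok is None or tok == ")" or tok in OPERATORS:
            raise ValueError("expected a license id, got %r" % tok)
        elif peek() == "WITH":
            take()
            exc = take()
            if exc is None or exc in ("(", ")") or exc in OPERATORS or exc.endswith("+"):
                raise ValueError("invalid exception id after WITH: %r" % exc)
    def expr():
        term()
        while peek() in ("AND", "OR"):
            take()
            term()
    expr()
    if peek() is not None:
        raise ValueError("trailing token %r" % peek())
def is_valid_license_expression(value):
    if value in ("NONE", "NOASSERTION"):  # the two non-expression values SPDX allows here
        return True
    try:
        parse_license_expression(value); return True
    except ValueError:
        return False
def find_bad_license_fields(spdx_doc):
    # (package name, field, value) for every malformed licenseDeclared / licenseConcluded
    return [(pkg["name"], field, pkg[field])
            for pkg in spdx_doc.get("packages", [])
            for field in ("licenseDeclared", "licenseConcluded")
            if field in pkg and not is_valid_license_expression(pkg[field])]
SAMPLE_SPDX = {"packages": [  # constructed sample; pkg-a carries the value quoted in the report
    {"name": "pkg-a", "licenseDeclared": "LGPL-2.0+, GPL-2.0+, LGPL-2.1+"},
    {"name": "pkg-b", "licenseDeclared": "(GPL-2.0-only WITH Classpath-exception-2.0) OR MIT"}]}
```

Running find_bad_license_fields over a Tern-generated SPDX JSON document reports every package whose value would fail the same rule before the SBOM is passed downstream.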

rnjudge commented 1 year ago

This is a duplicate of https://github.com/tern-tools/tern/issues/1223.