
SPDX Tag-Value conversion not handling files directly set on packages #2013

Closed
kzantow opened this issue Aug 10, 2023 · 0 comments · Fixed by #2014
Assignees
Labels
bug Something isn't working

Comments

@kzantow
Contributor

kzantow commented Aug 10, 2023

What happened:
When parsing SPDX tag-value, Syft does not read files if they are directly set on packages.

What you expected to happen:
Syft reads files from all the locations where SPDX tools-golang places them in the model.

Steps to reproduce the issue:
Convert this SPDX document to another format:

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: Some-SBOM
DocumentNamespace: https://example.org/some/namespace
Creator: Organization: Some-organization
Creator: Tool: Some-tool Version: 1.0
Created: 2021-12-29T17:02:21Z
PackageName: Some-package
PackageVersion: 5.1.2
SPDXID: SPDXRef-Package-43c51b08-cc7e-406d-8ad9-34aa292d1157
PackageSupplier: Organization: Some-organization
PackageDownloadLocation: https://example.org/download/location
FilesAnalyzed: true
PackageLicenseInfoFromFiles: NOASSERTION
PackageVerificationCode: 23460C5559C8D4DE3F6504E0E84E844CAC8B1D95
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageChecksum: SHA1: 23460C5559C8D4DE3F6504E0E84E844CAC8B1D95
FileName: Some-file-name
SPDXID: SPDXRef-99545d55-933d-4e08-9eb5-9d826111cb79
FileContributor: Some-file-contributor
FileType: BINARY
FileChecksum: SHA1: 23460C5559C8D4DE3F6504E0E84E844CAC8B1D95
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NOASSERTION
FileCopyrightText: NOASSERTION

Environment:

  • Output of syft version:
    Application: syft
    Version: 0.86.1
    JsonSchemaVersion: 10.0.0
    BuildDate: 2023-07-31T17:29:18Z
    GitCommit: e2f7bef
    GitDescription: [not provided]
    Platform: darwin/amd64
    GoVersion: go1.20.6
    Compiler: gc
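As an added example (not code from Syft or tools-golang), here is a small Go tag-value reader that models the two places a parser can put files: on the document for files listed before any package, and on the package whose section they follow, which is my understanding of how tools-golang lays out its model. `allFiles` is the walk over both locations that a converter needs. The sample input is constructed from the issue's document, trimmed to the tags that decide file placement, with one unpackaged file added that is not in the issue; the `PackageID` field and the ordering assumption noted in the comments are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample: the issue's document trimmed to the tags that decide where a
// file lands, plus one unpackaged file (not from the issue) placed before the package.
const sampleTagValue = `SPDXID: SPDXRef-DOCUMENT
FileName: Some-unpackaged-file
SPDXID: SPDXRef-File-unpackaged-0001
PackageName: Some-package
SPDXID: SPDXRef-Package-43c51b08-cc7e-406d-8ad9-34aa292d1157
FileName: Some-file-name
SPDXID: SPDXRef-99545d55-933d-4e08-9eb5-9d826111cb79
FileChecksum: SHA1: 23460C5559C8D4DE3F6504E0E84E844CAC8B1D95
`

// File keeps the fields a converter must not lose.
type File struct {
	Name, SPDXID, PackageID string            // PackageID is "" for unpackaged files
	Checksums               map[string]string // algorithm -> hex digest
}

type Package struct {
	Name, SPDXID string
	Files        []*File // files whose sections follow this PackageName line
}

// Document has the two places files can land: on the document or on a package.
type Document struct {
	Files    []*File
	Packages []*Package
}

// parseTagValue is a deliberately small tag-value reader (not tools-golang).
func parseTagValue(src string) (*Document, error) {
	doc := &Document{}
	var curPkg *Package
	var curFile *File
	sc := bufio.NewScanner(strings.NewReader(src))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := strings.TrimSpace(sc.Text())
		tag, value, ok := strings.Cut(line, ":")
		if !ok && line != "" { // blank lines fall through the switch below
			return nil, fmt.Errorf("line %d: missing ':' separator", lineNo)
		}
		value = strings.TrimSpace(value)
		switch tag {
		case "PackageName": // new package section; files after it belong to it
			curPkg = &Package{Name: value}
			curFile = nil
			doc.Packages = append(doc.Packages, curPkg)
		case "FileName": // new file section; attach to the open package, if any
			curFile = &File{Name: value, Checksums: map[string]string{}}
			if curPkg != nil { // assumes the package SPDXID precedes its files, as in the issue
				curFile.PackageID = curPkg.SPDXID
				curPkg.Files = append(curPkg.Files, curFile)
			} else {
				doc.Files = append(doc.Files, curFile)
			}
		case "SPDXID": // belongs to whichever section is currently open
			if curFile != nil {
				curFile.SPDXID = value
			} else if curPkg != nil {
				curPkg.SPDXID = value
			}
		case "FileChecksum": // value is "ALGO: digest"
			algo, digest, ok := strings.Cut(value, ":")
			if curFile == nil || !ok {
				return nil, fmt.Errorf("line %d: bad FileChecksum %q", lineNo, line)
			}
			curFile.Checksums[strings.TrimSpace(algo)] = strings.TrimSpace(digest)
		}
	}
	return doc, sc.Err()
}

// allFiles walks both locations. Reading only doc.Files is the reported bug: every
// file attached to a package, with its checksums, is silently dropped.
func allFiles(doc *Document) []*File {
	out := append([]*File{}, doc.Files...)
	for _, p := range doc.Packages {
		out = append(out, p.Files...)
	}
	return out
}

func main() {
	doc, err := parseTagValue(sampleTagValue)
	if err != nil {
		panic(err)
	}
	for _, f := range allFiles(doc) {
		fmt.Printf("%s %s pkg=%q sha1=%s\n", f.SPDXID, f.Name, f.PackageID, f.Checksums["SHA1"])
	}
}
```

Reading only `doc.Files` reproduces the report: the packaged file and its SHA1 never reach the converted SBOM, so anyone using that output to verify artifacts loses the integrity data without any warning. Keeping the package SPDXID on each file is what lets the converter emit the CONTAINS relationship as well. `strings.Cut` needs Go 1.18 or later.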