
[BUG] SBOM generation for SPDX generates invalid format for licenses - Invalid type. Expected: string, given: object #6966

Closed · jamietanna opened this issue Nov 5, 2023 · 2 comments · Fixed by #6969
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 10.x

Comments

jamietanna (Contributor) commented Nov 5, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The generated SPDX SBOM cannot be parsed by tools, as it generates incorrectly structured JSON.

Expected Behavior

An SPDX v2.3 SBOM generated from a repository can be parsed correctly.

Steps To Reproduce

  1. Clone https://gitlab.com/tanna.dev/renovate-graph
  2. Run npm sbom --sbom-format spdx > spdx.json
  3. Run through an SPDX validator i.e. go run github.com/CycloneDX/sbom-utility@latest validate --input-file spdx.json

renovate-graph.spdx.json

Environment

  • npm: 10.2.3
  • Node.js: v18.17.1
  • OS Name: Linux
  • System Model Name:
  • npm config:
; "user" config from /home/jamie/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /usr/bin/node
; node version = v18.17.1
; npm local prefix = /home/jamie/workspaces/renovate-graph
; npm version = 10.2.3
; cwd = /home/jamie/workspaces/renovate-graph
; HOME = /home/jamie
; Run `npm config ls -l` to show all defaults.
jamietanna added the labels Bug, Needs Triage and Release 10.x on Nov 5, 2023
jamietanna changed the title from "[BUG] SBOM generation for SPDX generates invalid format - Invalid type. Expected: string, given: object" to "[BUG] SBOM generation for SPDX generates invalid format for licenses - Invalid type. Expected: string, given: object" on Nov 5, 2023
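The validator in step 3 of the report rejects the document because SPDX 2.3 requires the per-package licence fields to be strings. The following is an added example, not npm's code and not the sbom-utility validator; it reproduces only that one rule (licenseDeclared and licenseConcluded must be strings, where "NOASSERTION" and "NONE" are the permitted non-expression values) over a constructed SPDX document whose first package carries a licence object of the kind the issue describes. Field names, the sample document and the report wording are this example's own.

```javascript
// Added example: a minimal structural check for the licence fields of an
// SPDX 2.3 JSON document. It is not npm's implementation and not the
// sbom-utility validator; it checks the single rule this issue trips over.

const LICENSE_FIELDS = ['licenseConcluded', 'licenseDeclared'];

// Describe a non-string value the way a schema validator would name it.
function describeType(value) {
  if (value === null) return 'null';
  if (Array.isArray(value)) return 'array';
  return typeof value;
}

// Walk the package list and report every licence field that is present but
// not a string. Returns an array of { path, given, spdxid } findings; an
// empty array means the document passes this check.
function findInvalidLicenseFields(doc) {
  const findings = [];
  const packages = Array.isArray(doc.packages) ? doc.packages : [];
  packages.forEach((pkg, i) => {
    for (const field of LICENSE_FIELDS) {
      if (!(field in pkg)) continue;
      const value = pkg[field];
      if (typeof value !== 'string') {
        findings.push({
          path: `/packages/${i}/${field}`,
          given: describeType(value),
          spdxid: pkg.SPDXID,
        });
      }
    }
  });
  return findings;
}

// Render findings in the "Invalid type" wording used in the issue title.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.path}: Invalid type. Expected: string, given: ${f.given}`
  );
}

// Constructed sample document. The first package has the deprecated object
// form of package.json's "license" field copied through unchanged, which is
// the malformed shape reported here; the second is what SPDX expects.
const SAMPLE_SPDX = {
  spdxVersion: 'SPDX-2.3',
  dataLicense: 'CC0-1.0',
  SPDXID: 'SPDXRef-DOCUMENT',
  name: 'example-project@1.0.0',
  packages: [
    {
      name: 'legacy-dep',
      SPDXID: 'SPDXRef-Package-legacy-dep-0.1.0',
      versionInfo: '0.1.0',
      licenseDeclared: { type: 'MIT', url: 'https://example.invalid/LICENSE' },
      licenseConcluded: 'NOASSERTION',
    },
    {
      name: 'modern-dep',
      SPDXID: 'SPDXRef-Package-modern-dep-2.0.0',
      versionInfo: '2.0.0',
      licenseDeclared: 'Apache-2.0',
      licenseConcluded: 'NOASSERTION',
    },
  ],
};

// Running the check over the sample prints one line for the object-valued
// licenseDeclared of the first package and nothing for the second.
for (const line of formatFindings(findInvalidLicenseFields(SAMPLE_SPDX))) {
  console.log(line);
}
```

This is a type check only: a value such as "MIT AND" is a string and passes here while still being an invalid SPDX licence expression, so a full validator such as the one in the repro steps is still the tool to run before publishing an SBOM.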
jamietanna (Contributor, Author) commented:

Relevant JSON schema for the licenseDeclared property

jamietanna added a commit to jamietanna/cli-1 that referenced this issue Nov 6, 2023
As a step towards resolving npm#6966, we should document how SPDX SBOM
generation works with a single string license or license expression.
jamietanna added a commit to jamietanna/cli-1 that referenced this issue Nov 6, 2023
As a means to resolve npm#6966, we can tweak the way we handle licenses,
where receiving a license object, instead of license string, results in
a malformed SPDX JSON SBOM.

While working on this, it was noted that CycloneDX also needed to be
amended, as it was omitting any license objects.

Closes npm#6966.
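The schema comment above and this commit message describe the same root cause: package.json licence metadata can be a string, a deprecated `{ type, url }` object or a deprecated `licenses` array, and only the string form can be emitted as SPDX's `licenseDeclared`. The block below is an added example of folding those shapes into one string; it is not the code in the linked PR, and the mapping rules (object to its `type`, several entries joined with OR, anything unusable to "NOASSERTION") are this example's assumptions rather than the ones npm chose.

```javascript
// Added example (not npm's implementation): normalise the licence metadata a
// package manifest can carry into the single string that SPDX 2.3 requires
// for licenseDeclared. The mapping rules are this example's assumptions.

// Return an SPDX licence string for a manifest object, never an object.
function spdxLicenseDeclared(manifest) {
  const { license, licenses } = manifest;

  // Modern form: already a string. This is passed through unchanged, so
  // "UNLICENSED" or "SEE LICENSE IN <file>" stay as written even though they
  // are not SPDX expressions (see the note after the block).
  if (typeof license === 'string' && license.trim() !== '') {
    return license.trim();
  }

  // Deprecated object form: { type, url }. Only the type names a licence;
  // copying the whole object through is exactly the bug reported here.
  if (license && typeof license === 'object' && !Array.isArray(license)) {
    return typeof license.type === 'string' && license.type.trim() !== ''
      ? license.type.trim()
      : 'NOASSERTION';
  }

  // Deprecated array form ("licenses": [{ type, url }, ...]), plus an array
  // under "license" for manifests that used that spelling. Several entries
  // are treated as a choice and joined with OR (assumption of this example).
  const list = Array.isArray(licenses) ? licenses
    : Array.isArray(license) ? license
    : null;
  if (list) {
    const types = list
      .map((entry) => (typeof entry === 'string' ? entry : entry && entry.type))
      .filter((t) => typeof t === 'string' && t.trim() !== '')
      .map((t) => t.trim());
    if (types.length === 1) return types[0];
    if (types.length > 1) return `(${types.join(' OR ')})`;
  }

  // Nothing usable: SPDX's explicit "no assertion is made" token.
  return 'NOASSERTION';
}

// Constructed manifests, one per shape the function handles.
const MANIFESTS = {
  string: { name: 'a', version: '1.0.0', license: 'MIT' },
  object: {
    name: 'b',
    version: '1.0.0',
    license: { type: 'MIT', url: 'https://example.invalid/LICENSE' },
  },
  array: {
    name: 'c',
    version: '1.0.0',
    licenses: [{ type: 'MIT' }, { type: 'Apache-2.0' }],
  },
  missing: { name: 'd', version: '1.0.0' },
  emptyObject: { name: 'e', version: '1.0.0', license: {} },
};

// Show what each shape becomes; every value printed is a string.
for (const [shape, manifest] of Object.entries(MANIFESTS)) {
  console.log(`${shape.padEnd(12)} -> ${spdxLicenseDeclared(manifest)}`);
}
```

Two caveats apply on top of the type fix. First, a string such as "SEE LICENSE IN LICENSE.md" is well-typed but is not an SPDX licence expression; an SBOM that must validate fully needs it turned into a LicenseRef or NOASSERTION, which this example deliberately does not decide. Second, the commit message notes the mirror-image problem in CycloneDX output (licence objects dropped rather than copied), so the same normalisation should feed both formats, otherwise the two SBOMs disagree about the same dependency.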
jamietanna (Contributor, Author) commented:

I've raised #6969 which should resolve this 🤞
