
[SPDX][TV] SBOM value format is incorrect for PackageComment #284

Open
surendrapathak opened this issue Feb 28, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@surendrapathak

Summary

SPDX value format is missing or incorrect for PackageComment

PackageComment: NOASSERTION

Background

  1. Download sbom-spdx-generator version v0.0.50
  2. Clone repository https://github.com/interlynk-io/sbomqs
  3. Run ./sbom-spdx-generator -o /out/spdx
  4. Observe the following error:

SPDX value format is missing or incorrect for PackageComment

Expected behavior

PackageComment should be delimited by <text>..</text>

Screenshots

If applicable, add screenshots to help explain the problem.

Repository

Which repository causes this error?

Additional Context

Optional - add any other context about the problem here.

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

  1. Unit Tests added and running in CI
  2. Functional Tests updated to cover feature, if applicable
  3. Demonstrate the set of capabilities to the product team

References

Limited to SPDX.
Finder: sbomqs

@surendrapathak surendrapathak added the bug Something isn't working label Feb 28, 2023
@prakrit55

Hey @surendrapathak, how do I download the sbom-spdx-generator?

@surendrapathak
Author

@prakrit55

I couldn't figure out the file to be downloaded from https://spdx.github.io/spdx-spec/v2.2.2/package-information/#7201-description, or there is no file to be downloaded.

@surendrapathak
Author

My mistake, the actual instructions should be:

  1. Clone the repository from : https://github.com/interlynk-io/sbomqs
  2. cd sbomqs
  3. Download the platform specific sbom-spdx-generator from this link: https://github.com/opensbom-generator/spdx-sbom-generator#installation
  4. Run ./spdx-sbom-generator -o .
  5. Inspect generated sbom (also attached to the defect here: https://github.com/opensbom-generator/spdx-sbom-generator/files/10893104/bom-go-mod.spdx.txt)

@nishakm
Collaborator

nishakm commented Mar 6, 2023

@surendrapathak We don't check for SBOM quality. In the SPDX 2.2 spec, PackageComment is optional. However, this is a valid bug. If there are no comments then there should be no tag. @prakrit55 Are you interested in fixing this bug?

@prakrit55

Hey @nishakm I will be happy to get it fixed.

@nishakm
Collaborator

nishakm commented Mar 6, 2023

@prakrit55 Cool! At this time, the fastest fix is to not create a PackageComment line in either the tag-value or json format.
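The two points raised in this thread, the malformed `PackageComment: NOASSERTION` line from the report and the fix nishakm suggests (emit no PackageComment tag when there is no comment), can be checked mechanically. The following Go program is an added example written for this page; it is not code from spdx-sbom-generator or sbomqs. It embeds a constructed tag-value fragment shaped like the attached SBOM (not the attached file itself), scans it for PackageComment values that are not `<text>...</text>`-delimited, and shows a writer helper that only emits the tag when there is free text to wrap. Function names, the sample document and the package name in it are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleTagValue is a constructed SPDX 2.2 tag-value fragment that reproduces
// the shape reported in this issue (it is not the attached bom-go-mod.spdx.txt).
const sampleTagValue = `SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
PackageName: github.com/interlynk-io/sbomqs
SPDXID: SPDXRef-Package-sbomqs
PackageDownloadLocation: NOASSERTION
PackageComment: NOASSERTION
`

// checkPackageComments scans a tag-value document and returns one finding per
// PackageComment line whose value is not wrapped in <text>...</text>.
// A <text> block may span several lines, so the closing tag is searched for
// from the opening line onward; a missing closer is reported as well.
func checkPackageComments(doc string) []string {
	var findings []string
	lines := strings.Split(doc, "\n")
	for i, line := range lines {
		if !strings.HasPrefix(line, "PackageComment:") {
			continue
		}
		val := strings.TrimSpace(strings.TrimPrefix(line, "PackageComment:"))
		if !strings.HasPrefix(val, "<text>") {
			findings = append(findings, fmt.Sprintf(
				"line %d: PackageComment value %q is not <text>-delimited", i+1, val))
			continue
		}
		// Opening tag present: make sure the block is terminated somewhere below.
		rest := strings.Join(lines[i:], "\n")
		if !strings.Contains(rest, "</text>") {
			findings = append(findings, fmt.Sprintf(
				"line %d: PackageComment <text> block is never closed", i+1))
		}
	}
	return findings
}

// packageCommentLine is the writer-side fix discussed in the thread: when the
// package has no comment, no tag is written at all; otherwise the free text is
// wrapped in <text>...</text> as the tag-value format requires.
func packageCommentLine(comment string) string {
	if strings.TrimSpace(comment) == "" {
		return ""
	}
	return "PackageComment: <text>" + comment + "</text>\n"
}

func main() {
	for _, f := range checkPackageComments(sampleTagValue) {
		fmt.Println("FINDING:", f)
	}
	// The generator fix: nothing is emitted for an absent comment.
	fmt.Printf("empty comment -> %q\n", packageCommentLine(""))
	fmt.Print(packageCommentLine("constructed example comment"))
}
```

Running the program against the embedded sample reports the PackageComment line and prints nothing for the empty-comment case, which is exactly the behaviour the thread settles on: either a properly delimited text block or no tag.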
