SPDX JSON has external reference category of PACKAGE_MANAGER instead of PACKAGE-MANAGER #1236
Labels
bug
Something isn't working
Comments
|
Turns out this may be due to an inadvertent update in the JSON schema, see this. |
|
We'll keep an eye on where it goes on that issue and what they decide. Great find thanks for the issue @ddillard! Is this currently throwing any errors of compatibility on your end with this inadvertent update? |
|
No, this isn't causing me any issues the moment. I was just doing some testing and noticed the discrepancy. If the proposed fix is implemented no changes will be required in syft, though I do believe grype might need a minor update. |
|
Both are going to be supported so no issue for SBOM generation. |
Repository owner
moved this from Parking Lot (Comments or Progress)
to Done
in OSS
Oct 5, 2022
This was referenced Oct 17, 2022
This was referenced Oct 31, 2022
This was referenced Nov 7, 2022
|
Just a note: there was a request to undo this change: #1596 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Generated an SBOM in SPDX JSON format and took a look at the output and noticed it has external reference category of "PACKAGE_MANAGER".
What you expected to happen:
Per the SPDX JSON schema the value should be "PACKAGE-MANAGER", i.e. the separator should be a hyphen, not an underscore.
How to reproduce it (as minimally and precisely as possible):
Just run syft against a container and generate an SBOM in SPDX JSON format.
Anything else we need to know?:
Don't think so.
Environment:
Output of
syft version:0.58.0
OS (e.g:
cat /etc/os-releaseor similar):Ubuntu 10.04.6 LTS
The text was updated successfully, but these errors were encountered: