Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create SBOM file will have suffix in modules name #1275

Closed
106062 opened this issue Oct 20, 2022 · 1 comment
Closed

Create SBOM file will have suffix in modules name #1275

106062 opened this issue Oct 20, 2022 · 1 comment
Labels
bug Something isn't working

Comments

@106062
Copy link

106062 commented Oct 20, 2022

Please provide a set of steps on how to reproduce the issue

syft packages file:path/to/yourproject/file -o cyclonedx-json

syft packages file:path/to/yourproject/file -o cyclonedx-xml

What happened:
image
image

modules name have suffix :*:*:*:*:*:*:*
What you expected to happen:

      "cpe": "cpe:2.3:a:yallist:yallist:4.0.0",
      "purl": "pkg:npm/[email protected]",
      "properties": [
        {
          "name": "syft:package:foundBy",
          "value": "javascript-lock-cataloger"
        },
        {
          "name": "syft:package:language",
          "value": "javascript"
        },
        {
          "name": "syft:package:type",
          "value": "npm"
        },
        {
          "name": "syft:cpe23",
          "value": "cpe:2.3:a:*:yallist:4.0.0"
        },
        {
          "name": "syft:location:0:path",
          "value": "package-lock.json"
        }
      ]
<component bom-ref="pkg:npm/[email protected]?package-id=20995d1e50ccb27a" type="library">
      <name>yallist</name>
      <version>4.0.0</version>
      <licenses>
        <license>
          <id>ISC</id>
        </license>
      </licenses>
      <cpe>cpe:2.3:a:yallist:yallist:4.0.0</cpe>
      <purl>pkg:npm/[email protected]</purl>
      <properties>
        <property name="syft:package:foundBy">javascript-lock-cataloger</property>
        <property name="syft:package:language">javascript</property>
        <property name="syft:package:type">npm</property>
        <property name="syft:cpe23">cpe:2.3:a:*:yallist:4.0.0</property>
        <property name="syft:location:0:path">package-lock.json</property>
      </properties>
    </component>

Anything else we need to know?:

Environment:

  • Output of syft version: v0.59.0
  • OS (e.g: cat /etc/os-release or similar): VERSION="20.04.4 LTS (Focal Fossa)"
@106062 106062 added the bug Something isn't working label Oct 20, 2022
@106062 106062 changed the title Create SBOM file will have suffix in modules Create SBOM file will have suffix in modules name Oct 20, 2022
@spiffcs spiffcs added this to OSS Oct 20, 2022
@kzantow
Copy link
Contributor

kzantow commented Oct 20, 2022

Hi @106062 you're referring to a CPE, which should have all the CPE fields defined, in this case which ends with :*:*:*:*:*:*:*, which is required to be a valid CPE format (specifically, the "string binding format"). If you'd like to learn more about CPEs, please see: https://cpe.mitre.org/specification/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Archived in project
Development

No branches or pull requests

2 participants