SPDX JSON has external reference category of PACKAGE_MANAGER instead of PACKAGE-MANAGER #1236
Labels
bug
Something isn't working
Comments
|
Turns out this may be due to an inadvertent update in the JSON schema, see this. |
|
We'll keep an eye on where it goes on that issue and what they decide. Great find thanks for the issue @ddillard! Is this currently throwing any errors of compatibility on your end with this inadvertent update? |
|
No, this isn't causing me any issues the moment. I was just doing some testing and noticed the discrepancy. If the proposed fix is implemented no changes will be required in syft, though I do believe grype might need a minor update. |
|
Both are going to be supported so no issue for SBOM generation. |
This was referenced Oct 17, 2022
This was referenced Oct 31, 2022
This was referenced Nov 7, 2022
|
Just a note: there was a request to undo this change: #1596 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Generated an SBOM in SPDX JSON format and took a look at the output and noticed it has external reference category of "PACKAGE_MANAGER".
What you expected to happen:
Per the SPDX JSON schema the value should be "PACKAGE-MANAGER", i.e. the separator should be a hyphen, not an underscore.
How to reproduce it (as minimally and precisely as possible):
Just run syft against a container and generate an SBOM in SPDX JSON format.
Anything else we need to know?:
Don't think so.
Environment:
Output of
syft version:0.58.0
OS (e.g:
cat /etc/os-releaseor similar):Ubuntu 10.04.6 LTS
The text was updated successfully, but these errors were encountered: