What would you like to be added:
For container scans, SPDX output should contain a container package (with Primary Package Purpose set to CONTAINER), which is what the SPDXRef-DOCUMENT DESCRIBES relationship should point to.
Packages found within the container should have CONTAINS relationships from the container.
While investigating this, it would be good to understand if packages for each layer within the container should be added in between. It seems both tern and the k8s bom tool generate SPDX from containers in this fashion: e.g. the SPDX relationships build a graph like: container -> layer -> package
Why is this needed:
More closely align with other tools and standards.
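The relationship shape the request describes (SPDXRef-DOCUMENT DESCRIBES a CONTAINER package, which CONTAINS layers, which CONTAIN packages) is easier to reason about with a concrete document in hand. The following is an added example, not code from this issue or from the project's SBOM generator: it builds a minimal SPDX 2.3 JSON document in that shape from a constructed layer-to-package map, builds the flat shape (DOCUMENT DESCRIBES each package directly) for comparison, and checks both with a small walker that verifies every DESCRIBES target has Primary Package Purpose CONTAINER and that every package is reachable through CONTAINS edges from it. The image name, layer digests, SPDX identifiers and the ARCHIVE purpose used for layer packages are all assumptions made for the example.

```python
"""Build and check SPDX 2.3 JSON relationship graphs for a container scan.

Added example. Image name, digests and SPDXIDs below are constructed values;
using primaryPackagePurpose ARCHIVE for layer packages is an assumption.
"""
import json
from typing import Dict, List

# Constructed input: layer digest -> packages discovered in that layer.
SAMPLE_LAYERS: Dict[str, List[str]] = {
    "sha256:1111111111111111111111111111111111111111111111111111111111111111": ["openssl", "zlib"],
    "sha256:2222222222222222222222222222222222222222222222222222222222222222": ["example-app"],
}


def _document(name: str) -> dict:
    """Skeleton SPDX 2.3 JSON document with empty package/relationship lists."""
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": name,
        "documentNamespace": f"https://example.invalid/spdx/{name}",  # placeholder
        "packages": [],
        "relationships": [],
    }


def _package(spdx_id: str, name: str, purpose: str) -> dict:
    return {
        "SPDXID": spdx_id,
        "name": name,
        "primaryPackagePurpose": purpose,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
    }


def _rel(src: str, rel_type: str, dst: str) -> dict:
    return {"spdxElementId": src, "relationshipType": rel_type, "relatedSpdxElement": dst}


def build_container_sbom(image: str, layers: Dict[str, List[str]]) -> dict:
    """Requested shape: DOCUMENT DESCRIBES container; container CONTAINS layer;
    layer CONTAINS package."""
    doc = _document(image)
    container_id = "SPDXRef-Container"
    doc["packages"].append(_package(container_id, image, "CONTAINER"))
    doc["relationships"].append(_rel("SPDXRef-DOCUMENT", "DESCRIBES", container_id))
    for i, (digest, pkg_names) in enumerate(layers.items()):
        layer_id = f"SPDXRef-Layer-{i}"
        doc["packages"].append(_package(layer_id, digest, "ARCHIVE"))  # assumed purpose
        doc["relationships"].append(_rel(container_id, "CONTAINS", layer_id))
        for j, pkg_name in enumerate(pkg_names):
            pkg_id = f"SPDXRef-Package-{i}-{j}"
            doc["packages"].append(_package(pkg_id, pkg_name, "LIBRARY"))
            doc["relationships"].append(_rel(layer_id, "CONTAINS", pkg_id))
    return doc


def build_flat_sbom(image: str, layers: Dict[str, List[str]]) -> dict:
    """Flat shape for comparison: no container package; DOCUMENT DESCRIBES each
    package directly."""
    doc = _document(image)
    for i, pkg_names in enumerate(layers.values()):
        for j, pkg_name in enumerate(pkg_names):
            pkg_id = f"SPDXRef-Package-{i}-{j}"
            doc["packages"].append(_package(pkg_id, pkg_name, "LIBRARY"))
            doc["relationships"].append(_rel("SPDXRef-DOCUMENT", "DESCRIBES", pkg_id))
    return doc


def check_container_shape(doc: dict) -> dict:
    """Report whether DESCRIBES targets are CONTAINER packages and which
    packages are unreachable via CONTAINS from those targets."""
    by_id = {p["SPDXID"]: p for p in doc["packages"]}
    describes = [r["relatedSpdxElement"] for r in doc["relationships"]
                 if r["spdxElementId"] == doc["SPDXID"] and r["relationshipType"] == "DESCRIBES"]
    contains: Dict[str, List[str]] = {}
    for r in doc["relationships"]:
        if r["relationshipType"] == "CONTAINS":
            contains.setdefault(r["spdxElementId"], []).append(r["relatedSpdxElement"])
    roots_ok = bool(describes) and all(
        by_id.get(d, {}).get("primaryPackagePurpose") == "CONTAINER" for d in describes)
    reachable, stack = set(), list(describes)  # depth-first walk over CONTAINS edges
    while stack:
        node = stack.pop()
        if node not in reachable:
            reachable.add(node)
            stack.extend(contains.get(node, []))
    return {"describes": describes, "roots_are_containers": roots_ok,
            "orphans": sorted(set(by_id) - reachable)}


if __name__ == "__main__":
    nested = build_container_sbom("example.invalid/app:1.0", SAMPLE_LAYERS)
    print(json.dumps(nested, indent=2))
    print(check_container_shape(nested))
    print(check_container_shape(build_flat_sbom("example.invalid/app:1.0", SAMPLE_LAYERS)))
```

Running the module prints the nested document and then the two check results: the nested shape passes (one DESCRIBES target, it is a CONTAINER, no orphans), while the flat shape is flagged because its DESCRIBES targets are ordinary LIBRARY packages, which is the gap the request is about.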