syft generates SBOMs that don't meet SPDX spec #1568

Closed
surendrapathak opened this issue Feb 14, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@surendrapathak

While applying sbomqs quality checks on SBOMs, we found issues with syft-generated SBOMs.

For spdx-json, syft generates SBOMs that do not adhere to the SPDX spec.

What happened:

syft packages python:3.9.15-bullseye -o spdx-json > ~/Downloads/python-3.9.15-bullseye.spdx.json

The generated SBOM has a "files" section at line: 20350

However, none of the included 'files' has a 'checksum', which is a required field:

https://spdx.github.io/spdx-spec/v2.2.2/file-information/#84-file-checksum-field

What you expected to happen:

Generated SPDX to be a valid SPDX 2.2 document.

Anything else we need to know?:

Environment:

  • Output of syft version:

```
Application:        syft
Version:            0.65.0
JsonSchemaVersion:  6.0.0
BuildDate:          2023-01-04T17:00:24Z
GitCommit:          bc1edb9c8a2fb4824bfdcac6147edc2bbf47aaf6
GitDescription:     v0.65.0
Platform:           darwin/amd64
GoVersion:          go1.18.9
Compiler:           gc
```

  • OS (e.g: `cat /etc/os-release` or similar): Mac 13.1
@surendrapathak surendrapathak added the bug Something isn't working label Feb 14, 2023
@tgerla tgerla added this to OSS Feb 14, 2023
@tgerla
Contributor

tgerla commented Feb 14, 2023

Possibly related to #1401

@kzantow
Contributor

kzantow commented Feb 14, 2023

Hi @surendrapathak, you are correct: by default Syft does not generate checksums, which results in invalid SPDX documents. You can, however, run Syft with the environment variables SYFT_FILE_METADATA_CATALOGER_ENABLED=true SYFT_FILE_METADATA_DIGESTS=sha1 to cause the required SHA1 hashes to be calculated and included for files as well as PackageVerificationCode, e.g.:

SYFT_FILE_METADATA_CATALOGER_ENABLED=true SYFT_FILE_METADATA_DIGESTS=sha1 syft alpine:latest -o spdx
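As an added example (not code from syft, sbomqs, or any commenter in this thread), the checker below covers the two points raised above: the per-file checksum that SPDX 2.2 requires, and the package verification code that the SHA1 digests feed into (the SPDX algorithm: SHA1 over the ascending-sorted, concatenated SHA1 hex digests of the package's files). Field names follow the SPDX 2.2 JSON format; the two sample documents, their file names and SHA1 values are constructed, and the code assumes a package's `hasFiles` list names the files its verification code covers.

```python
import hashlib
import json

# Constructed sample data (not real syft output): two files with made-up SHA1 values.
_FILE_SHA1 = {
    "SPDXRef-File-bin-sh": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SPDXRef-File-etc-passwd": "356a192b7913b04c54574d18c28d46e6395428ab",
}


def package_verification_code(sha1_hex_values):
    """SPDX package verification code: SHA1 of the ascending-sorted,
    concatenated lowercase SHA1 hex digests of the package's files."""
    joined = "".join(sorted(v.lower() for v in sha1_hex_values))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def _doc(with_checksums):
    """Build a minimal SPDX 2.2 JSON document, with or without file checksums."""
    files = []
    for spdx_id, sha1 in _FILE_SHA1.items():
        entry = {"SPDXID": spdx_id, "fileName": "./" + spdx_id[len("SPDXRef-File-"):]}
        if with_checksums:
            entry["checksums"] = [{"algorithm": "SHA1", "checksumValue": sha1}]
        files.append(entry)
    package = {"SPDXID": "SPDXRef-Package-example", "name": "example",
               "hasFiles": list(_FILE_SHA1)}  # assumption: hasFiles lists member files
    if with_checksums:
        package["packageVerificationCode"] = {
            "packageVerificationCodeValue": package_verification_code(_FILE_SHA1.values())
        }
    return {"spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
            "packages": [package], "files": files}


BAD_DOC = _doc(with_checksums=False)   # what the issue reports: no checksums at all
GOOD_DOC = _doc(with_checksums=True)   # what the SHA1 digest workaround produces


def file_sha1(file_entry):
    """Return the file's lowercase SHA1 hex digest, or None if it has none."""
    for c in file_entry.get("checksums", []):
        if c.get("algorithm", "").upper() == "SHA1":
            return c.get("checksumValue", "").lower()
    return None


def files_missing_checksums(doc):
    """SPDXIDs of files that carry no checksum at all (required by SPDX 2.2 section 8.4)."""
    return [f["SPDXID"] for f in doc.get("files", []) if not f.get("checksums")]


def validate_spdx(doc):
    """Return a list of human-readable findings; an empty list means the checks passed."""
    findings = [f"{spdx_id}: missing required file checksum (SPDX 2.2 section 8.4)"
                for spdx_id in files_missing_checksums(doc)]
    by_id = {f["SPDXID"]: f for f in doc.get("files", [])}
    for pkg in doc.get("packages", []):
        code_obj = pkg.get("packageVerificationCode", {})
        code = code_obj.get("packageVerificationCodeValue")
        if not code:
            findings.append(f"{pkg['SPDXID']}: missing packageVerificationCode")
            continue
        # Excluded files are listed by fileName in the spec; skip them when recomputing.
        excluded = set(code_obj.get("packageVerificationCodeExcludedFiles", []))
        members = [by_id[i] for i in pkg.get("hasFiles", by_id)
                   if i in by_id and by_id[i]["fileName"] not in excluded]
        sha1s = [file_sha1(f) for f in members]
        if any(s is None for s in sha1s):
            findings.append(f"{pkg['SPDXID']}: cannot verify code, some files lack SHA1")
        elif package_verification_code(sha1s) != code.lower():
            findings.append(f"{pkg['SPDXID']}: packageVerificationCode does not match file SHA1s")
    return findings


def with_altered_file(doc, spdx_id, new_sha1):
    """Deep-copy doc and replace one file's SHA1 (simulates a stale or edited SBOM)."""
    copy = json.loads(json.dumps(doc))
    for f in copy["files"]:
        if f["SPDXID"] == spdx_id:
            f["checksums"] = [{"algorithm": "SHA1", "checksumValue": new_sha1}]
    return copy


if __name__ == "__main__":
    import sys
    # Usage: python spdx_check.py <sbom.spdx.json>; without a path, checks the constructed sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else BAD_DOC
    for line in validate_spdx(doc) or ["no findings"]:
        print(line)
```

Run against the constructed sample it reports the two missing file checksums and the missing package verification code; run against a document produced with the SHA1 digest environment variables it also recomputes each package's verification code from the file digests, so a later edit to any file entry shows up as a mismatch.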

@spiffcs
Contributor

spiffcs commented Feb 14, 2023

Adding a link to where we test for this in our cli suite:
https://github.com/anchore/syft/blob/main/test/cli/spdx_tooling_validation_test.go

@kzantow kzantow moved this to Backlog in OSS Feb 15, 2023
@spiffcs spiffcs closed this as completed Feb 22, 2023
@github-project-automation github-project-automation bot moved this from Backlog to Done in OSS Feb 22, 2023
@kzantow kzantow closed this as not planned Mar 2, 2023