
Invalid SPDX generated for flagger #1616

Closed
surendrapathak opened this issue Feb 24, 2023 · 1 comment
Labels
bug Something isn't working format:spdx SPDX related enhancement or bug

Comments

@surendrapathak

Flagger uses sbom-action to produce SPDX with release artifacts. However, the file is an invalid SPDX.

SPDX 2.3 requires at least one SHA to be SHA1 for File.

However, the SBOM is missing SHA1 checksums for all files starting at line 1835:

```json
"checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "21fd7be6572c8892b02ff91926cf72f456e150c50b58e5f2bb534077bf455551"
    }
]
```

Steps to reproduce the issue:

Anything else we need to know?:

Environment:

  • Output of syft version:
    From SBOM: "Tool: syft-0.68.1"

  • OS (e.g: cat /etc/os-release or similar):
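The conformance point raised in this issue (every SPDX 2.3 File element must carry a SHA1 checksum, with other algorithms optional) is easy to gate on before an SBOM is attached to a release. The following is an added example written for this page, not code from syft, sbom-action or Flagger. It parses an SPDX JSON document, reports each File whose checksum list has no SHA1 entry, and also flags a SHA1 entry whose value is not 40 hex digits. The embedded document is constructed to mirror the shape quoted above; the SPDXIDs and file names in it are made up.

```python
import json
import re
import sys
from typing import List, Tuple

# Constructed sample SPDX 2.3 JSON document (not from the Flagger release).
# File-a mirrors the issue: SHA256 only. File-b is conformant. File-c has a
# SHA1 entry whose value is malformed, which a naive "algorithm present" check
# would miss.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-example",
    "files": [
        {
            "SPDXID": "SPDXRef-File-a",
            "fileName": "./bin/example-a",
            "checksums": [
                {"algorithm": "SHA256",
                 "checksumValue": "21fd7be6572c8892b02ff91926cf72f456e150c50b58e5f2bb534077bf455551"},
            ],
        },
        {
            "SPDXID": "SPDXRef-File-b",
            "fileName": "./bin/example-b",
            "checksums": [
                {"algorithm": "SHA1",
                 "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
                {"algorithm": "SHA256",
                 "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            ],
        },
        {
            "SPDXID": "SPDXRef-File-c",
            "fileName": "./bin/example-c",
            "checksums": [
                {"algorithm": "SHA1", "checksumValue": "deadbeef"},
            ],
        },
    ],
})

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def find_files_missing_sha1(spdx_json: str) -> List[Tuple[str, str]]:
    """Return (SPDXID, reason) for every File element that is not SPDX 2.3
    conformant with respect to its checksum list.

    SPDX 2.3 makes the File checksum field mandatory and requires SHA1 to be
    among the algorithms given; SHA256 and others are optional extras. A SHA1
    entry whose value is not 40 hex digits is reported too, since a consumer
    cannot use it to verify the file.
    """
    doc = json.loads(spdx_json)
    findings: List[Tuple[str, str]] = []
    for entry in doc.get("files", []):
        file_id = entry.get("SPDXID") or entry.get("fileName") or "<unknown>"
        sha1_values = [
            c.get("checksumValue", "")
            for c in entry.get("checksums", [])
            if str(c.get("algorithm", "")).upper() == "SHA1"
        ]
        if not sha1_values:
            findings.append((file_id, "no SHA1 checksum"))
            continue
        for value in sha1_values:
            if not SHA1_HEX.match(value):
                findings.append(
                    (file_id, f"SHA1 value is not 40 hex digits: {value!r}"))
    return findings


def main(argv: List[str]) -> int:
    """Validate the file named on the command line, or the constructed sample
    when none is given. Exits non-zero on any finding so it can gate CI."""
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8") as fh:
            document = fh.read()
    else:
        document = SAMPLE_SPDX
    findings = find_files_missing_sha1(document)
    for file_id, reason in findings:
        print(f"{file_id}: {reason}")
    print(f"{len(findings)} non-conformant File element(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_spdx_sha1.py sbom.spdx.json` in the release job; a non-zero exit means the SBOM would be rejected by an SPDX 2.3 validator for the reason this issue describes.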

@surendrapathak surendrapathak added the bug Something isn't working label Feb 24, 2023
@tgerla tgerla added this to OSS Feb 27, 2023
@wagoodman wagoodman added the format:spdx SPDX related enhancement or bug label Mar 2, 2023
@tgerla (Contributor) commented Mar 9, 2023

Hi @surendrapathak, the solution here should be the same as the previous ticket: #1568 (comment) -- if you set the environment variables @kzantow listed, you should see the checksums in the result.

@tgerla tgerla moved this to Awaiting Response in OSS Mar 9, 2023
@tgerla tgerla closed this as not planned Won't fix, can't repro, duplicate, stale May 4, 2023
@github-project-automation github-project-automation bot moved this from Awaiting Response to Done in OSS May 4, 2023