Create a package record for the artifact an SBOM described when creating a SPDX SBOM #1661
Labels: enhancement (New feature or request)
Comments
Hi @eliaslevy we are planning on doing this -- there's definitely some overlap with: #1518
I agree that this is needed - even without containers. When creating an SBOM of a Python project I want to be able to add metadata in the config file and/or on the command line - or, if I create an SBOM within a build system based on a Linux distro, I want to document which system and when.
What would you like to be added:
Syft should create an SPDX Package to represent the artifact an SBOM describes when creating a SPDX SBOM.
Why is this needed:
The SPDX spec is silent on whether a package should be created within the SPDX document to represent the artifact or component associated with the SBOM. If the artifact is not modeled as a SPDX package at the root of the SPDX relationship tree, there is no place to record artifact metadata such as its digest, author, license, download location, etc.
For comparison, CycloneDX is explicit about this issue. The `metadata.component` field specifies the component that the SBOM describes, and it has the same schema as the dependent `components`, so you specify the artifact's digests (`hashes`), author, licenses, cpe, purl, etc.

Syft does not create a SPDX package for the artifact it analyzes. Thus, it does not record pertinent information, such as the author, digest, or license of the artifact. That means it can be difficult to identify what artifact an SBOM belongs to and to perform SBOM merging.
Additional context:
When creating a CycloneDX file Syft will fill out some of the `metadata.component` fields, although it fails to fill in the `hashes`. If the artifact is a container image, it will fill out `metadata.component.version` with the container digest (e.g., `sha256:<digest>`).
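The gap the issue describes is easy to check for mechanically: does a given SBOM carry a root record for the artifact it describes, and does that record include the digest, author, license and purl needed to tell SBOMs apart and merge them? The script below is an added example, not Syft's code or part of this issue; it reads the CycloneDX `metadata.component` and, for SPDX, the package that `SPDXRef-DOCUMENT` `DESCRIBES`, normalizes both to one record and lists the identity fields that are missing. The sample documents, their names (`app`, `libfoo`, `Example Corp`) and their digests are constructed for illustration.

```python
"""Check whether an SBOM records the artifact it describes and which identity fields it carries.

Added example (not Syft code). Handles two JSON encodings:
  - CycloneDX: metadata.component
  - SPDX 2.x:  the package that SPDXRef-DOCUMENT DESCRIBES (or documentDescribes)
All sample documents below are constructed for illustration.
"""
import json

# Fields the issue calls pertinent for identifying an artifact and merging SBOMs.
IDENTITY_FIELDS = ("name", "version", "digests", "author", "licenses", "purl")


def _spdx_root(sbom):
    """Return the SPDX package that the document DESCRIBES, or None when there is none."""
    doc_id = sbom.get("SPDXID", "SPDXRef-DOCUMENT")
    described = {
        r.get("relatedSpdxElement")
        for r in sbom.get("relationships", [])
        if r.get("spdxElementId") == doc_id and r.get("relationshipType") == "DESCRIBES"
    }
    # documentDescribes is the older shorthand for the same relationship.
    described.update(sbom.get("documentDescribes", []))
    for pkg in sbom.get("packages", []):
        if pkg.get("SPDXID") in described:
            return pkg
    return None


def _normalize_spdx(pkg):
    """Map an SPDX package to the common record shape (algorithm names lower-cased, no dashes)."""
    digests = {c["algorithm"].replace("-", "").lower(): c["checksumValue"]
               for c in pkg.get("checksums", [])}
    purl = next((ref["referenceLocator"] for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"), None)
    licenses = [lic for lic in (pkg.get("licenseConcluded"), pkg.get("licenseDeclared"))
                if lic and lic != "NOASSERTION"]
    return {
        "name": pkg.get("name"),
        "version": pkg.get("versionInfo"),
        "digests": digests or None,
        "author": pkg.get("originator") or pkg.get("supplier"),
        "licenses": licenses or None,
        "purl": purl,
    }


def _normalize_cdx(comp):
    """Map a CycloneDX component to the common record shape ("SHA-256" becomes "sha256")."""
    digests = {h["alg"].replace("-", "").lower(): h["content"] for h in comp.get("hashes", [])}
    licenses = [lic["license"].get("id") or lic["license"].get("name")
                for lic in comp.get("licenses", []) if "license" in lic]
    author = comp.get("author") or comp.get("publisher") or comp.get("supplier", {}).get("name")
    return {
        "name": comp.get("name"),
        "version": comp.get("version"),
        "digests": digests or None,
        "author": author,
        "licenses": licenses or None,
        "purl": comp.get("purl"),
    }


def root_artifact(sbom):
    """Return a normalized record for the artifact the SBOM describes, or None if it has none."""
    if sbom.get("bomFormat") == "CycloneDX":
        comp = sbom.get("metadata", {}).get("component")
        return _normalize_cdx(comp) if comp else None
    if str(sbom.get("spdxVersion", "")).startswith("SPDX-"):
        pkg = _spdx_root(sbom)
        return _normalize_spdx(pkg) if pkg else None
    raise ValueError("unrecognized SBOM format")


def missing_identity(sbom):
    """List identity fields absent for the root artifact; ['root'] when no root record exists."""
    record = root_artifact(sbom)
    if record is None:
        return ["root"]
    return [f for f in IDENTITY_FIELDS if not record.get(f)]


DIGEST = "ab" * 32  # constructed, not a real image digest

# Constructed sample: CycloneDX with a fully populated metadata.component.
CDX_DOC = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"component": {
        "type": "container", "name": "app", "version": "sha256:" + DIGEST,
        "author": "Example Corp",
        "hashes": [{"alg": "SHA-256", "content": DIGEST}],
        "licenses": [{"license": {"id": "MIT"}}],
        "purl": "pkg:oci/app@sha256:" + DIGEST,
    }},
    "components": [],
}

# Constructed sample: the same component without hashes, the gap the issue reports in Syft output.
CDX_NO_HASHES = json.loads(json.dumps(CDX_DOC))
del CDX_NO_HASHES["metadata"]["component"]["hashes"]

# Constructed sample: SPDX 2.3 with a root package and a DESCRIBES relationship to it.
SPDX_WITH_ROOT = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "versionInfo": "1.0.0",
         "originator": "Organization: Example Corp", "licenseConcluded": "MIT",
         "checksums": [{"algorithm": "SHA256", "checksumValue": DIGEST}],
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:oci/app@sha256:" + DIGEST}]},
        {"SPDXID": "SPDXRef-Package-dep", "name": "libfoo", "versionInfo": "2.1"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-app"}],
}

# Constructed sample: SPDX document that lists only dependencies and has no root package.
SPDX_NO_ROOT = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "app-sbom",
    "packages": [{"SPDXID": "SPDXRef-Package-dep", "name": "libfoo", "versionInfo": "2.1"}],
    "relationships": [],
}

if __name__ == "__main__":
    for label, doc in [("cdx", CDX_DOC), ("cdx-no-hashes", CDX_NO_HASHES),
                       ("spdx-root", SPDX_WITH_ROOT), ("spdx-no-root", SPDX_NO_ROOT)]:
        print(f"{label:14s} missing: {missing_identity(doc) or 'none'}")
```

Replace the embedded samples with `json.load(open(path))` to run it over real Syft output; a result of `['root']` for an SPDX file is exactly the condition this issue asks Syft to remove, and `['digests']` for a CycloneDX file is the missing `hashes` noted under additional context.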