Empty purl in SPDX output

[vargenau]

What happened:

SPDX output contains empty purl:

ExternalRef: PACKAGE-MANAGER purl pkg:/

which is not valid purl.

What you expected to happen:

The line above should be removed from the output.

Steps to reproduce the issue:

syft docker:bitnami/mongodb:6.0.6-debian-11-r0 --scope all-layers -o spdx-tag-value@2.2 

mongodb-6.0.6-debian-11-r0.spdx.txt

Anything else we need to know?:

Environment:

• Output of syft version: syft 0.85.0
• OS (e.g: cat /etc/os-release or similar): Ubuntu 2023.04

[vargenau]

It gives warnings in Grype:

[0001]  WARN unable to parse purl: pkg:/ from-lib=syft
[0002]  WARN unable to parse purl: pkg:/ from-lib=syft

[tgerla]

Thanks, @vargenau! We appreciate the report. We'll look at this when we can, and if you would like to look into it, feel free to let us know and we can get you pointed in the right direction.

[kzantow]

Hi @vargenau this appears to be fixed in the latest Syft (v0.86.1, fixed as part of this PR). I'm going to close this as completed, but please ping us if you continue to see this issue!

[vargenau]

I confirm in is fixed in syft 0.87.0

[kzantow]

Thanks for following up, @vargenau!