v0.3.0 SPDX SBOM Does Not Have Unique SPDXID Package IDs #923
Comments
|
I think this was intended for anchore/syft , I'll transfer there. Regarding the specific issue, in short, I agree. Originally our package IDs in the syft-json format were random IDs, so generating an SBOM from a source twice wouldn't produce the same SBOM. We eventually moved over to stable IDs that are based on the package definition, however, didn't update the package IDs created for SPDX to reference the new syft model IDs. We should probably change this. The only other consideration not to do this is the fact that we could loose semantic usefulness of the IDs, but I think this is a secondary concern, and there are ways to solve that problem as well (if it is a problem). |
|
Thanks, @wagoodman. |
|
Side note, @jspeed-meyers we released an experimental conversion feature in the latest syft, where you can convert from SPDX-json to tag-value by: |
luhring
added
the
I/O
|
I'll start taking a look at this today to see how we can get more uniqueness in the ID, specifically the cases where |
|
Hi @jspeed-meyers sorry for the delay here, but this has actually been fixed for a while -- we're appending a unique hash to the SPDXIDs. I'm going to close this but please reopen if you continue to have any issues! |
What happened:
I was trying to convert the JSON format of the v0.3.0 SBOM to the tag-value format. The tool I was using reported multiple non-unique SPDXID package IDs and therefore did not work. For instance, there are multiple packages with the SPDXID of
SPDXRef-Package-go-module-github.com/adrg/xdg-v0.3.3.What you expected to happen:
I expected each package's SPDXID to be unique. See the SPDX spec: https://spdx.github.io/spdx-spec/package-information/ - The spec has this description of the Package SPDX identifier field: "Uniquely identify any element in an SPDX document which may be referenced by other elements."
How to reproduce it (as minimally and precisely as possible):
I was using this tool: https://github.com/spdx/tools-java with this command:
java -jar ../../external-tools/tools-java-1.0.4-jar-with-dependencies.jar Convert chronicle-sbom.spdx.json chronicle-sbom.spdx JSON TagAnything else we need to know?:
You could just say, "This isn't important." And that's fine! But I thought you might be curious and, additionally, it might lead to an upstream fix, if there is even a bug!, in syft.
The text was updated successfully, but these errors were encountered: