SPDX2.2: bom generates SBOM with invalid value for packageVerificationCodeValue #230
Labels: kind/bug, sig/release
What happened:
While applying quality checks on SBOMs, I found bom failing to adhere to the strict SPDX 2.2 spec for the JSON format, resulting in the attached file containing an invalid packageVerificationCodeValue field. However, this is a required field with a non-empty value when filesAnalyzed is true, and for the attached SBOM the field should be skipped (filesAnalyzed: false); see https://spdx.github.io/spdx-spec/v2.2.2/package-information/#79-package-verification-code-field

This causes other tools that rely on strict checks (such as spdx/tools-python: https://github.com/spdx/tools-python/blob/72780a48d830b29c5d8c85c27e9ddbf39c22b6f6/spdx/utils.py#L37-L39 and https://github.com/spdx/tools-python/blob/f934ae27cc76c20f8e701bf2503e3ea521a9bb88/spdx/parsers/jsonyamlxml.py#L1295) to barf.
What you expected to happen:
packageVerificationCode with valid values or omitted
How to reproduce it (as minimally and precisely as possible):
bom generate --format json -i busybox > bom.spdx.json
Anything else we need to know?:
Environment: (not provided)
Attached SBOM: bom.spdx.json.txt
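One way to run the check the reporter describes against any SPDX 2.2 JSON document, written here as an added example (it is not code from the bom project or from spdx/tools-python). It assumes the SPDX 2.2 JSON field names packageVerificationCode, packageVerificationCodeValue and packageVerificationCodeExcludedFiles as given in the spec section linked above, that an absent filesAnalyzed means true (the spec default), and uses a constructed sample document rather than the attached bom.spdx.json:

```python
import hashlib
import json
import re
import sys

# Constructed sample document (not the reporter's attached bom.spdx.json). The first package
# has the shape of the bug in this issue: filesAnalyzed is false, yet an empty
# packageVerificationCodeValue is emitted. The SHA1 on the second package is only a
# syntactically valid placeholder (sha1 of the empty string).
SAMPLE_SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sample",
  "packages": [
    {"name": "busybox", "SPDXID": "SPDXRef-Package-busybox", "filesAnalyzed": false,
     "packageVerificationCode": {"packageVerificationCodeValue": ""}},
    {"name": "analyzed", "SPDXID": "SPDXRef-Package-analyzed", "filesAnalyzed": true,
     "packageVerificationCode": {"packageVerificationCodeValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}},
    {"name": "nocode", "SPDXID": "SPDXRef-Package-nocode", "filesAnalyzed": true}
  ]
}
"""

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SBOM_JSON)


def find_verification_code_errors(sbom):
    """Return (SPDXID, message) pairs for packages violating SPDX 2.2 section 7.9.

    filesAnalyzed true (or absent; the spec default is true): packageVerificationCode is
    mandatory and its value must be a 40 hex character SHA1.
    filesAnalyzed false: packageVerificationCode must be omitted entirely.
    """
    errors = []
    for pkg in sbom.get("packages", []):
        spdx_id = pkg.get("SPDXID", "<no SPDXID>")
        files_analyzed = pkg.get("filesAnalyzed", True)
        code = pkg.get("packageVerificationCode")
        if not files_analyzed:
            if code is not None:
                errors.append((spdx_id, "packageVerificationCode present although filesAnalyzed is false"))
            continue
        value = (code or {}).get("packageVerificationCodeValue", "")
        if not value:
            errors.append((spdx_id, "packageVerificationCode missing or empty although filesAnalyzed is true"))
        elif not SHA1_HEX.match(value):
            errors.append((spdx_id, "packageVerificationCodeValue is not a 40 character SHA1 hex digest"))
    return errors


def drop_codes_for_unanalyzed_packages(sbom):
    """Fix-up for the bug in this issue: strip packageVerificationCode, in place, from every
    package whose filesAnalyzed is false. Returns the SPDXIDs that were changed."""
    changed = []
    for pkg in sbom.get("packages", []):
        if not pkg.get("filesAnalyzed", True) and "packageVerificationCode" in pkg:
            del pkg["packageVerificationCode"]
            changed.append(pkg.get("SPDXID", "<no SPDXID>"))
    return changed


def verification_code(file_sha1s, excluded_files=()):
    """Build a packageVerificationCode object per SPDX 2.2 section 7.9: sort the per-file SHA1
    hex strings, concatenate them with no separator, and SHA1 the result. Files named in
    excluded_files are assumed to have already been left out of file_sha1s by the caller."""
    concatenated = "".join(sorted(s.lower() for s in file_sha1s))
    code = {"packageVerificationCodeValue": hashlib.sha1(concatenated.encode("ascii")).hexdigest()}
    if excluded_files:
        code["packageVerificationCodeExcludedFiles"] = list(excluded_files)
    return code


if __name__ == "__main__":
    # Usage: python check_pvc.py bom.spdx.json   (falls back to the constructed sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else load_sample()
    for spdx_id, message in find_verification_code_errors(doc):
        print(f"{spdx_id}: {message}")
```

Run it on the output of the reproduction command above to list every offending package; drop_codes_for_unanalyzed_packages shows the minimal fix a generator should apply (omit the object, rather than emit it with an empty value), and verification_code shows what a non-empty value has to be when filesAnalyzed is true.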