
CDX SBOM output appends &uuid to the purl field #1224

Closed
mjherzog opened this issue May 9, 2024 · 3 comments
Labels: bug (Something isn't working), high priority

Comments

@mjherzog
Member

mjherzog commented May 9, 2024

Describe the bug
All versions of the CDX SBOM (1.4, 1.5, 1.6) output from SCIO append the package_uid from a Scan to the purl - an example is: pkg:deb/ubuntu/libkrb5support0@1.17-6ubuntu4.4?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70. The same value is used for bom-ref and in the dependsOn section of the SBOM.
This format probably makes sense for the bom-ref field, but it is a bug for the purl field because it is an internal "document" reference. I am not sure about the dependency information.
I do not see this bug in the SPDX output.

System configuration

  • Which version of ScanCode.io are you running? v34.4.0
  • Are you running the app using Docker? Yes

Expected behavior
SCIO should report a correct purl for a package without scan-specific data.

@mjherzog mjherzog added bug Something isn't working high priority labels May 9, 2024
@DennisClark
Member

DennisClark commented May 10, 2024

See the Project sh-ubuntu1-docker on Staging SCIO for a good example. When you view the Packages in the SCIO UI, there is no uuid at the end of the purl, but a generated CDX SBOM appends one at the end of the purl for each package.

@DennisClark
Member

Also if you download the (very large) scan results of sh-ubuntu1-docker to xlsx or json, the purl values are what you might expect, without the appended uuid value.

tdruez added a commit that referenced this issue May 10, 2024
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue May 10, 2024
… (#1225)

Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez
Member

tdruez commented May 10, 2024

There was a bug where the bom_ref value was also used to set the package_url field in the CycloneDX output.
Fixed in #1225
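A consumer-side check for the symptom described in this thread, added here as an example and not part of ScanCode.io or the fix in #1225: it walks the components of a CycloneDX JSON document, flags any purl whose qualifiers carry a scan-instance identifier (the `uuid` qualifier from the report; the `INTERNAL_QUALIFIERS` set is a hypothetical policy list), and shows the purl with those qualifiers stripped so the same package can be matched across scans. The second sample component is constructed.

```python
import json
from urllib.parse import parse_qs

# Constructed CycloneDX 1.5 fragment reproducing the shape described in the issue:
# the purl of the first component carries the scan-specific "uuid" qualifier,
# identical to its bom-ref. The second component is a constructed "good" case.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "bom-ref": "pkg:deb/ubuntu/libkrb5support0@1.17-6ubuntu4.4?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70",
            "purl": "pkg:deb/ubuntu/libkrb5support0@1.17-6ubuntu4.4?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70",
            "name": "libkrb5support0",
        },
        {
            "bom-ref": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9?uuid=00000000-0000-0000-0000-000000000000",
            "purl": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9",
            "name": "libc6",
        },
    ],
}

# Hypothetical policy: qualifier keys that identify a scan/document instance,
# not the package itself. Only "uuid" comes from the issue report.
INTERNAL_QUALIFIERS = {"uuid"}


def purl_qualifiers(purl):
    """Return the purl's qualifiers as a dict with lowercased keys."""
    _, _, query = purl.partition("?")
    return {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def strip_internal_qualifiers(purl):
    """Return the purl without scan-specific qualifiers, keeping the others in order."""
    base, sep, query = purl.partition("?")
    if not sep:
        return purl
    kept = [q for q in query.split("&") if q.split("=", 1)[0].lower() not in INTERNAL_QUALIFIERS]
    return base + ("?" + "&".join(kept) if kept else "")


def check_components(bom):
    """Return one finding per component whose purl carries an internal qualifier."""
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        bad = sorted(set(purl_qualifiers(purl)) & INTERNAL_QUALIFIERS)
        if bad:
            findings.append({"bom_ref": comp.get("bom-ref"), "purl": purl,
                             "qualifiers": bad, "clean_purl": strip_internal_qualifiers(purl)})
    return findings


def check_bom_json(text):
    """Convenience wrapper for a CycloneDX JSON document held as a string."""
    return check_components(json.loads(text))
```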

@tdruez tdruez closed this as completed May 10, 2024