Package SBOMs are included in SBOM files section #956

Open
sfoslund opened this issue Mar 3, 2025 · 0 comments
Labels
needs triage Default status upon issue submission

Comments

@sfoslund
Member

sfoslund commented Mar 3, 2025

It was recently brought to our attention that package-level SBOMs can cause problems when generating and validating SBOMs with this tool. Consider the following flow:

  • Project references a package which includes a package-level SBOM in its content.
  • User generates an SBOM based on the given project. The user points the BuildComponentPath to the directory which contains (among other things) the package SBOM and points the BuildDropPath to some other dir.
  • As documented in this repo, this tool adds the package SBOM to the files section of the generated project SBOM, despite the fact that the package SBOM does not live within the BuildDropPath.
  • We have now generated an SBOM which includes a file in the files section that does not live in the BuildDropPath.
  • User later tries to validate the SBOM on a different machine, with only the BuildDropPath dir on disk. This results in a validation error because the package SBOM is in the files section but does not appear on disk.

As a result, we should consider removing the logic that adds package SBOMs to the files section.
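The flow above, modelled as an added example (this is illustrative Python, not the tool's own code): `generate_files_section()` mimics the current behaviour of listing every file under BuildDropPath plus any package-level SBOM found under BuildComponentPath, and `validate_files_section()` is a hypothetical check that shows why that extra entry fails once only the BuildDropPath is on disk. The directory layout, file names and the `*.spdx.json` naming of package SBOMs are constructed assumptions.

```python
import shutil
import tempfile
from pathlib import Path


def find_package_sboms(build_component_path: Path) -> list[Path]:
    """Package-level SBOMs shipped inside referenced packages (assumed SPDX JSON)."""
    return sorted(p for p in build_component_path.rglob("*.spdx.json") if p.is_file())


def generate_files_section(drop: Path, component: Path, include_package_sboms: bool) -> list[dict]:
    """Files section of the project SBOM. Entries under BuildDropPath are stored relative to it;
    a package SBOM lives outside the drop, so its absolute path is all that can be recorded."""
    files = [{"fileName": "./" + p.relative_to(drop).as_posix()}
             for p in sorted(drop.rglob("*")) if p.is_file()]
    if include_package_sboms:  # the behaviour the issue proposes to remove
        files += [{"fileName": str(p)} for p in find_package_sboms(component)]
    return files


def validate_files_section(files: list[dict], drop: Path) -> list[str]:
    """Return the fileName of every entry that cannot be found on disk under BuildDropPath."""
    missing = []
    for entry in files:
        name = entry["fileName"]
        target = Path(name) if Path(name).is_absolute() else drop / name
        if not target.is_file():
            missing.append(name)
    return missing


def reproduce(include_package_sboms: bool) -> list[str]:
    """Generate on one machine, then validate where only BuildDropPath exists."""
    root = Path(tempfile.mkdtemp())
    try:
        drop, component = root / "drop", root / "components"
        (drop / "bin").mkdir(parents=True)
        (drop / "bin" / "app.dll").write_bytes(b"\x00" * 16)  # constructed build output
        pkg = component / "packages" / "foo" / "_manifest"
        pkg.mkdir(parents=True)
        (pkg / "manifest.spdx.json").write_text('{"spdxVersion": "SPDX-2.2"}')  # constructed
        files = generate_files_section(drop, component, include_package_sboms)
        shutil.rmtree(component)  # "different machine": the component directory is gone
        return validate_files_section(files, drop)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

`reproduce(True)` reports the package SBOM as missing, reproducing the validation error; `reproduce(False)` returns an empty list, which is the outcome once package SBOMs are no longer added to the files section.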

@sfoslund sfoslund added the needs triage Default status upon issue submission label Mar 3, 2025