It was recently brought to our attention that package-level SBOMs can cause problems when generating and validating SBOMs with this tool. Consider the following flow:

1. Project references a package which includes a package-level SBOM in its content.
2. User generates an SBOM based on the given project. The user points the BuildComponentPath to the directory which contains (among other things) the package SBOM and points the BuildDropPath to some other dir.
3. As documented in this repo, this tool adds the package SBOM to the files section of the generated project SBOM, despite the fact that the package SBOM does not live within the BuildDropPath.
4. We have now generated an SBOM which includes a file in the files section that does not live in the BuildDropPath.
5. User later tries to validate the SBOM on a different machine, with only the BuildDropPath dir on disk. This results in a validation error because the package SBOM is in the files section but does not appear on disk.

As a result, we should consider removing the logic to add package SBOMs from the files section.
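The flow above, reproduced as an added example (written for this note, not sbom-tool's own code). It assumes a simplified files section where each entry is a `./relative` path under the drop directory plus a SHA-256, and uses constructed folder names standing in for BuildDropPath and BuildComponentPath. The naive mode records a file found outside the drop path anyway; the restricted mode skips it, so the SBOM validates on a machine that only has the drop directory.

```python
"""Constructed example: a files-section entry that lives outside BuildDropPath
cannot be verified on a machine that only has the drop directory."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def files_section(entries: List[Path], drop_path: Path, restrict_to_drop: bool) -> List[Dict[str, str]]:
    """Build a simplified files section (assumed layout, not the real SPDX schema).

    Files under drop_path are recorded as './relative/path'. For a file outside
    drop_path (e.g. a package SBOM under BuildComponentPath) the naive mode records
    an absolute path that only resolves on the build machine; the restricted mode
    leaves it out entirely.
    """
    drop = drop_path.resolve()
    section = []
    for entry in entries:
        resolved = entry.resolve()
        try:
            rel = resolved.relative_to(drop)
        except ValueError:
            if restrict_to_drop:
                continue  # not part of the drop: do not list it
            section.append({"fileName": str(resolved), "sha256": sha256_of(resolved)})
            continue
        section.append({"fileName": "./" + rel.as_posix(), "sha256": sha256_of(resolved)})
    return section


def validate(files: List[Dict[str, str]], drop_path: Path) -> List[str]:
    """Return the fileNames that are missing from drop_path or whose hash differs."""
    problems = []
    for entry in files:
        name = entry["fileName"]
        candidate = drop_path / name[2:] if name.startswith("./") else Path(name)
        if not candidate.is_file() or sha256_of(candidate) != entry["sha256"]:
            problems.append(name)
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Generate on one 'machine', validate on another that only has the drop dir.
    Returns (problems with the naive section, problems with the restricted section)."""
    # Build machine: a component ships its own SBOM next to the build output.
    build = Path(tempfile.mkdtemp())
    drop = build / "drop"              # stands in for BuildDropPath
    components = build / "components"  # stands in for BuildComponentPath
    pkg_sbom = components / "somepkg" / "_manifest" / "manifest.spdx.json"
    pkg_sbom.parent.mkdir(parents=True)
    pkg_sbom.write_text('{"spdxVersion": "SPDX-2.2"}')  # constructed placeholder content
    drop.mkdir()
    (drop / "app.dll").write_bytes(b"constructed build output")

    candidates = [drop / "app.dll", pkg_sbom]
    naive = files_section(candidates, drop, restrict_to_drop=False)
    restricted = files_section(candidates, drop, restrict_to_drop=True)

    # Validation machine: only the drop directory was copied across.
    with tempfile.TemporaryDirectory() as machine2:
        drop2 = Path(machine2) / "drop"
        shutil.copytree(drop, drop2)
        shutil.rmtree(build)  # original build tree, package SBOM included, is gone
        return validate(naive, drop2), validate(restricted, drop2)


if __name__ == "__main__":
    naive_problems, restricted_problems = demo()
    print("naive section, unverifiable:", naive_problems)
    print("restricted section, unverifiable:", restricted_problems)
```

The naive section fails on exactly one entry, the package SBOM, which is the validation error described in step 5; the restricted section, which only lists files that resolve under the drop path, validates cleanly.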