Package SBOMs are included in SBOM files section #956

Open
@sfoslund

Description

It was recently brought to our attention that package level SBOMs can cause problems when generating and validating SBOMs with this tool. Consider the following flow:

  • Project references a package which includes a package-level SBOM in its content.
  • User generates an SBOM based on the given project. The user points the BuildComponentPath to the directory which contains (among other things) the package SBOM and points the BuildDropPath to some other dir.
  • As documented in this repo, this tool adds the package SBOM to the files section of the generated project SBOM, despite the fact that the package SBOM does not live within the BuildDropPath.
  • We have now generated an SBOM which includes a file in the files section that does not live in the BuildDropPath.
  • User later tries to validate the SBOM on a different machine, with only the BuildDropPath dir on disk. This results in a validation error because the package SBOM is in the files section but does not appear on disk.

As a result, we should consider removing the logic that adds package SBOMs to the files section.
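The mismatch described in the issue can be caught before the SBOM leaves the build machine by walking the files section and resolving each entry against the BuildDropPath. The script below is an added example, not code from this repository: it assumes an SPDX 2.x JSON document whose `files[].fileName` entries are paths relative to the drop root written as `./path` (with optional SHA256 checksums), and it builds a constructed drop directory and SBOM inline so it runs offline. The package SBOM path used in the demo is a made-up filename; in the real flow it would be whatever path the tool recorded from the BuildComponentPath.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hex SHA256 of a file, read in chunks so large drop artifacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_files_section(sbom, drop_path):
    """Resolve every files[] entry of an SPDX JSON dict against drop_path.

    Returns {fileName: status} where status is one of:
      "ok"                - file exists under drop_path and (if present) SHA256 matches
      "missing"           - path would be under drop_path but is not on disk
      "outside drop path" - path escapes drop_path (e.g. "../..." or absolute)
      "hash mismatch"     - file exists but its SHA256 differs from the SBOM
    Any status other than "ok" is exactly what makes validation on another
    machine fail when only the BuildDropPath is present.
    """
    results = {}
    root = os.path.realpath(drop_path)
    for entry in sbom.get("files", []):
        name = entry["fileName"]
        rel = name[2:] if name.startswith("./") else name
        full = os.path.realpath(os.path.join(root, rel))
        # Entries that resolve outside the drop root (absolute paths, "..")
        # can never be validated from the drop alone.
        if os.path.commonpath([root, full]) != root:
            results[name] = "outside drop path"
            continue
        if not os.path.isfile(full):
            results[name] = "missing"
            continue
        expected = next(
            (c["checksumValue"].lower()
             for c in entry.get("checksums", [])
             if c.get("algorithm", "").upper() == "SHA256"),
            None,
        )
        if expected is not None and sha256_of(full) != expected:
            results[name] = "hash mismatch"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario mirroring the issue: one real drop artifact, one
    tampered artifact, one package SBOM that was never copied into the drop,
    and one entry that points outside the drop entirely."""
    drop = tempfile.mkdtemp(prefix="builddrop-")
    app = os.path.join(drop, "app.dll")
    with open(app, "wb") as f:
        f.write(b"constructed build output")
    cfg = os.path.join(drop, "appsettings.json")
    with open(cfg, "wb") as f:
        f.write(b'{"constructed": true}')

    sbom = {
        "spdxVersion": "SPDX-2.2",
        "files": [
            {"SPDXID": "SPDXRef-File-0", "fileName": "./app.dll",
             "checksums": [{"algorithm": "SHA256",
                            "checksumValue": sha256_of(app)}]},
            # Checksum deliberately wrong to show a hash mismatch being caught.
            {"SPDXID": "SPDXRef-File-1", "fileName": "./appsettings.json",
             "checksums": [{"algorithm": "SHA256",
                            "checksumValue": "0" * 64}]},
            # Hypothetical package-level SBOM path: it lived under the
            # BuildComponentPath, so nothing with that name is in the drop.
            {"SPDXID": "SPDXRef-File-2",
             "fileName": "./lib/somepackage/package.spdx.json"},
            # An entry that escapes the drop root altogether.
            {"SPDXID": "SPDXRef-File-3", "fileName": "../outside.txt"},
        ],
    }
    return check_files_section(sbom, drop)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:18} {name}")
```

Run this against a freshly generated SBOM and the drop it was generated from: any entry reported as `missing` or `outside drop path` is one that validation on a machine holding only the BuildDropPath will reject, so it is a signal to fix the generation step rather than ship the SBOM.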

Metadata

Assignees

Labels

accepted (We are working on this and hope to release it into the product)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests