SBOM generation skips SPDX 3.0 documents when looking for external document references #981

pragnya17 · 2025-03-18T23:54:25Z

During SBOM generation (regardless of SPDX version), we skip SPDX 3.0 documents if they are in the build drop path. This means that they do not get added to the generated SBOM as external document references. During generation, the following warning message is also displayed to the user to indicate this behavior:

##[warning]Discovered SPDX at "C:\\Users\\ppandrate\\source\\repos\\sbom-tool\\TestResults\\Deploy_ppandrate 20250317T155644_5824\\E2E_GenerateAndRedactSPDX30Manifest_ReturnsNonZeroExitCode\\_manifest\\spdx_3.0\\manifest.spdx.json" is not SPDX-2.2 document, skipping

Is this behavior we are ok with? Do we want to include SPDX 3.0 documents in external document references?

The text was updated successfully, but these errors were encountered:

pragnya17 · 2025-04-01T18:08:55Z

This is not a release blocker for SPDX 3.0 so it is currently deprioritized.

pragnya17 added the needs triage label Mar 18, 2025

sfoslund added accepted and removed needs triage labels Mar 19, 2025

sfoslund assigned pragnya17 Mar 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SBOM generation skips SPDX 3.0 documents when looking for external document references #981

SBOM generation skips SPDX 3.0 documents when looking for external document references #981

pragnya17 commented Mar 18, 2025

pragnya17 commented Apr 1, 2025

Uh oh!

SBOM generation skips SPDX 3.0 documents when looking for external document references #981

SBOM generation skips SPDX 3.0 documents when looking for external document references #981

Comments

pragnya17 commented Mar 18, 2025

pragnya17 commented Apr 1, 2025

Uh oh!