CDX SBOM output appends &uuid to the purl field #1224
Comments
See the Project |
Also, if you download the (very large) scan results of sh-ubuntu1-docker to xlsx or json, the purl values are what you might expect, without the appended uuid value. |
Signed-off-by: tdruez <[email protected]>
… (#1225) Signed-off-by: tdruez <[email protected]>
There was a bug where the |
Describe the bug
All versions of the CDX SBOM (1.4, 1.5, 1.6) output from SCIO append the package_uid from a Scan to the purl - an example is: pkg:deb/ubuntu/[email protected]?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70. The same value is used for bom-ref and in the dependsOn section of the SBOM.
This format probably makes sense for the bom-ref field, but it is a bug for the purl field because the uuid is an internal "document" reference. I am not sure about the dependency information.
I do not see this bug in the SPDX output.
System configuration
Expected behavior
SCIO should report a correct purl for a package without scan-specific data.
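As an added check for the behaviour described in this issue (example code, not ScanCode.io's own): a small Python helper that flags CycloneDX components whose purl carries a scan-specific uuid qualifier and produces a copy with the purl cleaned, leaving bom-ref and dependencies untouched since those only need to be consistent inside the document. The package name in the sample SBOM is constructed; the uuid value is the one quoted above.

```python
"""Detect and strip scan-specific 'uuid' qualifiers from purls in a CycloneDX
JSON SBOM. Hypothetical helper written for this issue, not ScanCode.io code."""
import copy
import json

# Qualifier keys that identify a scan run, not the package (assumption).
INTERNAL_QUALIFIERS = {"uuid"}

# Constructed minimal CycloneDX 1.5 document; the package name is made up,
# the uuid value is the one quoted in the issue.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libc6",
     "bom-ref": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70",
     "purl": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70"}
  ],
  "dependencies": [
    {"ref": "pkg:deb/ubuntu/libc6@2.31-0ubuntu9?arch=amd64&uuid=3ee6bb6c-8a74-470c-900b-378f48e70b70",
     "dependsOn": []}
  ]
}
""")

def clean_purl(purl: str) -> str:
    """Remove internal qualifiers, keeping the rest of the purl byte-for-byte
    (no re-encoding), including any '#subpath' that follows the qualifiers."""
    base, sep, rest = purl.partition("?")
    if not sep:
        return purl
    query, hash_sep, subpath = rest.partition("#")
    kept = [q for q in query.split("&")
            if q.partition("=")[0].lower() not in INTERNAL_QUALIFIERS]
    cleaned = base + ("?" + "&".join(kept) if kept else "")
    return cleaned + hash_sep + subpath

def find_tainted_purls(bom: dict) -> list:
    """Return (bom-ref, purl) for every component whose purl carries internal data."""
    return [(c.get("bom-ref"), c["purl"]) for c in bom.get("components", [])
            if "purl" in c and clean_purl(c["purl"]) != c["purl"]]

def sanitize_bom(bom: dict) -> dict:
    """Copy of the BOM with purls cleaned; bom-ref and dependency refs are
    left alone because they only need to agree within the document."""
    fixed = copy.deepcopy(bom)
    for comp in fixed.get("components", []):
        if "purl" in comp:
            comp["purl"] = clean_purl(comp["purl"])
    return fixed

if __name__ == "__main__":
    for ref, purl in find_tainted_purls(SAMPLE_BOM):
        print(f"{ref}\n  purl should be: {clean_purl(purl)}")
```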