[New Check] Primary component lack of version goes undetected #136

surendrapathak · 2023-04-06T22:44:52Z

For the SBOM here -
https://sbomlc.s3.amazonaws.com/sbom4python-0.8.0_paramiko-3.1.0.cdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=yAQj8D2ZcNKMLSe242nV3QF8X3g%3D&Expires=1711592185

sbomgr packages -EP 'pypi/cryptography' -O 'filen,docn,docv,pkgn,pkgv' sbomlc/sbom4python-0.8.0_paramiko-3.1.0.cdx.json
sbomlc/sbom4python-0.8.0_paramiko-3.1.0.cdx.json	Python-paramiko		cryptography	40.0.1

docv results in the blank.

This is because the metada:component is missing the version:

"metadata": {
    "timestamp": "2023-03-28T19:16:23Z",
    "tools": [
      {
        "name": "sbom4python",
        "version": "0.8.0"
      }
    ],
    "component": {
      "type": "application",
      "bom-ref": "CDXRef-DOCUMENT",
      "name": "Python-paramiko"
    }
  },

However, details clearly specify that value is known:

"type": "library",
      "bom-ref": "1-paramiko",
      "name": "paramiko",
      "version": "3.1.0",
      "supplier": {
        "name": "Jeff Forcier",
        "contact": [
          {
            "email": "[email protected]"
          }
        ]
      },

I think we should create a check for version and other basic details in the primary component.

The text was updated successfully, but these errors were encountered:

surendrapathak self-assigned this Apr 6, 2023

surendrapathak added the Next Release label Jul 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Check] Primary component lack of version goes undetected #136

[New Check] Primary component lack of version goes undetected #136

surendrapathak commented Apr 6, 2023

[New Check] Primary component lack of version goes undetected #136

[New Check] Primary component lack of version goes undetected #136

Comments

surendrapathak commented Apr 6, 2023