Invalid SPDX published for fatbom project

Open surendrapathak opened this issue 2 years ago • 2 comments

Name of the app fatbom

Describe the bug The merged sbom built with the project is invalid.

To Reproduce While applying quality checks on SBOMs , I found merged spdx to be invalid. A quick check against spdx validator shows:

empty DocumentNamespace
No Created date

Expected behavior Published sbom should be a valid SPDX document

Additional context SBOM: https://github.com/sbs2001/fatbom/releases/download/v0.0.1/semi_merged_bom.json

Feb 24 '23 07:02 surendrapathak

@surendrapathak thanks ! Didn't knew about the tool, great work there. I'll fix the error in next release.

Feb 24 '23 08:02 sbs2001

Wow - thanks for a quick update :) Feel free to star sbomqs - we have a lot of work to do get the quality of sbom go up. We are tracking them all here : https://github.com/interlynk-io/sbomqs/discussions/39

Feb 24 '23 08:02 surendrapathak