
Conversion of cdx json sbom to spdx json sbom file misses download location and license information

Open · angelwn opened this issue 1 year ago · 1 comment

The license information and download location are missing after the conversion from cdx.json to spdx.json.

```python
from lib4sbom.parser import SBOMParser
from lib4sbom.generator import SBOMGenerator
from lib4sbom.data.document import SBOMDocument

# Parse the CycloneDX JSON SBOM that will be converted to SPDX JSON
test_parser = SBOMParser()
test_parser.parse_file("gl-sbom-conan-conan.cdx.json")
```

One example package in gl-sbom-conan-conan.cdx.json:

```json
{
  "name": "openssl",
  "version": "3.1.3",
  "purl": "pkg:conan/openssl@3.1.3",
  "type": "library",
  "bom-ref": "pkg:conan/openssl@3.1.3",
  "licenses": [
    {
      "license": {
        "id": "Apache-2.0"
      }
    }
  ],
  "URL": "https://gitlab.com/test/libraries/open-source-libraries/-/tree/main/packages/openssl",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "copyrightText": "",
  "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz', 'https://github.com/openssl/openssl/releases/download/openssl-3.1.3/openssl-3.1.3.tar.gz']",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "patch_file": "[{'patch_file': 'patches/3.1.1-fix-qcc-compilation.patch', 'base_path': ''}]"
}
```

When converted to gl-sbom-conan-conan.spdx.json, the downloadLocation and licenseConcluded got NOASSERTION instead of the actual value:

```json
{
  "SPDXID": "SPDXRef-Package-46-openssl",
  "name": "openssl",
  "versionInfo": "3.1.3",
  "primaryPackagePurpose": "LIBRARY",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": false,
  "checksums": [
    {
      "algorithm": "SHA256",
      "checkumValue": "f0316a2ebd89e7f2352976445458689f804755958788c466692fb2a188b2eacf6"
    }
  ],
  "licenseConcluded": "NOASSERTION",
  "licenseDeclared": "NOASSERTION",
  "copyrightText": "NOASSERTION",
  "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:conan/openssl@3.1.3"
    }
  ]
}
```

angelwn · Jan 16 '24 14:01
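A check that a consumer of the converted file can run to catch this kind of silent data loss before the SPDX document is trusted downstream, added here as an example and not part of lib4sbom or the issue: it indexes both documents by purl and reports every field that had a value in the CycloneDX input but came out as NOASSERTION (or empty) in the SPDX output. The two sample documents are constructed from the package in the report; the purl is assumed to be `pkg:conan/openssl@3.1.3`, and the input keeps the report's non-standard top-level `downloadLocation` key alongside the standard `externalReferences` form.

```python
import json

# Constructed samples, trimmed from the openssl package in the issue (assumption: the purl is
# rebuilt from name/version; the input keeps the report's non-standard "downloadLocation" key).
CDX_DOC = json.loads("""{"components": [{"name": "openssl", "version": "3.1.3",
 "purl": "pkg:conan/openssl@3.1.3", "licenses": [{"license": {"id": "Apache-2.0"}}],
 "downloadLocation": "['https://www.openssl.org/source/openssl-3.1.3.tar.gz']"}]}""")
SPDX_DOC = json.loads("""{"packages": [{"name": "openssl", "versionInfo": "3.1.3",
 "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
 "licenseDeclared": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl", "referenceLocator": "pkg:conan/openssl@3.1.3"}]}]}""")
UNSET = {"NOASSERTION", "NONE", "", None}  # SPDX values that carry no information

def cdx_index(doc):
    """Map purl -> license ids and download URLs a converter should carry over."""
    out = {}
    for comp in doc.get("components", []):
        lics = [l["license"].get("id") or l["license"].get("name")
                for l in comp.get("licenses", []) if "license" in l]
        # CycloneDX keeps download URLs in externalReferences of type "distribution";
        # the issue's input uses a non-standard top-level key instead, so accept both.
        urls = [r["url"] for r in comp.get("externalReferences", [])
                if r.get("type") == "distribution"]
        if comp.get("downloadLocation"):
            urls.append(comp["downloadLocation"])
        out[comp.get("purl")] = {"license": lics, "downloadLocation": urls}
    return out

def spdx_index(doc):
    """Map purl (from externalRefs) -> the SPDX fields the conversion should have filled."""
    out = {}
    for pkg in doc.get("packages", []):
        lic = next((pkg.get(k) for k in ("licenseConcluded", "licenseDeclared")
                    if pkg.get(k) not in UNSET), "NOASSERTION")
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out[ref["referenceLocator"]] = {"license": lic,
                                                "downloadLocation": pkg.get("downloadLocation")}
    return out

def lost_fields(cdx_doc, spdx_doc):
    """(purl, field, source_value) for data present in the CDX input but lost in the SPDX output."""
    findings, spdx = [], spdx_index(spdx_doc)
    for purl, fields in cdx_index(cdx_doc).items():
        target = spdx.get(purl)
        if target is None:
            findings.append((purl, "package", "missing from SPDX output"))
            continue
        for field, value in fields.items():
            if value and target.get(field) in UNSET:
                findings.append((purl, field, value))
    return findings
```

Running `lost_fields(CDX_DOC, SPDX_DOC)` on the constructed pair reports both the license and the download location as lost for the openssl package; an empty list means the conversion preserved everything the check looks at.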

@angelwn Can you provide the full SBOM to see the full context as some of the elements don't seem to be correct according to the CycloneDX specification?

anthonyharrison · Feb 09 '24 12:02