
sbom: fixup merging LicensingInfos during Image SBOM generation

Open xnox opened this issue 1 year ago • 0 comments

This fixes https://github.com/chainguard-dev/apko/pull/1127

With package SBOMs now containing custom license information (i.e. font-ubuntu), teach the Image SBOM generator to merge those.

Error out if two packages use the same licence-ref but with different extracted license text, as that would be an invalid SBOM merge. This feels nicer than force renaming licenseIDs with multiple duplicate texts.

Tested by generating an apko image with just the font-ubuntu package, and verifying that with this change the image SBOM now passes checkers.

This should fix:

Unrecognized license reference: LicenseRef-ubuntu-font. license_expression must only use IDs from the license list or extracted licensing info, but is: LicenseRef-ubuntu-font

Error from the docker-selenium spdx json

xnox, May 20 '24 15:05
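The merge rule from the description above, as an added Go example that is not apko's own code: per-package `hasExtractedLicensingInfos` entries are merged into one set keyed by LicenseRef, an identical duplicate collapses, the same ID with different text is refused, and a second check reports any `LicenseRef-*` used in a license expression that the merged set never declares (the condition behind the checker error quoted above). Type and function names are hypothetical, and the sample data in the test is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ExtractedLicensingInfo mirrors one SPDX hasExtractedLicensingInfos entry:
// a LicenseRef-* identifier plus the license text it stands for.
type ExtractedLicensingInfo struct {
	LicenseID     string // e.g. "LicenseRef-ubuntu-font"
	ExtractedText string
}

// ErrConflictingLicenseText: same LicenseRef declared with different text.
var ErrConflictingLicenseText = errors.New("conflicting extracted license text")

// MergeLicensingInfos merges per-package extracted licensing infos into the
// image SBOM's set, keyed by LicenseRef. Exact duplicates collapse; the same
// ID with different text is refused, since that merge would be invalid.
func MergeLicensingInfos(pkgInfos ...[]ExtractedLicensingInfo) (map[string]string, error) {
	merged := map[string]string{}
	for _, infos := range pkgInfos {
		for _, li := range infos {
			if prev, ok := merged[li.LicenseID]; ok && prev != li.ExtractedText {
				return nil, fmt.Errorf("%w: %s", ErrConflictingLicenseText, li.LicenseID)
			}
			merged[li.LicenseID] = li.ExtractedText
		}
	}
	return merged, nil
}

var licenseRefRe = regexp.MustCompile(`LicenseRef-[A-Za-z0-9.-]+`)

// UnresolvedLicenseRefs lists every LicenseRef-* used in the package license
// expressions that the merged set does not declare; a non-empty result is the
// condition behind the checker's "Unrecognized license reference" error.
func UnresolvedLicenseRefs(expressions []string, merged map[string]string) []string {
	var missing []string
	for _, expr := range expressions {
		for _, ref := range licenseRefRe.FindAllString(expr, -1) {
			if _, ok := merged[ref]; !ok {
				missing = append(missing, ref)
			}
		}
	}
	return missing
}
```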