
Invalid SPDX generated with the release

Open surendrapathak opened this issue 2 years ago • 2 comments

Describe the bug

While applying quality checks on SBOMs, I found flagger's released spdx fails to adhere to the SPDX 2.3 spec. It requires the File attribute to have at least one SHA1, which syft fails to generate.

The following issue has been filed at syft: https://github.com/anchore/syft/issues/1616. This is an FYI for flagger.

To Reproduce

N/A

Expected behavior

A valid SPDX.

Additional context

  • Flagger version:
  • Kubernetes version:
  • Service Mesh provider:
  • Ingress provider:

surendrapathak avatar Feb 24 '23 08:02 surendrapathak
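The check the report describes, written out as an added example (not code from flagger, flux, syft or sbomqs): it walks the `files` array of an SPDX 2.3 JSON document, flags every File that has no well-formed SHA1 checksum, and shows how such a document can be repaired by computing the missing digest from the file contents. The sample document, the file names and the contents are constructed for the example; `fill_missing_sha1` takes a caller-supplied `read_bytes` function so the caller decides how a `fileName` is resolved (source tree, unpacked image layer).

```python
"""Validate the SHA1 requirement SPDX 2.3 places on File entries.

Added example; not code from flagger, flux, syft or sbomqs. The sample
document at the bottom is constructed to resemble syft's SPDX JSON layout.
"""
import hashlib
import json
import re
from typing import Callable

# SPDX 2.3 makes SHA1 the one mandatory checksum on every File (section 8.4,
# "File checksum field"); other algorithms may be listed in addition, but
# none of them can replace it.
REQUIRED_ALGORITHM = "SHA1"
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def file_checksum_violations(doc: dict) -> list[str]:
    """Return one message per File that lacks a well-formed SHA1 checksum."""
    problems = []
    for entry in doc.get("files", []):
        ident = entry.get("SPDXID") or entry.get("fileName", "<unnamed file>")
        sha1s = [c for c in entry.get("checksums", [])
                 if c.get("algorithm") == REQUIRED_ALGORITHM]
        if not sha1s:
            problems.append(f"{ident}: no {REQUIRED_ALGORITHM} checksum")
            continue
        for c in sha1s:
            value = str(c.get("checksumValue", ""))
            if not SHA1_HEX.match(value):
                problems.append(f"{ident}: malformed SHA1 value {value!r}")
    return problems


def fill_missing_sha1(doc: dict, read_bytes: Callable[[str], bytes]) -> dict:
    """Return a copy of doc in which every File without a SHA1 gets one
    computed from its contents. read_bytes maps an SPDX fileName to the
    file's bytes, so path resolution stays with the caller."""
    fixed = json.loads(json.dumps(doc))  # deep copy; the input is left untouched
    for entry in fixed.get("files", []):
        checksums = entry.setdefault("checksums", [])
        if any(c.get("algorithm") == REQUIRED_ALGORITHM for c in checksums):
            continue
        digest = hashlib.sha1(read_bytes(entry["fileName"])).hexdigest()
        checksums.append({"algorithm": REQUIRED_ALGORITHM, "checksumValue": digest})
    return fixed


# Constructed sample: two Files, the second lacking SHA1 as the report describes.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "constructed-sample",
    "files": [
        {
            "fileName": "/usr/bin/example",
            "SPDXID": "SPDXRef-File-example",
            "checksums": [
                {"algorithm": "SHA1",
                 "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
                {"algorithm": "SHA256",
                 "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            ],
        },
        {
            "fileName": "/etc/example.conf",
            "SPDXID": "SPDXRef-File-example-conf",
            # Only SHA256 present: valid JSON, but not a valid SPDX 2.3 File.
            "checksums": [
                {"algorithm": "SHA256",
                 "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
            ],
        },
    ],
}

# Constructed file contents so the repair step runs without touching disk.
SAMPLE_CONTENTS = {"/usr/bin/example": b"", "/etc/example.conf": b"hello\n"}


if __name__ == "__main__":
    for line in file_checksum_violations(SAMPLE_SPDX):
        print("violation:", line)
    repaired = fill_missing_sha1(SAMPLE_SPDX, SAMPLE_CONTENTS.__getitem__)
    print("after repair:", file_checksum_violations(repaired) or "no violations")
```

Running the block against a real syft-generated document is a matter of `json.load`-ing the file and passing the result to `file_checksum_violations`; a non-empty list is exactly the spec violation the quality check in the report flagged. The repair path is only meaningful where the file contents are still available, which is why it is separated from the check rather than silently applied.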

This also affects https://github.com/fluxcd/flux2

Thanks for the report @surendrapathak

stefanprodan avatar Feb 24 '23 10:02 stefanprodan

I noticed this repeated at:

  • https://github.com/fluxcd/helm-controller/
  • https://github.com/fluxcd/image-automation-controller/
  • https://github.com/fluxcd/image-reflector-controller/
  • https://github.com/fluxcd/source-controller/
  • https://github.com/fluxcd/notification-controller/
  • https://github.com/fluxcd/flux2/
  • https://github.com/fluxcd/flagger/

All with the same root issue of checksums. So, one sweep at syft fixes all of them. At Interlynk, we monitor similar issues here - https://github.com/interlynk-io/sbomqs/discussions/39 to help improve the ecosystem.

surendrapathak avatar Feb 24 '23 19:02 surendrapathak