Surendra Pathak
Also, to compare the problematic/good sbom, you can try:
1. Problem ones: https://github.com/shamblett/cbor/releases/tag/5.1.2 (part of zip)
2. Good ones for centos:latest built with syft 0.73.0: https://sbomlc.s3.amazonaws.com/syft-0.73.0_centos-latest.spdx.tv?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=kvkkSvDCo%2FXt6XiO4nwlDnNCyl0%3D&Expires=1709195015
I noticed this repeated at:
- https://github.com/fluxcd/helm-controller/
- https://github.com/fluxcd/image-automation-controller/
- https://github.com/fluxcd/image-reflector-controller/
- https://github.com/fluxcd/source-controller/
- https://github.com/fluxcd/notification-controller/
- https://github.com/fluxcd/flux2/
- https://github.com/fluxcd/flagger/

All with the same root issue of checksums. So, one...
Perfect. That's what I was guessing as well. Thanks for confirming @goneall !
Hi @jdalton - The concern is that PURL such as: `pkg:maven/org.apache.commons:[email protected]` should be marked [invalid](https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst) for violating the namespace rule: However, because packageurl-js parses these successfully, they show up in...
Thanks for the note @jdalton. I am getting these:

```js
PackageURL {
  type: 'maven',
  name: 'org.apache.commons:io',
  namespace: null,
  version: '1.3.4',
  qualifiers: null,
  subpath: null
}
```

and

```js
PackageURL {...
```
Thanks! 🥇 2.0.0 correctly flags the one without the name and matches the spec! I appreciate the change around it.
@kzantow Thanks for checking it out. Here is what I think is going on: 1. [parsePair](https://github.com/spdx/tools-golang/blob/908a516e6053c15f14c831121c9f2894fc65e1b5/spdx/v2/v2_2/tagvalue/reader/parser.go#L34) is responsible for running parser with implicit assumption that state of the parser (`parser.st`)...
Wow - thanks for the quick update :) Feel free to star sbomqs - we have a lot of work to do to get the quality of sbom go up. We...
I recommend a new 'validate' command for ensuring adherence to the spec. The command validates the basic structure and then the rules set up above.
Duplicates #93