Surendra Pathak
### Describe the bug While applying [quality checks](https://github.com/interlynk-io/sbomqs) on SBOMs, I found flagger's released spdx fails to adhere to the SPDX2.3 spec. It requires the File attribute to have at least...
The [2.3 spec for File Information](https://spdx.github.io/spdx-spec/v2.3/file-information/) clearly asks for the following format: ``` A relative filename with the root of the package archive or directory. In general, every filename is preceded...
NTIA has debated categorizing tooling along the lines of Produce / Consume / Transform: https://ntia.gov/sites/default/files/publications/ntia_sbom_tooling_taxonomy-2021mar30_0.pdf I am happy to put together changes to the awesomeSBOM based on that categorization...
PURL - `'pkg:maven/org.apache.commons:[email protected]'` passes as valid: ``` > p.PackageURL.fromString('pkg:maven/org.apache.commons:[email protected]') PackageURL { type: 'maven', name: 'org.apache.commons:io', namespace: null, version: '1.3.4', qualifiers: null, subpath: null } ``` However, it shouldn't be, because the namespace...
### Current Behavior If a CVE affects multiple components in the SBOM, the exploitability status is updated only for one of those components. Exporting the status as VEX and importing...
The attached file fails to parse with the following error message (please remove .txt before processing) ``` Error: received unknown tag ExternalDocumentRef in CreationInfo section ``` ExternalDocumentRef is a valid...
The attached file fails to parse with the following error message (please remove .txt before processing) `Error: error processing file` This is likely due to its CRLF line endings. After...
**Name of the app** fatbom **Describe the bug** The merged SBOM built with the project is invalid. **To Reproduce** While applying [quality checks](https://github.com/interlynk-io/sbomqs) on SBOMs, I found the merged spdx...
When `--reportFormat` is JSON, we must ensure: 1. Output is valid JSON. 2. Score is set to 0 if there are any internal or processing errors. 3. An error...
For the SBOM here - https://sbomlc.s3.amazonaws.com/sbom4python-0.8.0_paramiko-3.1.0.cdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=yAQj8D2ZcNKMLSe242nV3QF8X3g%3D&Expires=1711592185 ``` sbomgr packages -EP 'pypi/cryptography' -O 'filen,docn,docv,pkgn,pkgv' sbomlc/sbom4python-0.8.0_paramiko-3.1.0.cdx.json sbomlc/sbom4python-0.8.0_paramiko-3.1.0.cdx.json Python-paramiko cryptography 40.0.1 ``` `docv` results in a blank. This is because the metadata:component is...