What you expected to happen:
I'm not sure what's the expected good answer here. When opening that Jar, there is no manifest to be scanned upon for Syft to get any additional metadata.
I suppose it would be either:
Not adding the jar as package as it does not give any factual information on any package
Failing the scan and notifying the user that the package does not have any metadata to be scanned?
Steps to reproduce the issue:
git clone https://github.com/google/tink.git
cd tink
syft .
edonadei changed the title from "Scanning a folder with a jar archive creates a SPDX package without versionInfo (Non-NTIA compliant)" to "Scanning a folder with a jar archive with no metadata creates a SPDX package without versionInfo (Non-NTIA compliant)" on Aug 17, 2023
Hi @edonadei, thanks for the report. We're discussing this problem and we've come up with a couple of possible behaviors in these kinds of cases:
error out and refuse to create an NTIA-non-compliant SPDX entirely
make a file record instead of a package record if we can't determine the package version
create a package record but populate the version field with a special string that indicates "we don't know", which the user would then need to resolve manually.
we could also implement an "NTIA mode" in Syft that would produce an SBOM with placeholder values for the unknown fields required by NTIA
I think we have enough information to move forward on this, so we'll put this in backlog, but we would be glad to hear your feedback on these ideas and discuss them.
What happened:
When trying to scan a folder that contains a jar, Syft is creating a package of that jar without versionInfo.
An example can be found here: https://github.com/google/tink/tree/master/java_src/examples/android/helloworld/gradle/wrapper
It will generate an entry like this:
Anything else we need to know?:
I used this checker to verify if the SBOM is compliant https://github.com/spdx/ntia-conformance-checker.
Environment:
syft version: v.0.87.1
OS (cat /etc/os-release or similar): Ubuntu
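As an added example (not Syft's code and not the spdx/ntia-conformance-checker), a small Python check over a constructed SPDX JSON document that flags packages missing the NTIA package-level minimum elements, treating a NOASSERTION placeholder as still unresolved so that a "we don't know" marker does not silently pass the check:

```python
import json

# NTIA minimum elements that live on each SPDX package record; versionInfo is
# the one the gradle-wrapper.jar package in this issue lacks.
REQUIRED_PACKAGE_FIELDS = ("name", "versionInfo", "supplier")

# Constructed sample shaped like a Syft SPDX JSON document (not real Syft
# output): one package with full metadata, one jar that had no manifest.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "name": "tink",
    "packages": [
        {"SPDXID": "SPDXRef-Package-java-archive-guava",
         "name": "guava", "versionInfo": "32.1.2-jre",
         "supplier": "Organization: Google"},
        {"SPDXID": "SPDXRef-Package-java-archive-gradle-wrapper",
         "name": "gradle-wrapper",
         "supplier": "NOASSERTION"},
    ],
}


def missing_ntia_fields(doc):
    """Return {SPDXID: [missing fields]} for packages failing the NTIA
    package-level minimum elements. A field counts as missing when it is
    absent, empty, or the NOASSERTION placeholder, since a placeholder
    still needs manual resolution before the SBOM is usable downstream."""
    findings = {}
    for pkg in doc.get("packages", []):
        missing = [f for f in REQUIRED_PACKAGE_FIELDS
                   if not pkg.get(f) or pkg[f] == "NOASSERTION"]
        if missing:
            findings[pkg.get("SPDXID", "<no SPDXID>")] = missing
    return findings


def check_file(path):
    """Run the same check over an SPDX JSON file on disk (e.g. syft -o spdx-json)."""
    with open(path) as fh:
        return missing_ntia_fields(json.load(fh))


if __name__ == "__main__":
    for spdxid, fields in missing_ntia_fields(SAMPLE_SPDX).items():
        print(f"{spdxid}: missing {', '.join(fields)}")
```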