I want to convert a SPDX SBOM to CycloneDX. The SBOM I want to convert is from the Google Distroless project, and one can get it via
When converting the SBOM using ...
... I get a CycloneDX SBOM, BUT some components do NOT have a purl although there is a purl in the properties.
Example:
This tzdata SBOM component ...
{
  "name": "tzdata",
  "SPDXID": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64",
  "versionInfo": "2025b-0+deb12u1",
  "supplier": "Person: GNU Libc Maintainers \\\\[email protected]\\\\u003e",
  "downloadLocation": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0+deb12u1_all.deb",
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "homepage": "https://www.iana.org/time-zones",
  "copyrightText": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to [email protected]\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "summary": "time zone and daylight-saving time data",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"
    }
  ]
},
... gets converted to ...
{
  "type": "library",
  "name": "tzdata",
  "version": "2025b-0\u002Bdeb12u1",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "licenses": [
    {}
  ],
  "copyright": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to [email protected]\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "externalReferences": [
    {
      "url": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb",
      "type": "distribution"
    },
    {
      "url": "https://www.iana.org/time-zones",
      "type": "website"
    }
  ],
  "properties": [
    {
      "name": "spdx:spdxid",
      "value": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64"
    },
    {
      "name": "spdx:package:summary",
      "value": "time zone and daylight-saving time data"
    },
    {
      "name": "spdx:external-reference:package-manager:purl",
      "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"
    },
    {
      "name": "spdx:download-location",
      "value": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb"
    },
    {
      "name": "spdx:homepage",
      "value": "https://www.iana.org/time-zones"
    }
  ]
}
As stated above, the new CDX component does NOT have a purl, but in properties there is spdx:external-reference:package-manager:purl which, as far as I understand, could be used.
Am I doing something wrong here?
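A post-processing step an SBOM consumer could run over the converted CycloneDX document, added here as an example that is not part of this issue or of the converter's code: it promotes the spdx:external-reference:package-manager:purl property to the component's top-level purl field when that field is missing, so downstream vulnerability matching keys on the purl, and it reports components that still end up without one. The property name and component shape come from the JSON above; the purl shape check and the sample BOM are constructed assumptions.

```python
import json
import re

# Property name the converter emitted, taken from the issue's CycloneDX output.
PURL_PROPERTY = "spdx:external-reference:package-manager:purl"

# Light shape check (an assumption, not the full purl spec):
# pkg:<type>/<name>[@version][?qualifiers][#subpath]
_PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(@[^?#\s]+)?(\?[^#\s]*)?(#\S*)?$")


def looks_like_purl(value: str) -> bool:
    return bool(_PURL_RE.match(value))


def promote_purls(bom: dict) -> dict:
    # Mutates `bom` in place; returns which components were promoted, kept or left without a purl.
    summary = {"promoted": [], "kept": [], "missing": []}
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        if comp.get("purl"):
            summary["kept"].append(name)
            continue
        candidates = [p.get("value", "") for p in comp.get("properties", [])
                      if p.get("name") == PURL_PROPERTY]
        good = [c for c in candidates if looks_like_purl(c)]
        if good:
            comp["purl"] = good[0]  # first well-formed value wins
            summary["promoted"].append(name)
        else:
            summary["missing"].append(name)
    return summary


# Constructed sample in the shape of the converter output quoted above; the
# \u002B escape is how the converter wrote "+", and json.loads turns it back.
SAMPLE_BOM = json.loads(r'''{
  "components": [
    {"type": "library", "name": "tzdata", "version": "2025b-0\u002Bdeb12u1",
     "properties": [
       {"name": "spdx:spdxid", "value": "SPDXRef-example"},
       {"name": "spdx:external-reference:package-manager:purl",
        "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"}
     ]},
    {"type": "library", "name": "no-purl", "version": "1.0", "properties": []}
  ]
}''')

if __name__ == "__main__":
    print(json.dumps(promote_purls(SAMPLE_BOM), indent=2))
```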