Invalid SPDX published for fatbom project
surendrapathak opened this issue · 2 comments
surendrapathak commented
Name of the app
fatbom
Describe the bug
The merged sbom built with the project is invalid.
To Reproduce
While applying quality checks on SBOMs, I found the merged SPDX to be invalid.
A quick check against spdx validator shows:
- empty DocumentNamespace
- No Created date
Expected behavior
Published sbom should be a valid SPDX document
Additional context
SBOM: https://github.com/sbs2001/fatbom/releases/download/v0.0.1/semi_merged_bom.json
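A minimal version of the two checks the report calls out (empty DocumentNamespace, missing Created date) plus the other SPDX 2.x required document fields, as an added example that is not code from fatbom or sbomqs; the two sample documents below are constructed, and the key names follow the SPDX 2.x JSON schema:

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Top-level keys an SPDX 2.x JSON document must carry (SPDX 2.3 spec, document creation information).
REQUIRED_TOP_LEVEL = ("spdxVersion", "dataLicense", "SPDXID", "name", "documentNamespace", "creationInfo")
# The spec fixes the "created" timestamp to YYYY-MM-DDThh:mm:ssZ (UTC, no fractional seconds).
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")


def check_spdx_document(doc: dict) -> list:
    """Return a list of findings for an SPDX 2.x JSON document; an empty list means it passed."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in doc:
            findings.append(f"missing required field: {key}")
    # documentNamespace must be a non-empty absolute URI that uniquely identifies this document.
    ns = doc.get("documentNamespace")
    if "documentNamespace" in doc:
        if not (isinstance(ns, str) and ns.strip()):
            findings.append("documentNamespace is empty")
        elif not (urlparse(ns).scheme and urlparse(ns).netloc) or "#" in ns:
            findings.append("documentNamespace is not an absolute URI without '#'")
    # creationInfo.created is mandatory and must parse as a real UTC timestamp.
    info = doc.get("creationInfo") or {}
    created = info.get("created")
    if not created:
        findings.append("creationInfo.created is missing")
    elif not CREATED_RE.match(created):
        findings.append(f"creationInfo.created has wrong format: {created!r}")
    else:
        try:
            datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            findings.append(f"creationInfo.created is not a valid date: {created!r}")
    if not info.get("creators"):
        findings.append("creationInfo.creators is missing or empty")
    return findings


# Constructed sample mirroring the defects reported above: empty namespace, no created date.
BROKEN_SBOM = {
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "semi_merged_bom", "documentNamespace": "",
    "creationInfo": {"creators": ["Tool: example-merger"]},
}
# Constructed sample with both fields filled in the way the spec requires.
FIXED_SBOM = dict(BROKEN_SBOM, documentNamespace="https://example.invalid/spdxdocs/semi_merged_bom-0001",
                  creationInfo={"created": "2023-01-01T12:00:00Z", "creators": ["Tool: example-merger"]})

if __name__ == "__main__":
    for label, sbom in (("broken", BROKEN_SBOM), ("fixed", FIXED_SBOM)):
        print(label, check_spdx_document(sbom) or "OK")
```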
sbs2001 commented
@surendrapathak thanks! Didn't know about the tool, great work there. I'll fix the error in the next release.
surendrapathak commented
Wow - thanks for the quick update :) Feel free to star sbomqs - we have a lot of work to do to get the quality of SBOMs up. We are tracking them all here: interlynk-io/sbomqs#39