devops-kung-fu/bomber

Always getting no packages detected from spdx files from yocto

Closed this issue · 3 comments

Hello,

I have a bunch of SPDX files from a Yocto project, but I always get "No packages were detected" back. What do I do wrong, or what is wrong with the files? Can anybody help me?

bomber scan --username user --token token recipe-libpng.spdx.json

██▄ ▄▀▄ █▄ ▄█ ██▄ ██▀ █▀▄
█▄█ ▀▄▀ █ ▀ █ █▄█ █▄▄ █▀▄

DKFM - DevOps Kung Fu Mafia
https://github.com/devops-kung-fu/bomber
Version: 0.4.0

■ No packages were detected. Nothing has been scanned.
m@NB-MKOHN:~/do/sbom$

recipe-libpng.spdx.json:
{"SPDXID": "SPDXRef-DOCUMENT", "creationInfo": {"comment": "This document was created by analyzing recipe files during the build.", "created": "2022-12-21T10:03:13Z", "creators": ["Tool: OpenEmbedded Core create-spdx.bbclass", "Organization: OpenEmbedded ()", "Person: N/A ()"], "licenseListVersion": "3.14"}, "dataLicense": "CC0-1.0", "documentNamespace": "http://spdx.org/spdxdoc/recipe-libpng-ac715238-4008-5aba-9058-bfd3da5e2dd6", "externalDocumentRefs": [{"checksum": {"algorithm": "SHA1", "checksumValue": "4de96b8bb49596c459ac4f03dac5125c93f6b541"}, "externalDocumentId": "DocumentRef-dependency-recipe-acl-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-acl-native-90ada574-0418-501d-ab9a-814f7f8cf160"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "f676cbdf475e857caf409629b50b7d0653b30fcf"}, "externalDocumentId": "DocumentRef-dependency-recipe-attr-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-attr-native-a4ca441b-3630-5ca7-a9d6-f08d4bc6cd5b"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "0b670e1bfcff9803caeb7eb31dea3703d96b755b"}, "externalDocumentId": "DocumentRef-dependency-recipe-autoconf-archive-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-autoconf-archive-native-fd00b327-70b9-5c20-8c90-9c0103cbc9f0"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "d55fd18a7db25f71cc66149af52ee1e92f605202"}, "externalDocumentId": "DocumentRef-dependency-recipe-autoconf-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-autoconf-native-124e4a29-7bee-575a-9a44-2226fa6af9c9"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "d6f3b9f42a11edea7bb9633febe4c6ee035f3283"}, "externalDocumentId": "DocumentRef-dependency-recipe-automake-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-automake-native-e3046935-37af-5c2e-b371-e883e5ef1216"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "f26abd544270adbf816bf7bef705726259b2bac6"}, "externalDocumentId": "DocumentRef-dependency-recipe-binutils-cross-x86_64", 
"spdxDocument": "http://spdx.org/spdxdoc/recipe-binutils-cross-x86_64-3a4495e3-75b8-5cb5-9117-beac4de54765"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "843593dcd3bdbe0ce56d1e09cb6756b93521f037"}, "externalDocumentId": "DocumentRef-dependency-recipe-bison-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-bison-native-d18e081d-4246-5067-9e41-c5ae29c9b9ff"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "bc471eb584259bcf1af767f95e4ad0992db5775e"}, "externalDocumentId": "DocumentRef-dependency-recipe-flex-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-flex-native-db3e6886-d8ff-51c5-9589-0e997748f089"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "ace319dda8fbcb29881f0b9fe111c87bd1280895"}, "externalDocumentId": "DocumentRef-dependency-recipe-gcc-cross-x86_64", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gcc-cross-x86_64-a54677b2-404d-5f88-948b-b1314035058d"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "5a90f4a5d75d1f243cf19e8e82297ec0e9d6b131"}, "externalDocumentId": "DocumentRef-dependency-recipe-gcc-runtime", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gcc-runtime-a8177036-816d-5f00-a030-969647302050"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "fae92659beebf3c124e7c8057f3bea5543575a93"}, "externalDocumentId": "DocumentRef-dependency-recipe-gettext-minimal-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gettext-minimal-native-d0a27f93-c2cb-5d69-ab6b-b5b2d7da1769"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "ef446ae66d9e1e9d2e5a535ab9f70cae3173cf2c"}, "externalDocumentId": "DocumentRef-dependency-recipe-glibc", "spdxDocument": "http://spdx.org/spdxdoc/recipe-glibc-8ec5f1d4-204b-530d-8854-79bbb314d6d7"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "fc770c6a55b022968617175ba26c55bbd3c8266d"}, "externalDocumentId": "DocumentRef-dependency-recipe-gmp-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gmp-native-008a73c2-0509-5b24-a32c-a84f417c6f76"}, {"checksum": 
{"algorithm": "SHA1", "checksumValue": "16f52594f92ec1ca0348adc07b2ca89205b18e50"}, "externalDocumentId": "DocumentRef-dependency-recipe-gnu-config-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gnu-config-native-7f998b5b-4a9f-5868-bb80-1279a9b986ff"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "e4f2b1a4e4a1eb9ea7f6ff400fc9c7675fb26e67"}, "externalDocumentId": "DocumentRef-dependency-recipe-gperf-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-gperf-native-8ff83514-7088-5153-b0e5-1d27897382c3"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "c704316a5774204da6b0e6d4c2bdb7cef6071cb3"}, "externalDocumentId": "DocumentRef-dependency-recipe-libgcc", "spdxDocument": "http://spdx.org/spdxdoc/recipe-libgcc-df9557c5-65f1-57eb-9bd9-76620c52cf82"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "67edcf4c0b4d30c02462f92f191cdd69f521fcfb"}, "externalDocumentId": "DocumentRef-dependency-recipe-libgcc-initial", "spdxDocument": "http://spdx.org/spdxdoc/recipe-libgcc-initial-a4724a6f-7615-5e3e-b3b1-e881263363b2"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "6a091f3d92117cf3ea27c829f3932b6767c54dda"}, "externalDocumentId": "DocumentRef-dependency-recipe-libmpc-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-libmpc-native-106a5827-b85a-571e-9b61-3567ebe410d9"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "79c649120ccc2a9e8e6f539bb785cf5e892cc73b"}, "externalDocumentId": "DocumentRef-dependency-recipe-libtool-cross", "spdxDocument": "http://spdx.org/spdxdoc/recipe-libtool-cross-07500b21-b619-56d3-838e-16ca401a612f"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "80723319c564031c626c660a4b251ab0ddab8676"}, "externalDocumentId": "DocumentRef-dependency-recipe-libtool-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-libtool-native-af5e5210-5bed-5317-878d-15206849f191"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "0ae94e959f5286c54f57549035b4a7b4d259380a"}, "externalDocumentId": 
"DocumentRef-dependency-recipe-linux-libc-headers", "spdxDocument": "http://spdx.org/spdxdoc/recipe-linux-libc-headers-2ed63bda-d297-58f5-be96-fcf57476d8ed"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "61bdedef0055ee5f88799348ac83d5fac2fc516e"}, "externalDocumentId": "DocumentRef-dependency-recipe-m4-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-m4-native-5679b535-f65a-57b6-8760-ded5f4d5578c"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "31b294c6f15fb9111f28f2ab2401a4ccc434c2b0"}, "externalDocumentId": "DocumentRef-dependency-recipe-make-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-make-native-df9bc34d-be65-55f4-94e1-8830884fb2fe"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "2dc464b3a10078e16c0c5a655ef9b0295210f85c"}, "externalDocumentId": "DocumentRef-dependency-recipe-mpfr-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-mpfr-native-63ad704f-f019-5db3-9fd1-ef154f972c7e"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "20f00c573a260c3b3dd69c3af11af9ecc4d98c54"}, "externalDocumentId": "DocumentRef-dependency-recipe-pkgconfig-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-pkgconfig-native-f02bc6f9-93d3-5de4-bfc1-f49135872105"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "d114b24c79f67c5f6601de04ddc60f1f941db366"}, "externalDocumentId": "DocumentRef-dependency-recipe-popt-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-popt-native-d6bc9bd3-f84d-5754-9a47-bd7439938a9e"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "5b6dfddec687e4f60681db2b5cfac49c371620cc"}, "externalDocumentId": "DocumentRef-dependency-recipe-rsync-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-rsync-native-639100c3-b666-5884-a1a8-68c8cec5272b"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "cf8432fb906de590560be907d79730839c6d95b6"}, "externalDocumentId": "DocumentRef-dependency-recipe-systemd-systemctl-native", "spdxDocument": 
"http://spdx.org/spdxdoc/recipe-systemd-systemctl-native-2f3d50ae-528c-5654-b3e7-3b2e2de42e45"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "952537c3c4437f9e61dcc2cae547400717cccc2d"}, "externalDocumentId": "DocumentRef-dependency-recipe-texinfo-dummy-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-texinfo-dummy-native-cb9012ff-d8d8-5775-98c1-f58ed5fb9573"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "67ea10f12ccb8e89ce08fb769ceca4ea84d538be"}, "externalDocumentId": "DocumentRef-dependency-recipe-unifdef-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-unifdef-native-33f1ca41-dd34-528b-adf6-32040e8883b4"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "9f6a12384dede3f86a9727aa3895a459511d4d2a"}, "externalDocumentId": "DocumentRef-dependency-recipe-zlib", "spdxDocument": "http://spdx.org/spdxdoc/recipe-zlib-5b14b6f4-7132-524f-8cee-cdebd6df7ce5"}, {"checksum": {"algorithm": "SHA1", "checksumValue": "46692e8294d4dfddd59da2ad455a389d44bf1630"}, "externalDocumentId": "DocumentRef-dependency-recipe-zlib-native", "spdxDocument": "http://spdx.org/spdxdoc/recipe-zlib-native-1fc15e1f-ff2b-539e-861e-33e08efd56d2"}], "name": "recipe-libpng", "packages": [{"SPDXID": "SPDXRef-Recipe-libpng", "copyrightText": "NOASSERTION", "description": "An open source project to develop and maintain the reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. 
", "downloadLocation": "https://downloads.sourceforge.net/libpng/libpng16/libpng-1.6.37.tar.xz", "externalRefs": [{"referenceCategory": "SECURITY", "referenceLocator": "cpe:2.3:a:*:libpng:1.6.37:*:*:*:*:*:*:*", "referenceType": "http://spdx.org/rdf/references/cpe23Type"}], "homepage": "http://www.libpng.org/", "licenseConcluded": "NOASSERTION", "licenseDeclared": "Libpng", "licenseInfoFromFiles": ["NOASSERTION"], "name": "libpng", "packageSupplier": "Organization: OpenEmbedded ()", "summary": "PNG image format decoding library", "versionInfo": "1.6.37"}], "relationships": [{"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-acl-native:SPDXRef-Recipe-acl-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-attr-native:SPDXRef-Recipe-attr-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-autoconf-archive-native:SPDXRef-Recipe-autoconf-archive-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-autoconf-native:SPDXRef-Recipe-autoconf-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-automake-native:SPDXRef-Recipe-automake-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-binutils-cross-x86_64:SPDXRef-Recipe-binutils-cross-x86_64"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": 
"DocumentRef-dependency-recipe-bison-native:SPDXRef-Recipe-bison-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-flex-native:SPDXRef-Recipe-flex-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gcc-cross-x86_64:SPDXRef-Recipe-gcc-cross-x86_64"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gcc-runtime:SPDXRef-Recipe-gcc-runtime"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gettext-minimal-native:SPDXRef-Recipe-gettext-minimal-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-glibc:SPDXRef-Recipe-glibc"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gmp-native:SPDXRef-Recipe-gmp-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gnu-config-native:SPDXRef-Recipe-gnu-config-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gperf-native:SPDXRef-Recipe-gperf-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-libgcc:SPDXRef-Recipe-libgcc"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-libgcc-initial:SPDXRef-Recipe-libgcc-initial"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": 
"BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-libmpc-native:SPDXRef-Recipe-libmpc-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-libtool-cross:SPDXRef-Recipe-libtool-cross"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-libtool-native:SPDXRef-Recipe-libtool-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-linux-libc-headers:SPDXRef-Recipe-linux-libc-headers"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-m4-native:SPDXRef-Recipe-m4-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-make-native:SPDXRef-Recipe-make-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-mpfr-native:SPDXRef-Recipe-mpfr-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-pkgconfig-native:SPDXRef-Recipe-pkgconfig-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-popt-native:SPDXRef-Recipe-popt-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-rsync-native:SPDXRef-Recipe-rsync-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-systemd-systemctl-native:SPDXRef-Recipe-systemd-systemctl-native"}, 
{"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-texinfo-dummy-native:SPDXRef-Recipe-texinfo-dummy-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-unifdef-native:SPDXRef-Recipe-unifdef-native"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-zlib:SPDXRef-Recipe-zlib"}, {"relatedSpdxElement": "SPDXRef-Recipe-libpng", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-zlib-native:SPDXRef-Recipe-zlib-native"}], "spdxVersion": "SPDX-2.2"}

We'll take a look!

@pmkohn bomber uses PURLs for lookups; this SBOM file only contains CPEs. The format of the external-url block, which contains the CPE, also does not match the spec, e.g. referenceType should not be a URL but the string cpe23Type.

There are a couple of tools which can be used to judge the quality of an SBOM.

These should help you get a good idea of the quality of the data you are dealing with. The higher the score, the better SBOM consumption tooling would work.

Output of SBOMQS (screenshot not reproduced)
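The comment above makes two points a practitioner will want to check on their own SBOMs before blaming the scanner: whether each package carries a PURL at all (a CPE alone gives a PURL-driven tool nothing to look up), and whether the `referenceType` values are the bare spec tokens rather than URLs. The script below is an added example, not part of bomber or of the Yocto `create-spdx` class; it embeds a constructed, cut-down SPDX 2.2 document modelled on the libpng file in the issue, plus a hypothetical second package (zlib 1.2.13 with a `pkg:generic` purl) so that a passing and a failing package sit side by side. The `normalize_reference_type` helper, the `SPEC_TYPES` table and the finding strings are this example's own.

```python
import json
import re
from typing import Dict, List

# Constructed sample: a minimal SPDX 2.2 JSON document in the shape of the
# Yocto create-spdx output from the issue (libpng with a CPE-only external ref
# whose referenceType is a URL), plus a second, hypothetical package that
# carries a well-formed purl so the two cases can be compared.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "recipe-libpng",
    "packages": [
        {
            "SPDXID": "SPDXRef-Recipe-libpng",
            "name": "libpng",
            "versionInfo": "1.6.37",
            "externalRefs": [{
                "referenceCategory": "SECURITY",
                "referenceType": "http://spdx.org/rdf/references/cpe23Type",
                "referenceLocator": "cpe:2.3:a:*:libpng:1.6.37:*:*:*:*:*:*:*",
            }],
        },
        {
            "SPDXID": "SPDXRef-Package-zlib-example",   # constructed package
            "name": "zlib",
            "versionInfo": "1.2.13",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:generic/zlib@1.2.13",
            }],
        },
    ],
})

# referenceType tokens SPDX 2.2 defines for the two categories that matter to
# vulnerability lookups (the spec's external repository identifier list).
SPEC_TYPES = {
    "SECURITY": {"cpe22Type", "cpe23Type"},
    "PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
}
_URL_PREFIX = re.compile(r"^https?://")


def normalize_reference_type(ref_type: str) -> str:
    """Map a URL-style referenceType (http://spdx.org/rdf/references/cpe23Type)
    back to the bare spec token ('cpe23Type'); bare tokens pass through."""
    if _URL_PREFIX.match(ref_type):
        return ref_type.rstrip("/").rsplit("/", 1)[-1]
    return ref_type


def audit_sbom(sbom_json: str) -> Dict[str, List[str]]:
    """Return, per package SPDXID, the problems that would leave a PURL-driven
    scanner with nothing to look up. An empty list means the package is usable."""
    doc = json.loads(sbom_json)
    findings: Dict[str, List[str]] = {}
    for pkg in doc.get("packages", []):
        problems: List[str] = []
        has_purl = False
        for ref in pkg.get("externalRefs", []):
            cat = ref.get("referenceCategory", "")
            raw_type = ref.get("referenceType", "")
            bare = normalize_reference_type(raw_type)
            if raw_type != bare:
                problems.append(f"referenceType is a URL, spec expects '{bare}'")
            if cat in SPEC_TYPES and bare not in SPEC_TYPES[cat]:
                problems.append(f"unknown referenceType '{bare}' for category {cat}")
            if bare == "purl" and ref.get("referenceLocator", "").startswith("pkg:"):
                has_purl = True
        if not has_purl:
            problems.append("no purl external ref (a CPE alone is not enough for PURL lookups)")
        findings[pkg["SPDXID"]] = problems
    return findings


def count_scannable(findings: Dict[str, List[str]]) -> int:
    """Number of packages with no findings, i.e. the ones a PURL scanner can use."""
    return sum(1 for problems in findings.values() if not problems)


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SBOM)
    for spdxid, problems in report.items():
        print(f"{spdxid}: {'ok' if not problems else '; '.join(problems)}")
    print(f"{count_scannable(report)} of {len(report)} packages carry a usable purl")
```

Run against the real `recipe-libpng.spdx.json` by replacing `SAMPLE_SBOM` with the file contents: every package in that document reports a URL-style `referenceType` and a missing purl, which is exactly the combination that produces "No packages were detected". Note that the script only diagnoses; turning a CPE into a purl is not a mechanical rewrite, because the CPE vendor field here is `*` and the purl type (generic, deb, rpm, ...) depends on how the package is actually distributed.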

@riteshnoronha Thank you for your reply! I love the quality tools that you shared in your reply. They are EXTREMELY helpful and will assist as we develop bomber.