devops-kung-fu/bomber

bomber published SBOM is incorrectly labeled and has suspicious product name

Closed this issue · 1 comment

While scanning the bomber-published SBOM with sbomqs, the SBOM is labeled incorrectly.

The file is named bomber.cyclonedx.json, but the internal format is SPDX:

 "spdxVersion": "SPDX-2.3",
 "dataLicense": "CC0-1.0",
 "SPDXID": "SPDXRef-DOCUMENT",
 "name": ".",
 "documentNamespace": "https://anchore.com/syft/dir/0b73ec93-a9c2-4e45-9744-f477143f9788",
 "creationInfo": {
  "licenseListVersion": "3.19",
  "creators": [
   "Organization: Anchore, Inc",
   "Tool: syft-0.68.1"
  ],
  "created": "2023-02-24T19:14:03Z"
 },

Also, the name is "." which doesn't break the spec but definitely does not help utilize the SBOM effectively.

I suspect something got missed in this PR: #89
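The mislabeling above is easy to catch mechanically: SPDX JSON documents carry `spdxVersion` and a top-level `SPDXID` of `SPDXRef-DOCUMENT`, while CycloneDX JSON documents carry `bomFormat: "CycloneDX"` and `specVersion`. The following is an added example (not code from the bomber project or from sbomqs) that sniffs the format from the body, compares it with what the filename claims, and flags an unhelpful document name such as `.`. The two sample documents are constructed for the example; the `documentNamespace` value in them is a placeholder, not the real release artifact.

```python
import json
import os
import sys

# Constructed samples (not the real release artifact): an SPDX body shaped like
# the one pasted in the issue, and a minimal CycloneDX body for comparison.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": ".",
    "documentNamespace": "https://example.invalid/syft/dir/placeholder",
    "creationInfo": {
        "creators": ["Tool: syft-0.68.1"],
        "created": "2023-02-24T19:14:03Z",
    },
})
CDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"name": "bomber", "version": "0.4.0", "type": "application"}},
})


def detect_format(text):
    """Return 'spdx', 'cyclonedx' or 'unknown' based on the JSON body, never the filename."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    if "spdxVersion" in doc and doc.get("SPDXID") == "SPDXRef-DOCUMENT":
        return "spdx"
    return "unknown"


def expected_format(filename):
    """Guess which format the filename claims: bomber.cyclonedx.json -> 'cyclonedx'."""
    lower = os.path.basename(filename).lower()
    if ".cyclonedx." in lower or lower.endswith(".cdx.json"):
        return "cyclonedx"
    if ".spdx." in lower or lower.endswith(".spdx"):
        return "spdx"
    return "unknown"


def document_name(text, fmt):
    """Pull the product/document name from wherever the detected format keeps it."""
    doc = json.loads(text)
    if fmt == "spdx":
        return doc.get("name")
    if fmt == "cyclonedx":
        return doc.get("metadata", {}).get("component", {}).get("name")
    return None


def check_sbom(filename, text):
    """Return a list of findings; an empty list means the file passes these checks."""
    findings = []
    actual = detect_format(text)
    claimed = expected_format(filename)
    if actual == "unknown":
        findings.append("body is not a recognizable SPDX or CycloneDX JSON document")
        return findings
    if claimed != "unknown" and claimed != actual:
        findings.append(f"filename claims {claimed} but body is {actual}")
    name = document_name(text, actual)
    # A name of "." (the scanned directory) is spec-valid but useless to consumers.
    if not name or name.strip() in {".", "..", "/"}:
        findings.append(f"document name {name!r} does not identify the product")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            body = fh.read()
        for finding in check_sbom(sys.argv[1], body):
            print(finding)
    else:
        # Offline demo against the constructed samples.
        print(check_sbom("bomber.cyclonedx.json", SPDX_SAMPLE))
        print(check_sbom("bomber.cyclonedx.json", CDX_SAMPLE))
```

Run as `python check_sbom.py bomber.cyclonedx.json` to check a downloaded release artifact; with no argument it runs against the embedded samples. The content check is deliberately independent of the filename, which is the property that was missing here.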

Ouch. That's strange. I'll need to check the release yaml for this, and we may be missing some flags for the Syft command.