bomber published SBOM is incorrectly labeled and has suspicious product name
Closed this issue · 1 comment
surendrapathak commented
While scanning the bomber-published SBOM with sbomqs, the SBOM is labeled incorrectly.
The file is named bomber.cyclonedx.json, but the internal format is SPDX:
```json
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": ".",
"documentNamespace": "https://anchore.com/syft/dir/0b73ec93-a9c2-4e45-9744-f477143f9788",
"creationInfo": {
  "licenseListVersion": "3.19",
  "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-0.68.1"
  ],
  "created": "2023-02-24T19:14:03Z"
},
```
Also, the name is "." which doesn't break the spec but definitely does not help utilize the SBOM effectively.
I suspect something got missed in this PR: #89
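A release-time check of the kind this report calls for, added here as an example and not part of bomber or the original issue: it sniffs the SBOM format from the JSON keys, compares it with what the file name claims, and flags a placeholder document name such as ".". The file naming convention and the constructed sample document are assumptions.

```python
import json
import os

# Constructed sample mirroring the fragment quoted above: a file named
# *.cyclonedx.json whose content is actually an SPDX 2.3 document named ".".
SAMPLE_PATH = "bomber.cyclonedx.json"
SAMPLE_CONTENT = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": ".",
    "creationInfo": {"creators": ["Tool: syft-0.68.1"]},
})


def detect_format(doc: dict) -> str:
    """Classify the document by the top-level keys each spec requires."""
    if "spdxVersion" in doc and "SPDXID" in doc:
        return "spdx"
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "cyclonedx"
    return "unknown"

def format_from_filename(path: str) -> str:
    """What the file name advertises (assumed naming convention)."""
    base = os.path.basename(path).lower()
    if ".cyclonedx." in base or base.endswith(".cdx.json"):
        return "cyclonedx"
    if ".spdx." in base:
        return "spdx"
    return "unknown"

def document_name(doc: dict, fmt: str) -> str:
    """SPDX keeps the name at top level; CycloneDX under metadata.component."""
    if fmt == "spdx":
        return doc.get("name", "")
    if fmt == "cyclonedx":
        return doc.get("metadata", {}).get("component", {}).get("name", "")
    return ""

def check_sbom(path: str, content: str) -> list[str]:
    """Return findings for a release artifact; an empty list means it passed."""
    doc = json.loads(content)
    actual, claimed = detect_format(doc), format_from_filename(path)
    findings = []
    if claimed != "unknown" and actual != claimed:
        findings.append(f"format mismatch: file name says {claimed}, content is {actual}")
    if document_name(doc, actual).strip() in ("", ".", "/"):
        findings.append("document name is empty or '.', expected the product name")
    return findings
```

Run `check_sbom(SAMPLE_PATH, SAMPLE_CONTENT)` against the constructed sample and both findings from the report come back; wiring it into the release workflow before upload would have caught this artifact.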
djschleen commented
Ouch. That's strange. I'll need to check the release yaml for this, and we may be missing some flags for the Syft command.