CycloneDX XML SBOM incorrectly checks for bomFormat
Closed this issue · 0 comments
surendrapathak commented
Scoring for the two SBOMs at
- https://sbomlc.s3.amazonaws.com/syft-0.73.0_busybox-1-glibc.cdx.xml?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=u7AiVh34yhTcPM59TJkvr9WAClc%3D&Expires=1709195074
- https://sbomlc.s3.amazonaws.com/syft-0.73.0_busybox-1-glibc.cdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=QbISBlxFIfeq0XKSnw4p7pQwLXA%3D&Expires=1709195074
even though both are prepared for the same image/tag with the same tool (syft-0.73.00). The root cause is the bomFormat and version fields, which are required in JSON and omitted from XML: https://cyclonedx.org/docs/1.4/xml/#element_bom
Expected Result:
Both SBOMs should produce identical scores.
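As an added example (not code from the issue or from the scoring tool it reports against), a Python check that recognises CycloneDX in both encodings: JSON via bomFormat/specVersion, XML via the namespace of the root bom element, which is where the spec version lives instead. The detect_cyclonedx function and the two sample documents are constructed for this illustration and assume the 1.4 namespace shown in the linked docs.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional

# CycloneDX XML has no bomFormat/specVersion fields; the spec version is the
# last path segment of the root element's namespace, e.g.
# <bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">.
CDX_NS_RE = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")


def detect_cyclonedx(data: bytes) -> Optional[dict]:
    """Return {"encoding", "specVersion"} for a CycloneDX SBOM, else None.

    JSON: bomFormat must equal "CycloneDX" and specVersion must be a string.
    XML:  the root must be <bom> in a cyclonedx.org/schema/bom/<ver> namespace.
          Looking for a bomFormat element here would reject every valid XML BOM,
          which is the mismatch the issue describes.
    """
    text = data.lstrip()
    if text.startswith(b"{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return None
        if doc.get("bomFormat") != "CycloneDX" or not isinstance(doc.get("specVersion"), str):
            return None
        return {"encoding": "json", "specVersion": doc["specVersion"]}
    if text.startswith(b"<"):
        # For SBOMs from untrusted sources, parse with defusedxml instead of
        # the stdlib parser to limit entity-expansion attacks.
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            return None
        match = CDX_NS_RE.match(root.tag)
        if not match:
            return None
        return {"encoding": "xml", "specVersion": match.group(1)}
    return None


# Constructed minimal samples (not the syft-generated SBOMs from the issue).
SAMPLE_JSON = b'{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": []}'
SAMPLE_XML = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">'
              b'<components/></bom>')
```

Running both samples through detect_cyclonedx yields the same spec version, which is the property a scorer needs before it can treat the two encodings alike.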