Closed
Description
Currently we're using the document "name" as the ID for SPDX documents in `bomctl list`, while for CycloneDX we're using the ID (the UUID from the CDX SBOM).
Example:

```
bomctl-playground (main) $ bomctl fetch https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/bomctl_bomctl_v0.3.0.cdx.json
INFO fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/bomctl_bomctl_v0.3.0.cdx.json
INFO fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/app/bomctl_0.3.0_linux_amd64.tar.gz.spdx.json
bomctl-playground (main) $ bomctl list
ID                                            │ Version │ # Nodes
──────────────────────────────────────────────┼─────────┼─────────
urn:uuid:f360ad8b-dc41-4256-afed-337a04dff5db │ 1       │ 6
bomctl_0.3.0_linux_amd64.tar.gz               │ 0       │ 81
```

This creates an issue when attempting to use the SPDX SBOM in future commands, as the name is not a valid document ID in the db:

```
bomctl-playground (main) $ bomctl export bomctl_0.3.0_linux_amd64.tar.gz -o test.spdx.json
INFO export: Exporting document sbomID=bomctl_0.3.0_linux_amd64.tar.gz
WARN db: Document could not be retrieved id=bomctl_0.3.0_linux_amd64.tar.gz err="no documents matching IDs bomctl_0.3.0_linux_amd64.tar.gz"
FATAL export: failed to retrieve document: no documents matching IDs bomctl_0.3.0_linux_amd64.tar.gz
```

We should be outputting the correct database ID for each document as part of `bomctl list`.
- There is a larger discussion to be had on how we standardize the ID used within bomctl for documents, since there is a disparity in how the major formats handle this. CDX provides a UUID whereas SPDX simply uses the filename. Protobom currently tacks on some additional info to the SPDX document name to use as the ID internally, which is what `bomctl list` should be showing so that it's a usable string in bomctl operations. A separate issue/ADR will be opened to discuss this solution.
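To make the format disparity concrete, here is an added illustration in Go (it is not bomctl or protobom code and does not reproduce how either derives its internal ID). It reads the minimal top-level fields of a JSON SBOM, returns the CycloneDX `serialNumber` as the native identifier, and for SPDX, which carries no UUID, falls back to the `documentNamespace` (required by the SPDX spec to be a unique URI) joined with the document `SPDXID`; that SPDX choice is an assumption for the example, not a statement of what protobom does. Both sample documents are constructed for the example: the CDX one reuses the serial number shown in the issue, the SPDX one uses a placeholder namespace.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample documents for this example (not files from bomctl-playground).
const SampleCDX = `{"bomFormat":"CycloneDX","specVersion":"1.5",
 "serialNumber":"urn:uuid:f360ad8b-dc41-4256-afed-337a04dff5db","version":1}`

const SampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT",
 "name":"bomctl_0.3.0_linux_amd64.tar.gz",
 "documentNamespace":"https://example.invalid/spdx/placeholder-namespace"}`

// sbomEnvelope captures only the top-level fields needed to decide which
// native identifier each format carries; encoding/json ignores the rest.
type sbomEnvelope struct {
	// CycloneDX: the document UUID lives in serialNumber; the component
	// name is nested under metadata.component and is not read here.
	BomFormat    string `json:"bomFormat"`
	SerialNumber string `json:"serialNumber"`
	// SPDX: no UUID, only a human-readable name plus a unique namespace URI.
	SPDXVersion       string `json:"spdxVersion"`
	SPDXID            string `json:"SPDXID"`
	Name              string `json:"name"`
	DocumentNamespace string `json:"documentNamespace"`
}

// DocumentID is what a lister would print: Format says which rule produced
// Native, the stable per-format key; Name is the display name (SPDX only here).
type DocumentID struct {
	Format string
	Native string
	Name   string
}

// NativeDocumentID inspects raw SBOM JSON and returns a usable identifier,
// or an error when the document lacks the field its format relies on.
func NativeDocumentID(raw []byte) (DocumentID, error) {
	var env sbomEnvelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return DocumentID{}, fmt.Errorf("parse sbom: %w", err)
	}
	switch {
	case env.BomFormat == "CycloneDX":
		if env.SerialNumber == "" {
			return DocumentID{}, errors.New("cyclonedx document has no serialNumber")
		}
		return DocumentID{Format: "cyclonedx", Native: env.SerialNumber}, nil
	case strings.HasPrefix(env.SPDXVersion, "SPDX-"):
		if env.DocumentNamespace == "" {
			return DocumentID{}, errors.New("spdx document has no documentNamespace")
		}
		// Assumed convention for the example: namespace URI plus the
		// document's own SPDXID, which the spec pairs to reference a document.
		id := env.DocumentNamespace
		if env.SPDXID != "" {
			id += "#" + env.SPDXID
		}
		return DocumentID{Format: "spdx", Native: id, Name: env.Name}, nil
	default:
		return DocumentID{}, errors.New("unrecognised sbom format")
	}
}

func main() {
	// Print a list-style table so the two identifier shapes sit side by side.
	fmt.Printf("%-10s %s\n", "FORMAT", "ID")
	for _, doc := range []string{SampleCDX, SampleSPDX} {
		id, err := NativeDocumentID([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-10s %s\n", id.Format, id.Native)
	}
}
```

The point of the check is that the SPDX `name` alone (the string `bomctl list` currently prints) is never returned as an identifier: the function either yields something namespace-qualified or fails loudly, which is the behaviour a lister needs if its output is to be fed back into `export`.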