Description
Currently, if ScanCode.io is given multiple inputs (e.g. a package URL and an archive), the found packages and dependencies are merged or "flattened" in the resulting CycloneDX and SPDX SBOMs. This may have its use cases, but it might not always be the desired behavior, and it may lead to conflicts if, say, two dependencies resolve to the same package URL but have different metadata (for instance due to an improperly made internal fork).
Filing this issue as a starting point for an architecture discussion on:
A) How should ScanCode.io's generated SBOM look when given different types of inputs? I believe the SBOM structure changes depending on the type of input, e.g. the documentDescribes field in SPDX 2.x and the component field in CycloneDX.
Does the root element of the SBOM describe what is inside the provided input, or is it the input itself?
Types of inputs to test (from tests done for #1727):
- pkg:npm/mime-types@2.1.26 - package URL specifying a package by its registry coordinates.
- pkg:github/jshttp/mime-types@2.1.26 - package URL specifying the code repository location.
- pkg:github/jshttp/mime-types@2.1.26?packaging=sources - package URL specifying the sources artifact of a package defined by its registry coordinates.
- mime-types-2.1.26.tar.gz - archive of mime-types 2.1.26.
- docker://osadl/ubuntu-docker-base-image:jammy-aarch64-latest - container image.
B) How should ScanCode.io's generated SBOM look when given multiple inputs?
For example, when given two archives, will the SPDX SBOM look something like this:
```yaml
documentDescribes:
  - "SPDXRef-archive1"
  - "SPDXRef-archive2"
relationships:
  - spdxElementId: "SPDXRef-archive1"
    relationshipType: "CONTAINS"
    relatedSpdxElement: "SPDXRef-Package-abc-found-within-archive1"
  - spdxElementId: "SPDXRef-archive2"
    relationshipType: "CONTAINS"
    relatedSpdxElement: "SPDXRef-Package-xyz-found-within-archive2"
```
and the CycloneDX file like this (each input nested as a sub-component of a synthetic root component):
```json
"metadata": {
  "component": {
    "bom-ref": "30657da5-988b-40ad-9c3c-5ac880d9426f",
    "name": "Multiple inputs",
    "type": "data",
    "components": [
      {
        "bom-ref": "233344552e-ef71-43ea-b3a5-21f507cf05ff",
        "name": "camelcase-8.0.0.tgz",
        "type": "library"
      },
      {
        "bom-ref": "1854552e-ef71-43ea-b3a5-21f507cf05ff",
        "name": "mime-types-2.1.26.tar.gz",
        "type": "library"
      }
    ]
  },
  "properties": [
    {
      "name": "scancode-io:project-name",
      "value": "G - mime-types-2.1.26.tar.gz + camelcase-8.0.0.tgz + scan_codebase pipeline"
    },
    {
      "name": "scancode-io:upload-files",
      "value": "pkg:npm/mime-types@2.1.26"
    },
    {
      "name": "scancode-io:upload-files",
      "value": "pkg:npm/camelcase@8.0.0"
    }
  ]
}
```
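To make point B) concrete, here is an added Python example (not ScanCode.io code) that keeps one SPDX root element per input, as in the SPDX sketch above, and flags package URLs that appear in several inputs with differing metadata instead of silently merging them; the input names, purls and checksums are constructed sample values.

```python
"""Added example (not ScanCode.io code): build a per-input SPDX-style document
instead of flattening, and flag purl collisions with conflicting metadata.
All input names, purls and checksums below are constructed sample values."""
from collections import defaultdict

# Constructed sample: each input with the packages found inside it. Both
# archives contain "pkg:npm/mime-types@2.1.26" but with different checksums,
# e.g. an improperly made internal fork shipped under the upstream purl.
INPUTS = {
    "mime-types-2.1.26.tar.gz": [
        {"purl": "pkg:npm/mime-types@2.1.26", "sha1": "aaaa1111"},
        {"purl": "pkg:npm/mime-db@1.43.0", "sha1": "bbbb2222"},
    ],
    "camelcase-8.0.0.tgz": [
        {"purl": "pkg:npm/camelcase@8.0.0", "sha1": "cccc3333"},
        {"purl": "pkg:npm/mime-types@2.1.26", "sha1": "dddd4444"},
    ],
}


def spdx_ref(name):
    # SPDX identifiers allow only letters, digits, '.' and '-'.
    return "SPDXRef-" + "".join(c if c.isalnum() or c in ".-" else "-" for c in name)


def build_spdx(inputs):
    """One root element per input; each root CONTAINS only its own packages."""
    doc = {"documentDescribes": [], "packages": [], "relationships": []}
    for input_name, packages in inputs.items():
        root = spdx_ref(input_name)
        doc["documentDescribes"].append(root)
        doc["packages"].append({"SPDXID": root, "name": input_name})
        for pkg in packages:
            # Scope the package id to its input so identical purls do not collide.
            pkg_id = spdx_ref(input_name + "-" + pkg["purl"])
            doc["packages"].append({"SPDXID": pkg_id, "name": pkg["purl"], "sha1": pkg["sha1"]})
            doc["relationships"].append({"spdxElementId": root, "relationshipType": "CONTAINS",
                                         "relatedSpdxElement": pkg_id})
    return doc


def find_conflicts(inputs):
    """Return purls that appear across inputs with differing metadata (checksums)."""
    seen = defaultdict(set)
    for packages in inputs.values():
        for pkg in packages:
            seen[pkg["purl"]].add(pkg["sha1"])
    return sorted(purl for purl, sums in seen.items() if len(sums) > 1)
```

A flattened SBOM would keep only one of the two mime-types entries; the conflict list is what a reviewer needs to see before trusting the merged result.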