
Multiple inputs should be reflected in generated SBOMs #1878

@tsteenbe

Description


Currently, if ScanCode.io is given multiple inputs (e.g. a package URL and an archive), the found packages and dependencies will be merged or "flattened" in the resulting CycloneDX and SPDX SBOMs. This may have its use cases, but it might not always be the desired behavior and may lead to conflicts if, say, two dependencies resolve to the same package URL but have different metadata (for instance due to an improperly made internal fork).

Filing this issue as a starting point for an architecture discussion on:
A) What should ScanCode.io's generated SBOM look like when given different types of inputs? I believe that, depending on the type of input, the SBOM structure changes, e.g. the documentDescribes field in SPDX 2.x and the component field in CycloneDX.

Does the root element of the SBOM describe what is inside of the provided input, or is it the input itself?

Types of inputs to test (from tests done for #1727):

  • pkg:npm/mime-types@2.1.26 - package URL specifying package by its registry coordinates.
  • pkg:github/jshttp/mime-types@2.1.26 - package URL specifying the code repository location.
  • pkg:github/jshttp/mime-types@2.1.26?packaging=sources - package URL specifying the sources artifact of a package defined by its registry coordinates.
  • mime-types-2.1.26.tar.gz - archive of mime-types 2.1.26.
  • docker://osadl/ubuntu-docker-base-image:jammy-aarch64-latest

B) What should ScanCode.io's generated SBOM look like when given multiple inputs?

For example, when given two archives, will the SPDX SBOM look something like this:

documentDescribes:
- "SPDXRef-archive1"
- "SPDXRef-archive2"
relationships:
- spdxElementId: "SPDXRef-archive1"
  relationshipType: "CONTAINS"
  relatedSpdxElement: "SPDXRef-Package-abc-found-within-archive1"
- spdxElementId: "SPDXRef-archive2"
  relationshipType: "CONTAINS"
  relatedSpdxElement: "SPDXRef-Package-xyz-found-within-archive2"

and the CycloneDX file like this (fragment of the BOM showing only the metadata object):

  "metadata": {
    "component": {
      "bom-ref": "30657da5-988b-40ad-9c3c-5ac880d9426f",
      "name": "Multiple inputs",
      "type": "data",
      "components": [
        {
          "bom-ref": "233344552e-ef71-43ea-b3a5-21f507cf05ff",
          "name": "camelcase-8.0.0.tgz",
          "type": "library"
        },
        {
          "bom-ref": "1854552e-ef71-43ea-b3a5-21f507cf05ff",
          "name": "mime-types-2.1.26.tar.gz",
          "type": "library"
        }
      ]
    },
    "properties": [
      {
        "name": "scancode-io:project-name",
        "value": "G - mime-types-2.1.26.tar.gz + camelcase-8.0.0.tgz + scan_codebase pipeline"
      },
      {
        "name": "scancode-io:upload-files",
        "value": "pkg:npm/mime-types@2.1.26"
      },
      {
        "name": "scancode-io:upload-files",
        "value": "pkg:npm/camelcase@8.0.0"
      }
    ]
  }
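The following is an added example, not ScanCode.io's code or the issue author's proposal: it shows one way to build the SPDX 2.x shape sketched above (one root per input in documentDescribes, CONTAINS relationships from each root) while refusing to silently flatten two findings of the same package URL whose metadata disagrees. The sample inputs are constructed, the "fingerprint" fields (name, version, license, SHA1) are an assumed choice of what must agree before two findings are merged, and the SPDXRef naming scheme is illustrative; the same per-input-root logic would apply to nested components under metadata.component in CycloneDX.

```python
import json
import re

# Constructed sample scan results (not ScanCode.io output): two archive inputs
# that both contain pkg:npm/mime-types@2.1.26, but the copy in the second
# archive is an internal fork with a different checksum.
SAMPLE_INPUTS = [
    {
        "input": "mime-types-2.1.26.tar.gz",
        "packages": [
            {"purl": "pkg:npm/mime-types@2.1.26", "name": "mime-types",
             "version": "2.1.26", "license": "MIT", "sha1": "a" * 40},
            {"purl": "pkg:npm/mime-db@1.43.0", "name": "mime-db",
             "version": "1.43.0", "license": "MIT", "sha1": "b" * 40},
        ],
    },
    {
        "input": "camelcase-8.0.0.tgz",
        "packages": [
            {"purl": "pkg:npm/camelcase@8.0.0", "name": "camelcase",
             "version": "8.0.0", "license": "MIT", "sha1": "c" * 40},
            {"purl": "pkg:npm/mime-types@2.1.26", "name": "mime-types",
             "version": "2.1.26", "license": "MIT", "sha1": "d" * 40},
        ],
    },
]


def spdx_ref(prefix, value):
    """Build an SPDX identifier; SPDX IDs allow only letters, digits, '.' and '-'."""
    return "SPDXRef-%s-%s" % (prefix, re.sub(r"[^A-Za-z0-9.-]", "-", value))


def fingerprint(pkg):
    """Assumed set of metadata that must agree before two findings of one purl merge."""
    return (pkg["name"], pkg["version"], pkg["license"], pkg["sha1"])


def spdx_package(spdx_id, pkg):
    return {
        "SPDXID": spdx_id,
        "name": pkg["name"],
        "versionInfo": pkg["version"],
        "downloadLocation": "NOASSERTION",
        "licenseConcluded": pkg["license"],
        "checksums": [{"algorithm": "SHA1", "checksumValue": pkg["sha1"]}],
        "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                          "referenceType": "purl", "referenceLocator": pkg["purl"]}],
    }


def build_spdx(inputs):
    """Return (document, conflicts).

    Every input becomes its own root listed in documentDescribes. A purl found
    under several inputs is merged into one element only when its fingerprint
    matches; otherwise each finding keeps a distinct element and the
    disagreement is reported instead of being flattened away.
    """
    doc = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
           "documentDescribes": [], "packages": [], "relationships": []}
    conflicts = []
    first_seen = {}  # purl -> (fingerprint, SPDXID, input name) of the first finding

    for entry in inputs:
        root = spdx_ref("input", entry["input"])
        doc["documentDescribes"].append(root)
        doc["packages"].append({"SPDXID": root, "name": entry["input"],
                                "downloadLocation": "NOASSERTION"})
        for pkg in entry["packages"]:
            purl, fp = pkg["purl"], fingerprint(pkg)
            if purl not in first_seen:
                pkg_id = spdx_ref("Package", purl)
                first_seen[purl] = (fp, pkg_id, entry["input"])
                doc["packages"].append(spdx_package(pkg_id, pkg))
            elif first_seen[purl][0] == fp:
                pkg_id = first_seen[purl][1]  # identical finding: share the element
            else:
                # Same purl, different metadata: keep a separate element keyed by input.
                pkg_id = spdx_ref("Package", purl + "-" + entry["input"])
                doc["packages"].append(spdx_package(pkg_id, pkg))
                conflicts.append({"purl": purl,
                                  "inputs": [first_seen[purl][2], entry["input"]],
                                  "elements": [first_seen[purl][1], pkg_id]})
            doc["relationships"].append({"spdxElementId": root,
                                         "relationshipType": "CONTAINS",
                                         "relatedSpdxElement": pkg_id})
    return doc, conflicts


if __name__ == "__main__":
    document, found = build_spdx(SAMPLE_INPUTS)
    print(json.dumps(document, indent=2))
    for conflict in found:
        print("conflict:", conflict)
```

With the constructed inputs the document lists two roots, four CONTAINS relationships and six package elements, and reports one conflict for pkg:npm/mime-types@2.1.26; if the second archive's copy had the same checksum, the two findings would share one element and no conflict would be raised. A real implementation would also need to decide what the conflict record should become in the SBOM itself (an annotation, a distinct purl qualifier, or a hard error).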

Labels: enhancement (New feature or request)