Open
Description
I want to convert a SPDX SBOM to CycloneDX. The SBOM I want to convert is from the Google Distroless project, and one can get it via

```shell
cosign download attestation \
  --platform linux/amd64 \
  gcr.io/distroless/static-debian12:debug-nonroot@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9 \
  | jq -r .payload \
  | base64 -d \
  | jq -r '.' > sbom.spdx.json
```
When converting the SBOM using ...

```shell
cyclonedx-cli convert \
  --input-format spdxjson \
  --input-file sbom.spdx.json \
  --output-format json \
  --output-file sbom.cdx.json
```

... I get a CycloneDX SBOM, BUT some components do NOT have a `purl`, although a purl is in the `properties`.
Example: This tzdata SBOM component ...
```json
{
  "name": "tzdata",
  "SPDXID": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64",
  "versionInfo": "2025b-0+deb12u1",
  "supplier": "Person: GNU Libc Maintainers \\\\u003cdebian-glibc@lists.debian.org\\\\u003e",
  "downloadLocation": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0+deb12u1_all.deb",
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "homepage": "https://www.iana.org/time-zones",
  "copyrightText": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to tz@iana.org\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "summary": "time zone and daylight-saving time data",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"
    }
  ]
},
```
... gets converted to ...
```json
{
  "type": "library",
  "name": "tzdata",
  "version": "2025b-0\u002Bdeb12u1",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "licenses": [
    {}
  ],
  "copyright": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to tz@iana.org\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "externalReferences": [
    {
      "url": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb",
      "type": "distribution"
    },
    {
      "url": "https://www.iana.org/time-zones",
      "type": "website"
    }
  ],
  "properties": [
    {
      "name": "spdx:spdxid",
      "value": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64"
    },
    {
      "name": "spdx:package:summary",
      "value": "time zone and daylight-saving time data"
    },
    {
      "name": "spdx:external-reference:package-manager:purl",
      "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"
    },
    {
      "name": "spdx:download-location",
      "value": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb"
    },
    {
      "name": "spdx:homepage",
      "value": "https://www.iana.org/time-zones"
    }
  ]
}
```
As stated above, the new CDX component does NOT have a `purl`, but in `properties` there is `spdx:external-reference:package-manager:purl`, which, as far as I understand, could be used.

Am I doing something wrong here?
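Added example (not part of the reporter's post and not cyclonedx-cli code): a small post-processing script that walks the converted CycloneDX JSON, copies the value of the `spdx:external-reference:package-manager:purl` property into the component's `purl` field wherever `purl` is absent, and reports the components that still have no purl. It assumes that property name exactly as it appears in the converted output above, never overwrites a purl the converter did emit, accepts only values with the `pkg:` scheme, and goes slightly beyond the report by also descending into nested `components` arrays. The embedded sample BOM is constructed from the tzdata component above plus one component with no purl anywhere, so the script runs offline.

```python
"""Backfill missing purls in a CycloneDX JSON SBOM from the SPDX-derived property.

Added example, not part of the cyclonedx-cli project. Assumes the property name
"spdx:external-reference:package-manager:purl" as seen in the converted output;
the sample document below is constructed, not a real SBOM.
"""
from __future__ import annotations

import copy
import json
import sys
from typing import Any, Iterator

# Property name as observed in cyclonedx-cli's SPDX -> CycloneDX output (assumption).
PURL_PROPERTY = "spdx:external-reference:package-manager:purl"


def purl_from_properties(component: dict[str, Any]) -> str | None:
    """Return the purl carried in the component's properties, if any.

    Only a value with the package-URL "pkg:" scheme is accepted; anything else
    under that property name is ignored rather than copied into the purl field.
    """
    for prop in component.get("properties", []):
        if prop.get("name") == PURL_PROPERTY:
            value = prop.get("value", "")
            if isinstance(value, str) and value.startswith("pkg:"):
                return value
    return None


def iter_components(components: list[dict[str, Any]]) -> Iterator[dict[str, Any]]:
    """Yield every component, descending into nested "components" arrays."""
    for component in components:
        yield component
        yield from iter_components(component.get("components", []))


def backfill_purls(bom: dict[str, Any]) -> tuple[int, list[str]]:
    """Set component["purl"] from the SPDX property where it is missing.

    Mutates `bom` in place. Returns (number of purls added, names of components
    that still have no purl after the pass). An existing purl is never
    overwritten, so components the converter handled correctly are left alone.
    """
    added = 0
    still_missing: list[str] = []
    for component in iter_components(bom.get("components", [])):
        if component.get("purl"):
            continue
        purl = purl_from_properties(component)
        if purl is None:
            still_missing.append(component.get("name", "<unnamed>"))
            continue
        component["purl"] = purl
        added += 1
    return added, still_missing


# Constructed sample: a cut-down copy of the converted tzdata component from the
# report (json.loads turns the \u002B escape back into "+"), plus one component
# that has no purl anywhere, so both outcomes of the pass are visible.
SAMPLE_BOM: dict[str, Any] = json.loads(r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "tzdata",
      "version": "2025b-0\u002Bdeb12u1",
      "properties": [
        {"name": "spdx:spdxid", "value": "SPDXRef-example-tzdata"},
        {"name": "spdx:external-reference:package-manager:purl",
         "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"}
      ]
    },
    {
      "type": "library",
      "name": "no-purl-anywhere",
      "version": "1.0",
      "properties": [{"name": "spdx:spdxid", "value": "SPDXRef-example-nopurl"}]
    }
  ]
}
''')


def fresh_sample() -> dict[str, Any]:
    """Deep copy of the constructed sample, so backfill_purls can mutate it safely."""
    return copy.deepcopy(SAMPLE_BOM)


def main(argv: list[str]) -> int:
    """Usage: backfill_purl.py sbom.cdx.json > sbom.fixed.cdx.json (no arg: sample)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = fresh_sample()
    added, missing = backfill_purls(bom)
    json.dump(bom, sys.stdout, indent=2)
    sys.stdout.write("\n")
    print(f"purls added: {added}; still without purl: {missing}", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python backfill_purl.py sbom.cdx.json > sbom.fixed.cdx.json`; the non-zero exit status when any component is still purl-less makes it usable as a CI gate. The backfilled purl is only as trustworthy as the SPDX document it came from, so this belongs after signature verification of the attestation, not in place of it.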