SPDX to Cyclonedx: no purl in converted component #424

@pstoeckle

Description

I want to convert a SPDX SBOM to CycloneDX. The SBOM I want to convert is from the Google Distroless project, and one can get it via

cosign download attestation \
    --platform linux/amd64 \
    gcr.io/distroless/static-debian12:debug-nonroot@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9 \
      | jq -r .payload \
      | base64 -d \
      | jq -r '.' > sbom.spdx.json

When converting the SBOM using ...

cyclonedx-cli convert \
  --input-format spdxjson \
  --input-file sbom.spdx.json \
  --output-format json \
  --output-file sbom.cdx.json

... I get a CycloneDX SBOM, BUT some components do NOT have a purl although there is a purl in the properties.

Example:
This tzdata SBOM component ...

{
  "name": "tzdata",
  "SPDXID": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64",
  "versionInfo": "2025b-0+deb12u1",
  "supplier": "Person: GNU Libc Maintainers \\\\u003cdebian-glibc@lists.debian.org\\\\u003e",
  "downloadLocation": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0+deb12u1_all.deb",
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "homepage": "https://www.iana.org/time-zones",
  "copyrightText": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n                  Commentary should be addressed to tz@iana.org\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "summary": "time zone and daylight-saving time data",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"
    }
  ]
}

... gets converted to ...

{
      "type": "library",
      "name": "tzdata",
      "version": "2025b-0\u002Bdeb12u1",
      "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
      "hashes": [
        {
          "alg": "SHA-256",
          "content": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
        }
      ],
      "licenses": [
        {}
      ],
      "copyright": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n                  Commentary should be addressed to tz@iana.org\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
      "externalReferences": [
        {
          "url": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb",
          "type": "distribution"
        },
        {
          "url": "https://www.iana.org/time-zones",
          "type": "website"
        }
      ],
      "properties": [
        {
          "name": "spdx:spdxid",
          "value": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64"
        },
        {
          "name": "spdx:package:summary",
          "value": "time zone and daylight-saving time data"
        },
        {
          "name": "spdx:external-reference:package-manager:purl",
          "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"
        },
        {
          "name": "spdx:download-location",
          "value": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb"
        },
        {
          "name": "spdx:homepage",
          "value": "https://www.iana.org/time-zones"
        }
      ]
}

As stated above, the new CDX component does NOT have a purl, but in properties there is spdx:external-reference:package-manager:purl which, as far as I understand, could be used.

Am I doing something wrong here?
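Until the converter carries the purl over itself, the converted CycloneDX document can be post-processed: the script below (added here as an illustration, not part of the issue or of cyclonedx-cli) promotes the `spdx:external-reference:package-manager:purl` property into the component's `purl` field wherever `purl` is absent, walks nested components too, and reports the components that still lack a purl so they can be reviewed before the SBOM is fed to a vulnerability scanner. The embedded BOM is a constructed sample modelled on the tzdata component above.

```python
import json
import sys
from typing import Any, Iterator

PURL_PROPERTY = "spdx:external-reference:package-manager:purl"

# Constructed sample CycloneDX document: one component with the purl only in
# properties (as in the issue), one with a proper purl, one with none at all.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "tzdata", "version": "2025b-0+deb12u1",
         "properties": [
             {"name": "spdx:spdxid", "value": "SPDXRef-constructed-example"},
             {"name": PURL_PROPERTY,
              "value": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"}]},
        {"type": "library", "name": "libc6", "version": "2.36",
         "purl": "pkg:deb/debian/libc6@2.36?arch=amd64"},
        {"type": "library", "name": "mystery", "version": "1.0"},
    ],
})


def walk_components(container: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every component, including nested component.components."""
    for comp in container.get("components", []):
        yield comp
        yield from walk_components(comp)


def promote_purls(bom: dict[str, Any]) -> list[str]:
    """Fill component.purl from the SPDX purl property; return names still missing."""
    missing: list[str] = []
    for comp in walk_components(bom):
        if not comp.get("purl"):
            for prop in comp.get("properties", []):
                value = prop.get("value", "")
                if prop.get("name") == PURL_PROPERTY and value.startswith("pkg:"):
                    comp["purl"] = value
                    break
        if not comp.get("purl"):
            missing.append(comp.get("name", "<unnamed>"))
    return missing


def promote_purls_in_text(text: str) -> tuple[dict[str, Any], list[str]]:
    """Parse a CycloneDX JSON string, fix it in place, return (bom, still_missing)."""
    bom = json.loads(text)
    return bom, promote_purls(bom)


if __name__ == "__main__":  # usage: python fix_purls.py < sbom.cdx.json > fixed.cdx.json
    fixed, left = promote_purls_in_text(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CDX)
    print(json.dumps(fixed, indent=2))
    print(f"components without purl: {left}", file=sys.stderr)
```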
