
SPDX SBOM not compliant to SPDX Scheme 2.2 #1596

Closed
MP91 opened this issue Feb 21, 2023 · 18 comments
Labels
bug Something isn't working

Comments

@MP91

MP91 commented Feb 21, 2023

What happened:

We generated some SBOMs for our project. We need them as input for another tool in the SPDX format.

The tool reports an error because the generated document uses PACKAGE-MANAGER as reference category.

What you expected to happen:

PACKAGE_MANAGER is used

Steps to reproduce the issue:

Generate a SPDX SBOM of Ubuntu

Anything else we need to know?:

            "referenceCategory" : {
              "description" : "Category for the external reference",
              "type" : "string",
              "enum" : [ "OTHER", "SECURITY", "PACKAGE_MANAGER" ]
            }

Environment:

  • Output of syft version: syft-0.72.0
  • OS (e.g: cat /etc/os-release or similar): Ubuntu 22
@MP91 MP91 added the bug Something isn't working label Feb 21, 2023
@kzantow
Contributor

kzantow commented Feb 21, 2023

PACKAGE_MANAGER and PACKAGE-MANAGER should both be valid. See the latest schema: https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L322-L326

@MP91
Author

MP91 commented Feb 22, 2023

@kzantow yes, I already saw this, but the notes say that the document is compliant with version 2.2, and this is also the version our tool expects.

Edit I changed the title to better reflect this.

@MP91 MP91 changed the title SPDX SBOM not compliant to SPDX Scheme SPDX SBOM not compliant to SPDX Scheme 2.2 Feb 22, 2023
@kzantow
Contributor

kzantow commented Feb 22, 2023

I've added an issue to the tools-golang library that we use, where I think this should be handled. It should be noted that the JSON schema is incorrect and not according to the spec. To deal with this, the advice to SPDX implementors is to accept both values.

@kzantow
Contributor

kzantow commented Feb 22, 2023

I've also added a PR to correct the SPDX 2.2 JSON schema. I do not believe Syft should be generating JSON with values that contradict the spec, even if the JSON schema is different. Are there specific tools that are failing and could they be corrected to accept what should be the correct values?

@kzantow
Contributor

kzantow commented Feb 22, 2023

Also, this is in direct conflict with the issue raised for which I think this change was made: #1236

@MP91
Author

MP91 commented Mar 10, 2023

Hey @kzantow, thanks already for working on that one. Specifically, we are using our own fork of the ORT (https://github.com/oss-review-toolkit/ort) to scan our code. They are still set on SPDX 2.2, but I already raised an issue to update the version to 2.3.1. So far nothing has happened...

@kzantow
Contributor

kzantow commented Mar 14, 2023

FYI -- the latest v2.2 JSON schema should be updated to include PACKAGE-MANAGER -- my PR was merged: spdx/spdx-spec#836. Hopefully tools are able to at least get this update and handle both values appropriately.

@kzantow
Contributor

kzantow commented Mar 14, 2023

Also FYI you can export an SPDX 2.2 version (which still includes PACKAGE-MANAGER) by appending @2.2 to the format, e.g.: -o spdx-json@2.2

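The advice in kzantow's earlier comment (consumers should accept both PACKAGE_MANAGER and PACKAGE-MANAGER) and the version selection mentioned just above can be combined into a small pre-processing step for a consumer that is pinned to the SPDX 2.2 JSON schema. The following Python is an added example written for this thread; it is not part of Syft, tools-golang or ORT. It takes an SPDX JSON document, refuses it if spdxVersion is not the version the consumer expects, lists the externalRefs whose referenceCategory a strict 2.2 validator would reject, and returns a copy with both spellings mapped onto the schema form. The enum values are the three quoted from the 2.2 schema in this issue; the sample document, package name and locators are constructed here, not real Syft output.

```python
"""Pre-process a Syft SPDX JSON SBOM for a consumer pinned to the SPDX 2.2 JSON schema."""
import json
from typing import Any

# referenceCategory enum exactly as quoted from the SPDX 2.2 JSON schema in this issue.
SCHEMA_2_2_CATEGORIES = frozenset({"OTHER", "SECURITY", "PACKAGE_MANAGER"})

# The spec text spells these with a hyphen (PACKAGE-MANAGER), which is what Syft emits;
# a lenient consumer accepts both spellings and maps them onto the schema form.
ALIASES = {cat.replace("_", "-"): cat for cat in SCHEMA_2_2_CATEGORIES}


def normalize_category(value: str) -> str:
    """Return the schema spelling for a referenceCategory, accepting either form."""
    if value in SCHEMA_2_2_CATEGORIES:
        return value
    if value in ALIASES:
        return ALIASES[value]
    raise ValueError(f"unknown referenceCategory: {value!r}")


def find_noncompliant_refs(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """List (package SPDXID, referenceCategory) pairs a strict 2.2 validator would reject."""
    bad = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            category = ref.get("referenceCategory")
            if category not in SCHEMA_2_2_CATEGORIES:
                bad.append((pkg.get("SPDXID", "?"), category))
    return bad


def normalize_document(doc: dict[str, Any],
                       expected_version: str = "SPDX-2.2") -> tuple[dict[str, Any], int]:
    """Check spdxVersion and return a copy with every referenceCategory in schema form,
    plus the number of values rewritten. A document of another version is refused:
    rewriting enum spellings does not turn a 2.3 document into a 2.2 one."""
    version = doc.get("spdxVersion")
    if version != expected_version:
        raise ValueError(f"document is {version!r}, consumer expects {expected_version!r}")
    out = json.loads(json.dumps(doc))  # deep copy; leave the caller's object untouched
    rewritten = 0
    for pkg in out.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            original = ref["referenceCategory"]
            ref["referenceCategory"] = normalize_category(original)
            if ref["referenceCategory"] != original:
                rewritten += 1
    return out, rewritten


# Constructed sample (not real Syft output): one package carrying the hyphenated
# spelling that this issue is about, next to a value that is already schema-compliant.
SAMPLE_SBOM_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-image",
  "packages": [
    {
      "name": "libssl3",
      "SPDXID": "SPDXRef-Package-deb-libssl3",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl",
         "referenceLocator": "pkg:deb/ubuntu/libssl3@3.0.2-0ubuntu1?arch=amd64"},
        {"referenceCategory": "SECURITY",
         "referenceType": "cpe23Type",
         "referenceLocator": "cpe:2.3:a:openssl:openssl:3.0.2:*:*:*:*:*:*:*"}
      ]
    }
  ]
}
"""


def load_sample() -> dict[str, Any]:
    """Fresh copy of the constructed sample document."""
    return json.loads(SAMPLE_SBOM_JSON)


if __name__ == "__main__":
    doc = load_sample()
    print("non-compliant before:", find_noncompliant_refs(doc))
    fixed, count = normalize_document(doc)
    print(f"rewrote {count} value(s); non-compliant after:", find_noncompliant_refs(fixed))
```

Run it on a real file by replacing load_sample() with json.load(open(path)); the version check is deliberate, because once a document reports SPDX-2.3 the correct fix is to regenerate it with -o spdx-json@2.2 rather than to patch its enum values.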
@tgerla
Contributor

tgerla commented Jun 1, 2023

Hi @MP91, I'm going to close this issue because I believe you have what you need...but if I am wrong, please let us know! Thanks.

@tgerla tgerla closed this as not planned Jun 1, 2023
@ShivamDalmia-eaton

ShivamDalmia-eaton commented Feb 22, 2024

syft -o spdx@2.2 > sbom2.spdx and syft -o spdx-tag-value@2.2 > sbom2.spdx are both still giving me SPDX version 2.3. Is there any way I can get the 2.2 version?

@tgerla
Contributor

tgerla commented Feb 22, 2024

Hi @ShivamDalmia-eaton, thanks for the report, I have reproduced this and will take a look with the team as soon as we can. (If it's useful, it appears as though -o spdx-json@2.2 correctly creates a JSON file of version 2.2.)

@ShivamDalmia-eaton

ShivamDalmia-eaton commented Feb 22, 2024

Thanks @tgerla for the speedy reply. My requirement is for an SPDX file with version 2.2; if there is any way to achieve that, please do let me know. Thank you.

@kzantow
Contributor

kzantow commented Feb 22, 2024

Hi @ShivamDalmia-eaton; I had a look at why the SPDX Tag-Value version selection was not working and it was a pretty simple fix; I created a PR here: #2665

@ShivamDalmia-eaton

Thanks @kzantow I'll look into it and inform you if it's working or not

@ShivamDalmia-eaton

Hi @kzantow, "syft -o spdx-tag-value@2.2 > sbom2.spdx" and "syft image.tar -o spdx@2.2 > sbom2.spdx" are still giving a 2.3 version. Is the command right?

@kzantow
Contributor

kzantow commented Feb 23, 2024

@ShivamDalmia-eaton yes, the PR noted above needs to get merged and released to fix it.

@ShivamDalmia-eaton

@kzantow thanks for the response. If you can, do let me know when the PR is reviewed and merged and the Tag-value version is fixed. Thanks.

@kzantow
Contributor

kzantow commented Feb 26, 2024

@ShivamDalmia-eaton this should be fixed in Syft v0.105.1:

% syft version
Application: syft
Version:    0.105.1
BuildDate:  2024-02-26T15:57:06Z
GitCommit:  Homebrew
GitDescription: [not provided]
Platform:   darwin/amd64
GoVersion:  go1.22.0
Compiler:   gc

% syft alpine:latest -o spdx@2.2
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: alpine
DocumentNamespace: https://anchore.com/syft/image/alpine-dc3d6acf-09d7-4414-b196-b1df531db658
...

... and sorry for the spam on this closed issue to any watchers!


4 participants