Support SPDX 3 component properties #1970

wagoodman · 2023-07-27T20:40:58Z

Today CycloneDX allows for arbitrary properties on package components, which we've leveraged in order to map non-compliant fields into the CycloneDX SBOM without going against the CycloneDX spec (see here).

SPDX 3.0 will soon implement a similar feature to this. I'm opening this issue as a place holder for when syft support SPDX 3.0 to consider implementing a similar capability so we can express pkg.Package.Metadata as arbitrary properties. (see a related issue anchore/grype#1245 that could have been solved with these SPDX 3 features, but is not possible in SPDX 2)

The text was updated successfully, but these errors were encountered:

bathina2 · 2023-08-24T20:00:33Z

buildkit-syft-scanner only supports SPDX. So the ability to capture metadata as well and store it directly in a container image would be sweet!
https://github.com/docker/buildkit-syft-scanner

wagoodman added enhancement New feature or request format:spdx SPDX related enhancement or bug labels Jul 27, 2023

wagoodman mentioned this issue Jul 27, 2023

Grype input with SPDX SBOM - report on wrong CVEs anchore/grype#1245

Closed

wagoodman added this to the SPDX 3 milestone Mar 26, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support SPDX 3 component properties #1970

Support SPDX 3 component properties #1970

wagoodman commented Jul 27, 2023

bathina2 commented Aug 24, 2023

Support SPDX 3 component properties #1970

Support SPDX 3 component properties #1970

Comments

wagoodman commented Jul 27, 2023

bathina2 commented Aug 24, 2023