Hey @riteshnoronha, a few questions related to the above issue, as I don't have a clear understanding of it:
Firstly, are you talking about tools present under the cdxDoc struct?
Second thing, which rule (sbom_with_creator_and_version) are you talking about? I am aware of rules or checks that were used for compliance reports such as CRA. Or is this something different which I am unaware of?
We have found that SBOMs generated via APIs in CDX 1.5 and above set the tool used to generate it in the metadata->Tools->Services section. In our current logic we only check Metadata->Tools->Tools and Metadata->Tools->Components. Yes, it impacts the sbom_with_creator_and_version rule, so if we parse it correctly and save it in cdxDoc it should just work.
It's possible the creator and tool version could be present in the tools->services section for SBOMs created via API services.
The sbom_with_creator_and_version rule should be modified to handle this. This is a CDX-only thing.
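A sketch of the parsing the thread asks for, added here as an example and not taken from the project's code: it reads `metadata.tools` in both the legacy array form and the CDX 1.5+ object form, so a tool listed only under `services` is still seen by a creator-and-version check. The `Tool` type, the `creatorTools` function and the sample BOM are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Tool is a hypothetical flattened record, not the project's own type.
type Tool struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Source  string `json:"-"` // metadata.tools section the entry came from
}

// Constructed sample: a CDX 1.5 BOM whose generator is listed only under services.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"tools":{"services":[{"name":"example-sbom-api","version":"2.3.0"}]}}}`

// creatorTools reads metadata.tools in either shape: the legacy array of
// tools, or the 1.5+ object holding components and services.
func creatorTools(bom []byte) ([]Tool, error) {
	var doc struct {
		Metadata struct {
			Tools json.RawMessage `json:"tools"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(bom, &doc); err != nil || len(doc.Metadata.Tools) == 0 {
		return nil, err
	}
	var sec struct{ Tools, Components, Services []Tool } // JSON keys match case-insensitively
	if json.Unmarshal(doc.Metadata.Tools, &sec.Tools) != nil { // not an array
		if err := json.Unmarshal(doc.Metadata.Tools, &sec); err != nil {
			return nil, err
		}
	}
	var out []Tool
	names := []string{"tools", "components", "services"}
	for i, ts := range [][]Tool{sec.Tools, sec.Components, sec.Services} {
		for _, t := range ts {
			t.Source = names[i]
			out = append(out, t)
		}
	}
	return out, nil
}

func main() {
	ts, err := creatorTools([]byte(sampleBOM))
	fmt.Println(ts, err)
}
```

A rule that requires both creator and version can then pass when any returned entry has a non-empty `Name` and `Version`, regardless of which section it came from.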