
Ensure SPDXIDs are valid #955

Merged
merged 3 commits into from
Apr 14, 2022

Conversation

kzantow
Contributor

@kzantow kzantow commented Apr 13, 2022

SPDXIDs were being generated with invalid characters. According to the spec, these must be in the format:

"SPDXRef-"[idstring] where [idstring] is a unique string containing letters, numbers, ., and/or -

However, other characters were being included, like underscores and forward slashes; this replaces them all with a dash. This should be safe to do without conflicts because our package IDs include the unique hash at the end.

This fixes: #949 and #952

Signed-off-by: Keith Zantow <kzantow@gmail.com>
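The sanitization rule described in the PR, as an added Go example that is not syft's own code: every character outside the quoted idstring alphabet (letters, digits, `.`, `-`) is replaced with a dash, and a matching validator lets a consumer check SPDXIDs in any SBOM. The package-ID shapes in `main` are constructed for illustration, not real syft output.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// validSPDXID encodes the grammar quoted in the PR description:
// "SPDXRef-" followed by one or more letters, digits, '.' or '-'.
var validSPDXID = regexp.MustCompile(`^SPDXRef-[A-Za-z0-9.\-]+$`)

// SanitizeIDString replaces every character the idstring grammar does not
// allow with a dash (illustrative implementation of the PR's approach).
func SanitizeIDString(s string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z',
			r >= '0' && r <= '9', r == '.', r == '-':
			b.WriteRune(r)
		default:
			// Underscores, slashes, ':' '@' and any non-ASCII rune all map to '-'.
			b.WriteRune('-')
		}
	}
	return b.String()
}

// SPDXRef builds a full SPDXID from a raw identifier string.
func SPDXRef(raw string) string {
	return "SPDXRef-" + SanitizeIDString(raw)
}

// IsValidSPDXID reports whether an SPDXID satisfies the grammar; a consumer
// can run this over every SPDXID in a document it receives.
func IsValidSPDXID(id string) bool {
	return validSPDXID.MatchString(id)
}

func main() {
	// Constructed samples with a slash and an underscore, the two cases from
	// the linked issues; the trailing hex is a stand-in for the unique hash.
	for _, raw := range []string{"Package-github.com/foo/bar-1.0.0-deadbeef", "Package-my_pkg-2.1-0123abcd"} {
		id := SPDXRef(raw)
		fmt.Printf("%-45s -> %s valid=%v\n", raw, id, IsValidSPDXID(id))
	}
}
```

Because several distinct raw characters collapse to the same dash, uniqueness of the result relies on a unique suffix such as the hash the PR mentions; the validator does not check for that.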
@kzantow kzantow requested a review from a team April 13, 2022 16:39
@kzantow kzantow linked an issue Apr 13, 2022 that may be closed by this pull request
@spiffcs
Contributor

spiffcs commented Apr 14, 2022

Nice! Thanks for following up on two of these issues. Great change.

@kzantow kzantow merged commit b7295b7 into anchore:main Apr 14, 2022
@kzantow kzantow deleted the correct-spdx-ids branch April 14, 2022 19:07
spiffcs added a commit that referenced this pull request May 2, 2022
* main: (31 commits)
  reduce noise of log output (#976)
  add version info and remove double config call (#977)
  Rename syft-id to package-id (#970)
  update to cyclonedx-go 0.5.2 (#971)
  refactor command package to remove globals and add dependency injection
  fix: #953 Derive language from pURL - https://github.com/anchore/syft… (#957)
  Fix typo in CPE-parsing error (#966)
  Preserve syft IDs on SBOM decode (#963)
  Update GitHub format package_url and correlator (#961)
  Ensure SPDXIDs are valid (#955)
  Auto-PR needs to run go mod tidy (#958)
  Add workflow for automatic PR for new stereoscope updates (#954)
  Minor readme update to correct format information (#948)
  Update spdx22json to only take uppercase checksum algorithm (#946)
  add additional vendors for springframework (#945)
  Add digest property to parent and nested java package metadata (#941)
  Update write permissions and log into ghcr.io for release (#942)
  Retry auth URL lookup without docker credentialhelper workaround (#939)
  Ensure that all cyclonedx components have bom-refs (#914)
  Additionally publish docker images to GHCR (#934)
  ...

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
rigzba21 pushed a commit to rigzba21/syft that referenced this pull request May 5, 2022
Signed-off-by: rigzba21 <jonathan.velando01@gmail.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
Successfully merging this pull request may close these issues.

Invalid SPDXID (contains a slash) Invalid SPDXID (contains an underscore)