Closed
Description
I've created a CycloneDX SBOM JSON file using syft
in the file system detection mode.
I then passed it to osv-scanner 1.0.1 and got the following error message:
# osv-scanner --sbom sbom.cyclonedx.json
Scanned CycloneDX SBOM
scan failed server response error: {"code":3,"message":"Invalid Package URL."}
Can you please make this error more detailed so it's clearer which Package URL is invalid?
(I think I know what the reason is; syft created 59 sections looking like this:
"externalReferences": [
  {
    "url": "",
    "hashes": [
      {
        "alg": "SHA-1",
        "content": "SOMESHA1"
      }
    ],
    "type": "build-meta"
  }
],
and one like this:
"bom-ref": "77d4884a4c0c2f96",
"type": "library",
"name": "",
"cpe": "cpe:2.3:a:python-:python-:*:*:*:*:*:*:*:*",
"purl": "pkg:pypi/",
"properties": [
...
when I deleted these, osv-scanner didn't report this error any longer.)
(I'll file a bug report for syft next.)
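The kind of pre-check the report asks for, as an added example (not osv-scanner or syft code): it walks a CycloneDX JSON SBOM and names the component whose purl is malformed, such as the empty "pkg:pypi/" quoted above, and any externalReferences entry with an empty url. The purl check is a deliberately minimal shape test (only the mandatory "pkg:<type>/<name>" part), and the embedded SBOM is a constructed sample modelled on the syft output in the issue.

```python
import json
import re
import sys
# Minimal Package URL shape check: only "pkg:<type>/<name>" is validated
# (assumption: version, qualifiers and subpath are not checked here).
PURL_RE = re.compile(r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/(?:[^/@?#]+/)*[^/@?#]+")
# Constructed sample modelled on the syft output quoted in the issue.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "a1", "type": "library", "name": "requests",
         "purl": "pkg:pypi/requests@2.28.1",
         "externalReferences": [{"url": "", "type": "build-meta"}]},
        {"bom-ref": "77d4884a4c0c2f96", "type": "library", "name": "",
         "purl": "pkg:pypi/"},
        {"bom-ref": "b2", "type": "library", "name": "notpurl", "purl": "pypi/foo"},
    ],
}

def invalid_purls(sbom):
    """Return (bom-ref, name, purl) for each component whose purl is malformed."""
    bad = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if purl is None:
            continue  # a component without any purl is legal in CycloneDX
        if not PURL_RE.match(purl):
            bad.append((comp.get("bom-ref", "?"), comp.get("name", ""), purl))
    return bad

def empty_external_refs(sbom):
    """Return (bom-ref, index) for each externalReferences entry with an empty url."""
    hits = []
    for comp in sbom.get("components", []):
        for idx, ref in enumerate(comp.get("externalReferences", [])):
            if not ref.get("url"):
                hits.append((comp.get("bom-ref", "?"), idx))
    return hits

def report(sbom):
    """Human-readable findings, one per line, so the offending component is named."""
    lines = [f"invalid purl {p!r} in component bom-ref={r} name={n!r}"
             for r, n, p in invalid_purls(sbom)]
    lines += [f"empty externalReferences[{i}].url in component bom-ref={r}"
              for r, i in empty_external_refs(sbom)]
    return lines

if __name__ == "__main__":
    # Pass a CycloneDX JSON path to check a real SBOM; otherwise the sample is used.
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    print("\n".join(report(sbom)) or "no problems found")
```

Run it against the syft output before handing the file to osv-scanner; each finding carries the bom-ref so the component can be located in the SBOM.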