SPDX questions/bugs #22
Comments
photon.json.txt - test JSON file for reference (renamed to .txt to make GitHub happy)
photon.spdxtv.txt - tag value version of same container
As a party interested in stamping the bugs out of this tool (but not the maintainer--credit to @justinabrahms), I investigated one small aspect of @rnjudge's questions and bug reports. (I'll investigate more later.) On this part:
I examined the photon.json.txt SBOM and saw that one "package" does seem to be missing version information. See the JSON snippet below. But this "package" is different than the other ones, since it appears to be a container layer (IIUC) and not an open source software package. I think this accounts for why the tool reports 97 percent of packages have versions. Given this, what ought the tool to do?

```json
"packages": [
  {
    "name": "photon",
    "SPDXID": "SPDXRef-photon-3.0",
    "versionInfo": "3.0",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "copyrightText": "NOASSERTION"
  },
  {
    "name": "ad1f1c6f4fef6e6208ebc53e701bf9937f4e05dce5f601b20c35d8a0ad7fdeff",
    "SPDXID": "SPDXRef-c8a2baeeb2",
    # NO VERSION INFO HERE
    "packageFileName": "ad1f1c6f4fef6e6208ebc53e701bf9937f4e05dce5f601b20c35d8a0ad7fdeff",
    "downloadLocation": "NONE",
    "filesAnalyzed": false,
    "checksums": [
      {
        "algorithm": "SHA256",
        "checksumValue": "c8a2baeeb2639816d78c44738c72246632d712195c634ce53e80fb5cbc0a50c8"
      }
    ],
    "licenseConcluded": "NOASSERTION",
    "licenseDeclared": "NOASSERTION",
    "copyrightText": "NOASSERTION",
    "comment": "Layer 1:\n\tinfo: Layer created by commands: /bin/sh -c #(nop) ADD file:03f8ed1169e4d338a7b5f3f94b3e25379a063f3718bb062533efa2ce61a21d35 in / \n\tinfo: Found 'VMware Photon OS/Linux' in /etc/os-release.\n\tinfo: Retrieved package metadata using tdnf default method. \n\n"
  },
  {
  ...
```
Thanks for this issue! To answer your questions:
I'll probably split your other things into bug tickets and reference them back here.
Thank you! As @jspeed-meyers pointed out, I think the package version percentage calculation is correct, just the final score (0/20) is off :) Also, my 2 cents for concluded vs declared: the declared field should be used for tools that are detecting licenses in software. The concluded field is intended more for human review/confirmation of what tools have found.
Alright. I believe that all of these, except #25, are addressed. Please open additional bugs if you find any, and sorry for the delay in getting to these.
Hello! In playing with this tool a bit for Tern reports I have a couple of questions and small bugs:
Questions:
- Does this tool ingest SPDX Tag value format or only JSON? I generated the same SBOM in both formats and only JSON format seemed to register anything in the scorecard tool.
- Does the tool use `LicenseConcluded` or `LicenseDeclared` in its license calculation score? In my experimentation it appears to be using only Concluded (I would argue the tool should be calculating "declared" vs "concluded").
- Does this tool count `LicenseRef`s as licenses in the license score or only SPDX License Identifiers?
- If there are no files present in the SPDX document, should the "file digest" score still be 0 (vs some sort of NA score)?
Bugs:
- For the `photon:3.0` container image SBOM (SPDX json format), there are 38 packages. 25 packages have a `LicenseRef` value as the license concluded, 11 have an actual SPDX License identifier value and 2 are `NOASSERTION`, yet scorecard says the report has 0% licenses found.
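The two metrics argued over in this thread, package version coverage (the 97 percent figure and the container-layer package in @jspeed-meyers' snippet) and the concluded/declared license count (the 0% bug above), are easy to recompute independently of the scorecard tool. The script below is an added example, not code from this project or from Tern: it parses an SPDX 2.2 JSON document and reports both numbers, with a switch for whether `LicenseRef-` values count as licenses and a heuristic (an assumption of this example, not something SPDX defines) that treats a package whose name is a bare SHA-256 digest and whose comment starts with "Layer" as a container layer. The sample document is constructed here and only mirrors the shape of the photon.json.txt snippet.

```python
"""Recompute scorecard-style SPDX metrics: version coverage and license breakdown."""
import json
import re

# Constructed sample SPDX 2.2 JSON document (not the real photon SBOM).
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "photon", "SPDXID": "SPDXRef-photon-3.0", "versionInfo": "3.0",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION"},
        {"name": "a" * 64,  # constructed layer digest; deliberately no versionInfo
         "SPDXID": "SPDXRef-layer1",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
         "comment": "Layer 1:\n\tinfo: Layer created by commands: (constructed)"},
        {"name": "bash", "SPDXID": "SPDXRef-bash", "versionInfo": "5.0",
         "licenseConcluded": "GPL-3.0-or-later", "licenseDeclared": "GPL-3.0-or-later"},
        {"name": "libfoo", "SPDXID": "SPDXRef-libfoo", "versionInfo": "1.2",
         "licenseConcluded": "LicenseRef-photon-libfoo", "licenseDeclared": "NOASSERTION"},
    ],
})

LAYER_DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")


def load_spdx(text):
    """Parse an SPDX JSON document from a string."""
    return json.loads(text)


def is_container_layer(pkg):
    """Heuristic (assumption of this example): name is a bare SHA-256 hex digest
    and the comment begins with 'Layer', as in the Tern-generated snippet."""
    name_is_digest = bool(LAYER_DIGEST_RE.match(pkg.get("name", "")))
    return name_is_digest and pkg.get("comment", "").startswith("Layer")


def version_coverage(doc, skip_layers=False):
    """Return (packages_with_versionInfo, packages_counted).
    With skip_layers=True, container-layer packages are left out of both numbers."""
    pkgs = [p for p in doc.get("packages", [])
            if not (skip_layers and is_container_layer(p))]
    with_version = sum(1 for p in pkgs if p.get("versionInfo"))
    return with_version, len(pkgs)


def classify_license(value):
    """Bucket a licenseConcluded/licenseDeclared value.
    Any expression containing a LicenseRef- token is bucketed as 'LicenseRef';
    everything else that is not NOASSERTION/NONE/empty is assumed to be an
    SPDX identifier or expression (no check against the SPDX license list here)."""
    if not value:
        return "missing"
    if value == "NOASSERTION":
        return "NOASSERTION"
    if value == "NONE":
        return "NONE"
    if "LicenseRef-" in value:
        return "LicenseRef"
    return "spdx-id"


def license_breakdown(doc, field="licenseConcluded"):
    """Count packages per license bucket for the chosen field."""
    counts = {}
    for p in doc.get("packages", []):
        kind = classify_license(p.get(field))
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def license_score(doc, field="licenseConcluded", count_licenserefs=True):
    """Fraction of packages whose `field` carries a usable license.
    Returns None (NA) rather than 0 when the document has no packages to score."""
    pkgs = doc.get("packages", [])
    if not pkgs:
        return None
    usable = {"spdx-id"} | ({"LicenseRef"} if count_licenserefs else set())
    found = sum(1 for p in pkgs if classify_license(p.get(field)) in usable)
    return found / len(pkgs)


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX_JSON)
    print("versions (all packages):   %d/%d" % version_coverage(doc))
    print("versions (layers skipped): %d/%d" % version_coverage(doc, skip_layers=True))
    for field in ("licenseConcluded", "licenseDeclared"):
        print(field, license_breakdown(doc, field),
              "score incl. LicenseRef:", license_score(doc, field),
              "excl.:", license_score(doc, field, count_licenserefs=False))
```

Point the loader at photon.json.txt instead of the constructed sample to reproduce the thread's numbers: with 25 `LicenseRef` plus 11 identifier values out of 38, `license_score` gives 36/38 counting LicenseRefs and 11/38 without, so whichever policy the scorecard adopts, 0% is not a value either reading supports.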