SPDX to Cyclonedx: no purl in converted component
I want to convert an SPDX SBOM to CycloneDX. The SBOM I want to convert is from the Google Distroless project, and one can get it via

```sh
cosign download attestation \
  --platform linux/amd64 \
  gcr.io/distroless/static-debian12:debug-nonroot@sha256:3d0f463de06b7ddff27684ec3bfd0b54a425149d0f8685308b1fdf297b0265e9 \
  | jq -r .payload \
  | base64 -d \
  | jq -r '.' > sbom.spdx.json
```
When converting the SBOM using ...
```sh
cyclonedx-cli convert \
  --input-format spdxjson \
  --input-file sbom.spdx.json \
  --output-format json \
  --output-file sbom.cdx.json
```

... I get a CycloneDX SBOM, BUT some components do NOT have a purl although there is a purl in the properties.
Example:
This tzdata SBOM component ...
```json
{
  "name": "tzdata",
  "SPDXID": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64",
  "versionInfo": "2025b-0+deb12u1",
  "supplier": "Person: GNU Libc Maintainers \\\\[email protected]\\\\u003e",
  "downloadLocation": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0+deb12u1_all.deb",
  "checksums": [
    {
      "algorithm": "SHA256",
      "checksumValue": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "homepage": "https://www.iana.org/time-zones",
  "copyrightText": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to [email protected]\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "summary": "time zone and daylight-saving time data",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"
    }
  ]
},
```
... gets converted to ...
```json
{
  "type": "library",
  "name": "tzdata",
  "version": "2025b-0\u002Bdeb12u1",
  "description": "time zone and daylight-saving time data\nThis package contains data required for the implementation of\nstandard local time for many representative locations around the\nglobe. It is updated periodically to reflect changes made by\npolitical bodies to time zone boundaries, UTC offsets, and\ndaylight-saving rules.",
  "hashes": [
    {
      "alg": "SHA-256",
      "content": "a17042cb951b80d0c9462a73dec6ad31fc6adeae4ed92209601dc97d1019d7f2"
    }
  ],
  "licenses": [
    {}
  ],
  "copyright": "Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/\nSource: https://www.iana.org/time-zones\nUpstream-Contact: The Internet Assigned Numbers Authority (IANA)\n Commentary should be addressed to [email protected]\n\nFiles: *\nCopyright: The Internet Assigned Numbers Authority (IANA)\nLicense: public-domain\n This database is in the public domain.\n",
  "externalReferences": [
    {
      "url": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb",
      "type": "distribution"
    },
    {
      "url": "https://www.iana.org/time-zones",
      "type": "website"
    }
  ],
  "properties": [
    {
      "name": "spdx:spdxid",
      "value": "SPDXRef--at-rules-underscore-distroless~~apt~bookworm-underscore-tzdata-underscore-2025b-0-p-deb12u1-underscore-amd64"
    },
    {
      "name": "spdx:package:summary",
      "value": "time zone and daylight-saving time data"
    },
    {
      "name": "spdx:external-reference:package-manager:purl",
      "value": "pkg:deb/debian/tzdata@2025b-0\u002Bdeb12u1?arch=all"
    },
    {
      "name": "spdx:download-location",
      "value": "https://snapshot.debian.org/archive/debian/20250327T204130Z/pool/main/t/tzdata/tzdata_2025b-0\u002Bdeb12u1_all.deb"
    },
    {
      "name": "spdx:homepage",
      "value": "https://www.iana.org/time-zones"
    }
  ]
}
```
As stated above, the new CDX component does NOT have a purl, but in properties there is `spdx:external-reference:package-manager:purl` which, as far as I understand, could be used.
Am I doing something wrong here?
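A component without a top-level `purl` is invisible to most vulnerability scanners and SBOM analysis tools, which match advisories on the `purl` (or `cpe`) field and ignore free-form properties, so an SBOM converted this way silently loses its vulnerability-correlation value. Until the converter maps the externalRef itself, a post-processing step can promote the property back into the first-class field. The script below is an added example, not code from this issue or from cyclonedx-cli; it assumes the property name `spdx:external-reference:package-manager:purl` seen in the converted output above, while the cpe property name in `PROPERTY_TO_FIELD` is a hypothetical placeholder you should adjust to whatever your converter emits. It never overwrites a field that is already present, skips values that are not syntactically a purl or cpe, and walks nested components.

```python
"""Promote SPDX external-reference properties into CycloneDX purl/cpe fields.

Added example (not part of the issue or of cyclonedx-cli).  Usage:
    python promote_purl.py sbom.cdx.json > sbom.fixed.cdx.json
"""
import json
import sys

# Property names cyclonedx-cli writes when it keeps an SPDX externalRef as a
# property instead of a first-class field.  The purl name is the one visible in
# the converted tzdata component; the cpe name is an ASSUMED placeholder.
PROPERTY_TO_FIELD = {
    "spdx:external-reference:package-manager:purl": "purl",
    "spdx:external-reference:security:cpe23type": "cpe",  # assumed name
}

# Minimal syntactic sanity check per field, so junk never lands in purl/cpe.
EXPECTED_PREFIX = {"purl": "pkg:", "cpe": "cpe:"}


def promote_properties(component):
    """Copy matching properties into first-class fields on one component.

    Returns the list of field names that were set.  Existing fields are never
    overwritten, and the property itself is left in place.
    """
    promoted = []
    for prop in component.get("properties", []):
        field = PROPERTY_TO_FIELD.get(prop.get("name", "").lower())
        if field is None or field in component:
            continue  # unknown property, or the field already exists
        value = prop.get("value", "")
        if not value.startswith(EXPECTED_PREFIX[field]):
            continue  # value is not a well-formed purl/cpe, leave it alone
        component[field] = value
        promoted.append(field)
    return promoted


def walk_components(components):
    """Yield every component, including nested ones (assemblies, bundles)."""
    for comp in components:
        yield comp
        yield from walk_components(comp.get("components", []))


def fix_bom(bom):
    """Promote properties across the whole BOM; returns the number of fields set."""
    count = 0
    for comp in walk_components(bom.get("components", [])):
        count += len(promote_properties(comp))
    return count


def sample_bom():
    """Constructed minimal CycloneDX document mirroring the converted tzdata
    component above, plus a second constructed component that already carries a
    purl (to show that existing values are preserved)."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "library",
                "name": "tzdata",
                "version": "2025b-0+deb12u1",
                "properties": [
                    {"name": "spdx:package:summary",
                     "value": "time zone and daylight-saving time data"},
                    {"name": "spdx:external-reference:package-manager:purl",
                     "value": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"},
                ],
            },
            {
                "type": "library",
                "name": "example-lib",  # constructed
                "version": "1.0",
                "purl": "pkg:generic/example-lib@1.0",
                "properties": [
                    {"name": "spdx:external-reference:package-manager:purl",
                     "value": "pkg:generic/example-lib@2.0"},
                ],
            },
        ],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = sample_bom()
    n = fix_bom(bom)
    print(json.dumps(bom, indent=2))
    print(f"promoted {n} field(s)", file=sys.stderr)
```

Running it on the converted `sbom.cdx.json` from the issue adds `"purl": "pkg:deb/debian/tzdata@2025b-0+deb12u1?arch=all"` to the tzdata component while leaving the property in place, and re-running it is a no-op, so it is safe to wire into a CI step right after `cyclonedx-cli convert`.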
I also have this problem. I need the purl and the cpe externalRefs converted.
compare also https://github.com/CycloneDX/cyclonedx-cli/issues/354