gh-sbom
Generate SBOMs with gh CLI
`-R` is used everywhere else in `gh` to specify a repository other than from the current working directory. It would be nice to align with the rest of the `gh`...
2023/06/19 12:09:25 non-200 OK status code: 502 Bad Gateway body: "{\n \"data\": null,\n \"errors\":[\n {\n \"message\":\"Something went wrong while executing your query. This may be the result of a timeout,...
### Description I'm receiving the following error instead of a successful response when executing the command (on a private repository): `gh sbom -l | jq` ``` 2023/03/16 08:42:24 non-200 OK...
I'm getting this error: > 2023/04/06 12:59:14 Message: timedout, Locations: [{Line:1 Column:155}]
Value : pkg:githubactions/huggingface/doc-builder/.github/workflows/delete_doc_comment.yml@use_hf_hub Expected: PURL spec: scheme:type/namespace/name@version?qualifiers#subpath Reference: https://github.com/package-url/purl-spec#purl SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json
Value: SPDXRef-actions-actions/checkout-3 Expected: SPDXID only supports string containing letters, numbers, ".", "-". Reference: https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json
Value: "versionInfo":"main" Expected: versionInfo main is not a valid version for : actions:huggingface/doc-builder/.github/workflows/build_pr_documentation.yml SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json
Invalid purl type: githubactions Value: pkg:githubactions/actions/checkout@2 Expected: githubactions is not included as a valid type in PURL spec Reference: https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json
versionInfo value is incorrect Value: versionInfo: \u003e= 1.17 for pip-numpy Expected: 1.17 is a valid version for pip-numpy Reference: https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L438 SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json
The documentDescribes is deprecated in SPDX2.3.1 and replaced by relationship Describes. Value: ""documentDescribes"":[ ""com.github.huggingface/accelerate"" ]," Reference: https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L220 SBOM URL: | https://sbomlc.s3.amazonaws.com/gh-sbom-v0.0.9_accelerate-0.18.0.spdx.json?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=OwGArrr6ZDlkpgUCzBaKEpDa%2Fl8%3D&Expires=1713580541 QS URL: | https://sbombenchmark.dev/score/gh-sbom-v0.0.9_huggingface-hub-0.13.4.spdx.json