SPDX SBOM does not include pedigree patches #1583

Description

@slimreaper35

Hermeto records patch provenance for patched dependencies in CycloneDX via pedigree patches, but that metadata is not carried over when the SBOM is converted to SPDX format, and the patch information is effectively dropped.

The SPDX v2 specification defines a similar way to report patches: the externalRefs object. See spdx-spec/v2.3.

--
https://github.com/hermetoproject/integration-tests/tree/yarn/v4
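The loss described in this issue, checked and repaired on constructed sample data. This is an added example and not Hermeto's own code; it assumes that a CycloneDX `pedigree.patches` entry with a diff URL maps to an SPDX 2.3 package externalRef with referenceCategory `SECURITY` and referenceType `fix`, which is one possible mapping and not a decision the project has made.

```python
import json

# Constructed sample: a CycloneDX component whose patch is recorded under pedigree.patches.
CYCLONEDX = json.loads("""{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [{"type": "library",
  "name": "example-lib", "version": "1.2.3", "purl": "pkg:npm/example-lib@1.2.3", "pedigree": {"patches": [
  {"type": "unofficial", "diff": {"url": "https://example.invalid/patches/example-lib.patch"}}]}}]}""")

# Constructed sample: the same package after a conversion that kept the purl but lost the patch.
SPDX_LOSSY = json.loads("""{"spdxVersion": "SPDX-2.3", "packages": [{"SPDXID": "SPDXRef-example-lib",
  "name": "example-lib", "versionInfo": "1.2.3", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
  "referenceType": "purl", "referenceLocator": "pkg:npm/example-lib@1.2.3"}]}]}""")

def cyclonedx_patches(bom):
    """Map purl -> patch diff URLs recorded under component.pedigree.patches."""
    out = {}
    for comp in bom.get("components", []):
        urls = [p.get("diff", {}).get("url") for p in comp.get("pedigree", {}).get("patches", [])]
        if any(urls):
            out[comp["purl"]] = [u for u in urls if u]
    return out

def spdx_fix_refs(doc):
    """Map purl -> locators of SECURITY/fix externalRefs on the same SPDX package."""
    out = {}
    for pkg in doc.get("packages", []):
        refs = pkg.get("externalRefs", [])
        fixes = [r["referenceLocator"] for r in refs
                 if r.get("referenceCategory") == "SECURITY" and r.get("referenceType") == "fix"]
        for r in refs:
            if r.get("referenceType") == "purl":
                out[r["referenceLocator"]] = fixes
    return out

def dropped_patches(bom, doc):
    """Return {purl: [patch URLs]} recorded in CycloneDX pedigree but absent from SPDX."""
    kept = spdx_fix_refs(doc)
    missing = {purl: [u for u in urls if u not in kept.get(purl, [])]
               for purl, urls in cyclonedx_patches(bom).items()}
    return {purl: urls for purl, urls in missing.items() if urls}

def add_fix_refs(doc, bom):
    """Carry each dropped patch over as a SECURITY/fix externalRef (assumed mapping); returns doc."""
    dropped = dropped_patches(bom, doc)
    for pkg in doc.get("packages", []):
        refs = pkg.setdefault("externalRefs", [])
        for purl in [r["referenceLocator"] for r in refs if r.get("referenceType") == "purl"]:
            refs.extend({"referenceCategory": "SECURITY", "referenceType": "fix",
                         "referenceLocator": u} for u in dropped.get(purl, []))
    return doc
```

Running `dropped_patches` against a converted SPDX document is a cheap CI gate for this regression: any non-empty result means patch provenance was silently lost in conversion.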
