SBOM dependency semantics in SPDX and CycloneDx
While the schemas of SPDX and CycloneDX SBOMs are fixed by their specifications, the dependency entries in a generated SBOM can look very different. The result depends on the phase of the software development lifecycle in which the SBOM is generated and on how completely the generator supports the features of the format.
The following are examples of SBOMs generated by different tools in the different phases of the software development lifecycle. Unfortunately, no single dependency was found by every investigated tool in every phase, so different dependencies serve as examples. The base example is Apache Commons Compress as found in the SBOMs generated for Jenkins. Scancode, Tern and Microsoft Container Scan did not detect it, so related examples were selected for them.
CdxGen
While the detected dependencies in the container and release scans are exactly the same, they differ considerably from the results of the source scan. This is probably because the sources carry a reference to the Maven repository, from which the SBOM can be enriched with additional information; the generator was not able to do that for the analyzed container and release. In the source scan, the license information and the hashes, together with the description, are the main advantages over the container and release scans. CdxGen does not support SPDX output, so the SPDX SBOMs were converted from the CycloneDX SBOMs, which produced identical results for all three phases. The converted source entry states that the package information was acquired from the installed Java archive, but this seems unlikely given the original CycloneDX results, which point to the POM.
CdxGen examples
SPDX
Container *
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-a96a520872d46711",
"sourceInfo": "acquired package info from installed java archive: ",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"licenseDeclared": "NONE",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NONE"
}
Release *
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-a96a520872d46711",
"sourceInfo": "acquired package info from installed java archive: ",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"licenseDeclared": "NONE",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NONE"
}
Source *
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-8e53f31ba378552b",
"sourceInfo": "acquired package info from installed java archive: ",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0?type=jar",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"licenseDeclared": "Apache-2.0",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "Apache-2.0"
}
CycloneDx
Container
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"author" : "",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"version" : "1.23.0",
"licenses" : [ ],
"publisher" : "",
"properties" : [ {
"name" : "SrcFile",
"value" : "commons-compress-1.23.0.jar"
} ],
"description" : ""
}
Release
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"author" : "",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"version" : "1.23.0",
"licenses" : [ ],
"publisher" : "",
"properties" : [ {
"name" : "SrcFile",
"value" : "commons-compress-1.23.0.jar"
} ],
"description" : ""
}
Source
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?type=jar",
"type" : "library",
"group" : "org.apache.commons",
"scope" : "required",
"author" : "",
"hashes" : [ {
"alg" : "MD5",
"content" : "96b88349958aeaa15cdf6e5e877bdced"
}, {
"alg" : "SHA-1",
"content" : "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}, {
"alg" : "SHA-256",
"content" : "c267f17160e9ef662b4d78b7f29dca7c82b15c5cff2cb6a9865ef4ab3dd5b787"
}, {
"alg" : "SHA-512",
"content" : "e1ee5b7526ca1b6b67b3a6671d13899048f078bf0e73c1e9c601d947dcc9fd5c78cec9592b2a7a586faf4a7fba1c6885f679375cc2f06680a13ecfdad1ed41dd"
}, {
"alg" : "SHA-384",
"content" : "10e49e696c18750c37eee7807aca1ef28fadf2c9da6eabb3b5443bb0e1fa8ebd6638addb2042f27e9a9874495eb10d1c"
}, {
"alg" : "SHA3-384",
"content" : "fe9088b53e6a4e89332b61320b31f206b9217f3eb0adc66968a7d82c020ff263b39b686bcef6ef672d14954515edc514"
}, {
"alg" : "SHA3-256",
"content" : "9e2ed6dd76655e6c27cd0e4e27a00c32f6e08ad058be4865a33268781484424f"
}, {
"alg" : "SHA3-512",
"content" : "30b82c3fe576ed24cd82f2941c5bceccd8ceca3b868b91d0f8cdc2d64ac801101c47519ef4984a7af3b5f1a18e5e87bc6572ac8d21f4b91e689d3cd2e0f14694"
} ],
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?type=jar",
"version" : "1.23.0",
"licenses" : [ {
"license" : {
"id" : "Apache-2.0",
"url" : "https://www.apache.org/licenses/LICENSE-2.0"
}
} ],
"publisher" : "The Apache Software Foundation",
"description" : "Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj."
}
Github
GitHub provides an SPDX SBOM with the basic information needed for the major use cases: checking the version of a dependency, identifying it by a valid purl, and retrieving the license information.
Github examples
SPDX
Source
{
"name": "maven:org.apache.commons:commons-compress",
"SPDXID": "SPDXRef-maven-org.apache.commons-commons-compress-1.23.0",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"filesAnalyzed": false,
"licenseDeclared": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "Apache-2.0"
}
CycloneDx
Source *
{
"name" : "maven:org.apache.commons:commons-compress",
"purl" : "pkg:/",
"type" : "library",
"bom-ref" : "2aef1f5724a5f5f0",
"properties" : [ {
"name" : "syft:package:metadataType",
"value" : "UnknownMetadata"
}, {
"name" : "syft:package:type",
"value" : "UnknownPackage"
} ]
}
Microsoft
Unfortunately, Microsoft was not able to detect Apache Commons Compress in the container, only in the sources. For this reason, a Debian package is used as the container example. Microsoft was also not able to detect any dependencies in the release files. Nevertheless, the information it provides is semantically identical across formats; the CycloneDX output was converted from the SPDX data.
Microsoft examples
SPDX
Container
{
"name": "adduser",
"SPDXID": "SPDXRef-Package-A492AF39E5B4AFFA030353AF3F6B7663F0CC1C132B833B593B77ABBE1734DCE0",
"supplier": "NOASSERTION",
"versionInfo": "3.118",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:deb/debian/adduser@3.118",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}
Release
(Microsoft was not able to find any dependencies for release files. So it's not applicable here.)
Source
{
"name": "org.apache.commons.commons-compress",
"SPDXID": "SPDXRef-Package-653E28448706A19D5259E87DFB128D606C32AAB1FE54518D2AD74A8A5DFB0CCD",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}
CycloneDx
Container *
{
"name" : "adduser",
"purl" : "pkg:deb/debian/adduser@3.118",
"type" : "library",
"bom-ref" : "pkg:deb/debian/adduser@3.118?package-id=e4109f9b02aa5cf7",
"version" : "3.118",
"properties" : [ {
"name" : "syft:package:metadataType",
"value" : "DpkgMetadata"
}, {
"name" : "syft:package:type",
"value" : "deb"
}, {
"name" : "syft:metadata:installedSize",
"value" : "0"
} ]
}
Release *
(Microsoft was not able to find any dependencies for release files. So it's not applicable here.)
Source *
{
"name" : "org.apache.commons.commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=282727a515d61d07",
"version" : "1.23.0",
"properties" : [ {
"name" : "syft:package:language",
"value" : "java"
}, {
"name" : "syft:package:metadataType",
"value" : "JavaMetadata"
}, {
"name" : "syft:package:type",
"value" : "java-archive"
} ]
}
Scancode
The Scancode SBOMs were generated as CycloneDX and converted to SPDX. Scancode was also not able to detect Apache Commons Compress in the source code, so another dependency was picked as an example. While the information looks very complete and enriched, the quality of the data is lacking. Optional values like comments or copyright are initialized with null, and the version is given as an unresolved variable, which is likely a Maven property used to define the version in a unified way across all POM files. The depth of the scan is also lacking: only Jenkins-related libraries are listed, but no dependencies imported via Maven.
Scancode examples
SPDX
Source *
{
"name": "cli",
"SPDXID": "SPDXRef-Package-java-archive-cli-299c2129a56a6735",
"sourceInfo": "acquired package info from installed java archive: ",
"versionInfo": "${revision}${changelist}",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.jenkins-ci.main/cli@%24%7Brevision%7D%24%7Bchangelist%7D",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"licenseDeclared": "NONE",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NONE"
}
CycloneDx
Source
{
"name" : "cli",
"purl" : "pkg:maven/org.jenkins-ci.main/cli@%24%7Brevision%7D%24%7Bchangelist%7D",
"type" : "library",
"group" : "org.jenkins-ci.main",
"scope" : "required",
"author" : null,
"hashes" : [ ],
"bom-ref" : "pkg:maven/org.jenkins-ci.main/cli@%24%7Brevision%7D%24%7Bchangelist%7D",
"version" : "${revision}${changelist}",
"licenses" : [ ],
"copyright" : null,
"properties" : [ ],
"description" : "Jenkins cli\nCommand line interface for Jenkins",
"externalReferences" : [ {
"url" : "https://repo1.maven.org/maven2/org/jenkins-ci/main/cli/${revision}${changelist}/cli-${revision}${changelist}.pom",
"type" : "bom",
"hashes" : [ ],
"comment" : null
}, {
"url" : "https://github.com/jenkinsci/jenkins",
"type" : "website",
"hashes" : [ ],
"comment" : null
}, {
"url" : "https://repo1.maven.org/maven2/org/jenkins-ci/main/cli/${revision}${changelist}/cli-${revision}${changelist}.jar",
"type" : "distribution",
"hashes" : [ ],
"comment" : null
}, {
"url" : "https://repo1.maven.org/maven2/org/jenkins-ci/main/cli/${revision}${changelist}/",
"type" : "website",
"hashes" : [ ],
"comment" : null
} ]
}
Syft
Syft provides a very well-enriched result in both SPDX and CycloneDX. It supports both output formats and provides lots of information, such as several reference locators of type purl and also CPE. It also makes transparent how this information was obtained: the source results are based on the POM file, while the container and release results are derived from the installed Java archive. However, although Syft reads the POM file, it does not use this information, as CdxGen does, to enrich the SBOM with additional data from the package registry, such as hashes or license information. Also, the container and release scans refer to the Apache 2.0 license by URL rather than by SPDX identifier. This makes the SPDX results especially hard to process, since the license appears as a LicenseRef derived from the URL.
Syft examples
SPDX
Container
{
"name" : "commons-compress",
"SPDXID" : "SPDXRef-Package-java-archive-commons-compress-591e913d9a6a50d4",
"checksums" : [ {
"algorithm" : "SHA1",
"checksumValue" : "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
} ],
"sourceInfo" : "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"versionInfo" : "1.23.0",
"externalRefs" : [ {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "purl",
"referenceLocator" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory" : "PACKAGE-MANAGER"
} ],
"copyrightText" : "NOASSERTION",
"filesAnalyzed" : false,
"licenseDeclared" : "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"downloadLocation" : "NOASSERTION",
"licenseConcluded" : "NOASSERTION"
}
Release
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-965a8d8b56319b5d",
"checksums": [ {
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
} ],
"sourceInfo": "acquired package info from installed java archive: /jenkins.war",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
}, {
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
}, {
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
}, {
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
}, {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}
Source
{
"name" : "commons-compress",
"SPDXID" : "SPDXRef-Package-java-archive-commons-compress-956f2e1e635d2c2e",
"sourceInfo" : "acquired package info from installed java archive: /core/pom.xml",
"externalRefs" : [ {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons-compress:*:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "cpe23Type",
"referenceLocator" : "cpe:2.3:a:apache:commons:*:*:*:*:*:*:*:*",
"referenceCategory" : "SECURITY"
}, {
"referenceType" : "purl",
"referenceLocator" : "pkg:maven/org.apache.commons/commons-compress",
"referenceCategory" : "PACKAGE-MANAGER"
} ],
"copyrightText" : "NOASSERTION",
"filesAnalyzed" : false,
"licenseDeclared" : "NOASSERTION",
"downloadLocation" : "NOASSERTION",
"licenseConcluded" : "NOASSERTION"
}
CycloneDx
Container
{
"cpe" : "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=591e913d9a6a50d4",
"version" : "1.23.0",
"licenses" : [ {
"license" : {
"name" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
} ],
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "java-cataloger"
}, {
"name" : "syft:package:language",
"value" : "java"
}, {
"name" : "syft:package:metadataType",
"value" : "JavaMetadata"
}, {
"name" : "syft:package:type",
"value" : "java-archive"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:layerID",
"value" : "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
}, {
"name" : "syft:location:0:path",
"value" : "/usr/share/jenkins/jenkins.war"
}, {
"name" : "syft:metadata:-:artifactID",
"value" : "commons-compress"
}, {
"name" : "syft:metadata:-:groupID",
"value" : "org.apache.commons"
}, {
"name" : "syft:metadata:virtualPath",
"value" : "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
} ],
"externalReferences" : [ {
"url" : "",
"type" : "build-meta",
"hashes" : [ {
"alg" : "SHA-1",
"content" : "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
} ]
} ]
}
Release
{
"cpe" : "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=965a8d8b56319b5d",
"version" : "1.23.0",
"licenses" : [ {
"license" : {
"name" : "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
} ],
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "java-cataloger"
}, {
"name" : "syft:package:language",
"value" : "java"
}, {
"name" : "syft:package:metadataType",
"value" : "JavaMetadata"
}, {
"name" : "syft:package:type",
"value" : "java-archive"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:path",
"value" : "/jenkins.war"
}, {
"name" : "syft:metadata:-:artifactID",
"value" : "commons-compress"
}, {
"name" : "syft:metadata:-:groupID",
"value" : "org.apache.commons"
}, {
"name" : "syft:metadata:virtualPath",
"value" : "/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
} ],
"externalReferences" : [ {
"url" : "",
"type" : "build-meta",
"hashes" : [ {
"alg" : "SHA-1",
"content" : "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
} ]
} ]
}
Source
{
"cpe" : "cpe:2.3:a:apache:commons-compress:*:*:*:*:*:*:*:*",
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress?package-id=956f2e1e635d2c2e",
"properties" : [ {
"name" : "syft:package:foundBy",
"value" : "java-pom-cataloger"
}, {
"name" : "syft:package:language",
"value" : "java"
}, {
"name" : "syft:package:metadataType",
"value" : "JavaMetadata"
}, {
"name" : "syft:package:type",
"value" : "java-archive"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons_compress:*:*:*:*:*:*:*:*"
}, {
"name" : "syft:cpe23",
"value" : "cpe:2.3:a:apache:commons:*:*:*:*:*:*:*:*"
}, {
"name" : "syft:location:0:path",
"value" : "/core/pom.xml"
}, {
"name" : "syft:metadata:-:artifactID",
"value" : "commons-compress"
}, {
"name" : "syft:metadata:-:groupID",
"value" : "org.apache.commons"
} ]
}
Tern
While Tern supports output in both SPDX and CycloneDX, the SPDX output is much better than the CycloneDX output. The SPDX output provides a comment, a supplier and a copyright text, all of which are missing in the CycloneDX output.
Tern examples
SPDX
Container
{
"name" : "adduser",
"SPDXID" : "SPDXRef-adduser-3.118",
"comment" : "adduser:\n\twarning: No metadata for key: pkg_license\n\twarning: No metadata for key: download_url\n\twarning: No metadata for key: checksum\n\twarning: No metadata for key: pkg_format\n",
"supplier" : "Organization: Debian GNU/Linux",
"versionInfo" : "3.118",
"externalRefs" : [ {
"referenceType" : "purl",
"referenceLocator" : "pkg:deb/debian/adduser@3.118?arch=all",
"referenceCategory" : "PACKAGE-MANAGER"
} ],
"copyrightText" : "This package was first put together by Ian Murdock\n<imurdock@debian.org> and was maintained by Steve Phillips\n<sjp@cvfn.org> from sources written for the Debian Project by Ian\nMurdock, Ted Hajek <tedhajek@boombox.micro.umn.edu>, and Sven Rudolph\n<sr1@inf.tu-dresden.de>.\n\nSince Nov 27 1996, it was maintained by Guy Maor <maor@debian.org>. He\nrewrote most of it.\n\nSince May 20 2000, it is maintained by Roland Bauerschmidt\n<rb@debian.org>.\n\nSince March 24 2004, it is maintained by Roland Bauerschmidt\n<rb@debian.org>, and co-maintained by Marc Haber\n<mh+debian-packages@zugschlus.de>\n\nSince 23 Oct 2005, it has been maintained by Joerg Hoh <joerg@joerghoh.de> \n\nSince June 2006, it has been maintained by Stephen Gran <sgran@debian.org>\n\ndeluser is Copyright (C) 2000 Roland Bauerschmidt <rb@debian.org>\nand based on the source code of adduser.\n\nadduser is Copyright (C) 1997, 1998, 1999 Guy Maor <maor@debian.org>.\nadduser is Copyright (C) 1995 Ted Hajek <tedhajek@boombox.micro.umn.edu>\nwith portions Copyright (C) 1994 Debian Association, Inc.\n\nThe examples directory has been contributed by John Zaitseff, and is\nGPL V2 as well.\n\n This program is free software; you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation; either version 2 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program; if not, write to the\n Free Software Foundation, Inc.,\n 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.\n\nOn Debian GNU/Linux systems, the complete text of the GNU General\nPublic License can be found in `/usr/share/common-licenses/GPL-2'.\n",
"filesAnalyzed" : false,
"licenseDeclared" : "NONE",
"downloadLocation" : "NOASSERTION",
"licenseConcluded" : "NOASSERTION"
}
CycloneDx
Container
{
"name" : "adduser",
"purl" : "pkg:deb/debian/adduser@3.118",
"type" : "application",
"version" : "3.118"
}
Trivy
Trivy was only able to detect dependencies in the container and the sources, not in the release files. Trivy detected most of the basic information; only the license information is missing in this instance. It was also the only tool that generated the field 'primaryPackagePurpose'. While the CycloneDX files make transparent what the dependency was detected from, such as the JAR file or the POM file, this information is not added to the SPDX file.
Trivy examples
SPDX
Container
{
"name": "org.apache.commons:commons-compress",
"SPDXID": "SPDXRef-Package-cfaa6639945e87ae",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "",
"licenseDeclared": "NONE",
"attributionTexts": [
"LayerDiffID: sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
],
"downloadLocation": "NONE",
"licenseConcluded": "NONE",
"primaryPackagePurpose": "LIBRARY"
}
Release
(Trivy was not able to find any dependencies for release files. So it's not applicable here.)
Source
{
"name": "org.apache.commons:commons-compress",
"SPDXID": "SPDXRef-Package-14268540a8363da4",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0",
"externalRefs": [ {
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
} ],
"copyrightText": "",
"licenseDeclared": "NONE",
"downloadLocation": "NONE",
"licenseConcluded": "NONE",
"primaryPackagePurpose": "LIBRARY"
}
CycloneDx
Container
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?file_path=usr%2Fshare%2Fjenkins%2Fjenkins.war%2FWEB-INF%2Flib%2Fcommons-compress-1.23.0.jar",
"version" : "1.23.0",
"properties" : [ {
"name" : "aquasecurity:trivy:FilePath",
"value" : "usr/share/jenkins/jenkins.war/WEB-INF/lib/commons-compress-1.23.0.jar"
}, {
"name" : "aquasecurity:trivy:LayerDiffID",
"value" : "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
}, {
"name" : "aquasecurity:trivy:PkgType",
"value" : "jar"
} ]
}
Release
(Trivy was not able to find any dependencies for release files. So it's not applicable here.)
Source
{
"name" : "org.apache.commons:commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"version" : "1.23.0",
"properties" : [ {
"name" : "aquasecurity:trivy:PkgType",
"value" : "pom"
} ]
}
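Across the outputs above the same dependency is described with different field names (versionInfo vs. version, externalRefs purl vs. purl, licenseConcluded vs. licenses[].license.id), and several entries carry the defects discussed in the text: a license given as a LicenseRef derived from a URL, a version that is an unresolved Maven property, a converted entry with the purl "pkg:/", and NONE/NOASSERTION in place of data. The following Python is an added example, not code from any of the generators discussed, of how a consumer can map both formats onto one record shape, flag those defects, and report which fields disagree between tools for the same purl. The inputs are trimmed copies of the page's own examples, and the rule for turning a URL-derived LicenseRef back into an SPDX identifier (replace ':' and '/' with '-') is inferred from the Syft output and is an assumption.

```python
"""Normalise SPDX and CycloneDX package entries and flag quality defects (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

EMPTY = {None, "", "NONE", "NOASSERTION"}
# Assumption: hand-maintained table of license URLs that generators emit instead of an SPDX id.
LICENSE_URL_TO_ID = {
    "https://www.apache.org/licenses/LICENSE-2.0.txt": "Apache-2.0",
    "https://www.apache.org/licenses/LICENSE-2.0": "Apache-2.0",
}
# Assumption inferred from the Syft output: LicenseRef built from a URL by replacing ':' and '/' with '-'.
LICENSE_REF_TO_ID = {"LicenseRef-" + re.sub(r"[:/]", "-", u): i for u, i in LICENSE_URL_TO_ID.items()}
UNRESOLVED_PROPERTY = re.compile(r"\$\{[^}]*\}")      # e.g. ${revision}${changelist}
PURL_FORM = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#]+")  # pkg:type/namespace/name; rejects "pkg:/"


@dataclass
class Package:
    tool: str
    fmt: str
    name: str
    version: Optional[str]
    purl: Optional[str]
    license: Optional[str]
    hashes: dict = field(default_factory=dict)  # algorithm name without dashes -> hex digest


def from_spdx(tool, pkg):
    """Map one SPDX 'packages' entry; prefer licenseConcluded, fall back to licenseDeclared."""
    purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"), None)
    lic = pkg.get("licenseConcluded")
    if lic in EMPTY:
        lic = pkg.get("licenseDeclared")
    hashes = {c["algorithm"].upper(): c["checksumValue"] for c in pkg.get("checksums", [])}
    return Package(tool, "spdx", pkg["name"], pkg.get("versionInfo"), purl, lic, hashes)


def from_cyclonedx(tool, comp):
    """Map one CycloneDX 'components' entry; a license may carry an id or only a name."""
    lic = None
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {}).get("id") or entry.get("license", {}).get("name")
        if lic:
            break
    hashes = {h["alg"].replace("-", "").upper(): h["content"] for h in comp.get("hashes", [])}
    return Package(tool, "cyclonedx", comp["name"], comp.get("version"), comp.get("purl"), lic, hashes)


def normalise_license(lic):
    """Return (spdx_id or None, indirect); indirect means the generator gave a URL or LicenseRef."""
    if lic in EMPTY:
        return None, False
    if lic in LICENSE_URL_TO_ID:
        return LICENSE_URL_TO_ID[lic], True
    if lic in LICENSE_REF_TO_ID:
        return LICENSE_REF_TO_ID[lic], True
    return lic, False


def quality_issues(p):
    """Defects a consumer should reject or at least record before relying on the entry."""
    issues = []
    if not p.purl or not PURL_FORM.match(p.purl):
        issues.append("purl missing or malformed")
    if p.version in EMPTY:
        issues.append("version missing")
    elif UNRESOLVED_PROPERTY.search(p.version):
        issues.append("version is an unresolved build property")
    lic, indirect = normalise_license(p.license)
    if lic is None:
        issues.append("license missing")
    elif indirect:
        issues.append("license given by URL, not SPDX id")
    if not p.hashes:
        issues.append("no hashes")
    return issues


def purl_key(purl):
    """purl without qualifiers or subpath so '?type=jar' variants compare equal."""
    return purl.split("?", 1)[0].split("#", 1)[0] if purl else None


def compare(packages):
    """Group records by qualifier-free purl and list the fields on which tools disagree."""
    groups = {}
    for p in packages:
        groups.setdefault(purl_key(p.purl), []).append(p)
    report = {}
    for key, members in groups.items():
        fields = {"version": {m.version for m in members},
                  "license": {normalise_license(m.license)[0] for m in members},
                  "sha1": {m.hashes.get("SHA1") for m in members}}
        report[key] = sorted(f for f, values in fields.items() if len(values) > 1)
    return report


# Constructed inputs: trimmed copies of the entries shown on this page.
SAMPLES = [
    from_spdx("cdxgen-container", {"name": "commons-compress", "versionInfo": "1.23.0",
        "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"}],
        "licenseDeclared": "NONE", "licenseConcluded": "NONE"}),
    from_cyclonedx("cdxgen-source", {"name": "commons-compress", "version": "1.23.0",
        "purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0?type=jar",
        "hashes": [{"alg": "SHA-1", "content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"}],
        "licenses": [{"license": {"id": "Apache-2.0"}}]}),
    from_spdx("syft-container", {"name": "commons-compress", "versionInfo": "1.23.0",
        "checksums": [{"algorithm": "SHA1", "checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"}],
        "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"}],
        "licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt", "licenseConcluded": "NOASSERTION"}),
    from_cyclonedx("scancode-source", {"name": "cli", "version": "${revision}${changelist}",
        "purl": "pkg:maven/org.jenkins-ci.main/cli@%24%7Brevision%7D%24%7Bchangelist%7D", "licenses": [], "hashes": []}),
    from_cyclonedx("github-converted", {"name": "maven:org.apache.commons:commons-compress", "purl": "pkg:/"}),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.tool:18} {p.fmt:9} {quality_issues(p) or 'ok'}")
    print(compare(SAMPLES))
```

Run as a script it prints one line per entry with its defects and then the per-purl disagreement report; for the Commons Compress entries the tools agree on the version but not on the license or the SHA-1, which is exactly the gap between the container and source scans described above. The license table and the LicenseRef rule are the parts a real consumer would have to extend.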
Conclusion
The assessment of SBOM generators has shown that there are stronger and weaker tools, but it also shows that the quality of the produced results reflects much of the complexity of the software product itself. This goes beyond a simple scoring that ranks the tools, because the results depend not only on the quality of the tooling but also on the use case it is applied to.
The quality of an SBOM is mostly determined by whether the tooling used to generate and process it supports the programming language, the build process, and the other factors of the software development lifecycle.
The quality of an SBOM is also very much determined by the use case for which it is later used. If an SBOM is primarily used for license checks, asset management, or security-related checks, this should already be taken into account at generation time, because different tools produce results with different use cases in mind. This is easier said than done, since the party that produces the SBOM is often not the party that consumes it. For this reason, it is expedient to communicate the intended use cases of an SBOM together with its generation context at publication.