Converting SBOMs between SPDX and CycloneDx
9/27/23About 92 min
Converting SBOMs between SPDX and CycloneDx
When discussing SBOMs, two prominent formats are widely recognized in the industry: SPDX (Software Package Data Exchange), backed by the Linux Foundation, and CycloneDx, supported by OWASP. Both schemas are compatible with various data types, such as XML, JSON, or YAML.
However, not all tools support both formats. Some tools can only generate, consume, or process one of the two. In some cases, they only support specific versions of these formats. As a result, there emerged a need to convert SBOMs between SPDX and CycloneDx.
Over the past few weeks, I've engaged extensively with SBOMs and experimented with different tools to convert them. In this blog post, I like to share some of the insights I've gathered during this process. For further details on the generation of SBOMs, you can refer to my previous post here
Preperation
As a starting point I chose SBOMs generated using the Syft generator developed by Anchore. I've previously written a blog about various SBOM generators, and my research indicates that Syft produces a notably feature-rich SBOM. I believe it offers a solid example for understanding how different converters navigate the mapping between SPDX and CycloneDx. While there are myriad aspects to consider when converting an SBOM, I'll specifically delve into the mapping of dependencies within an SBOM. As an additional sample, I've chosen SBOMs generated with Trivy to ensure the Syft converter isn't just excelling in familiar territory.
To this end, I utilized an SBOM I crafted during the analysis of a Jenkins docker container. My primary focus will be on the Apache commons-compress library. Thus far, I've identified four distinct tools capable of converting an SBOM between SPDX and CycloneDx.
Original Data | Click to expand
Syft command to generate original data
syft jenkins/jenkins:latest -o spdx-json=original.syft.spdx.json -o cyclonedx-json=original.syft.cdx.jsonOriginal Syft SPDX data
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-591e913d9a6a50d4",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"versionInfo": "1.23.0",
"externalRefs": [
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
}
],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}Original Syft CycloneDx data
{
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name": "commons-compress",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type": "library",
"group": "org.apache.commons",
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=591e913d9a6a50d4",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"properties": [
{
"name": "syft:package:foundBy",
"value": "java-cataloger"
},
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
},
{
"name": "syft:location:0:path",
"value": "/usr/share/jenkins/jenkins.war"
},
{
"name": "syft:metadata:-:artifactID",
"value": "commons-compress"
},
{
"name": "syft:metadata:-:groupID",
"value": "org.apache.commons"
},
{
"name": "syft:metadata:virtualPath",
"value": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
}
],
"externalReferences": [
{
"url": "",
"type": "build-meta",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
]
}
]
}Original Trivy SPDX data
Command
trivy image jenkins/jenkins:latest --format spdx-json --output original.trivy.spdx.json{
"name" : "org.apache.commons:commons-compress",
"SPDXID" : "SPDXRef-Package-cfaa6639945e87ae",
"supplier" : "NOASSERTION",
"versionInfo" : "1.23.0",
"externalRefs" : [ {
"referenceType" : "purl",
"referenceLocator" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory" : "PACKAGE-MANAGER"
} ],
"copyrightText" : "",
"licenseDeclared" : "NONE",
"attributionTexts" : [ "LayerDiffID: sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6" ],
"downloadLocation" : "NONE",
"licenseConcluded" : "NONE",
"primaryPackagePurpose" : "LIBRARY"
}Original Trivy CycloneDx data
Command
trivy image jenkins/jenkins:latest --format cyclonedx --output original.trivy.cdx.json{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?file_path=usr%2Fshare%2Fjenkins%2Fjenkins.war%2FWEB-INF%2Flib%2Fcommons-compress-1.23.0.jar",
"version" : "1.23.0",
"properties" : [ {
"name" : "aquasecurity:trivy:FilePath",
"value" : "usr/share/jenkins/jenkins.war/WEB-INF/lib/commons-compress-1.23.0.jar"
}, {
"name" : "aquasecurity:trivy:LayerDiffID",
"value" : "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
}, {
"name" : "aquasecurity:trivy:PkgType",
"value" : "jar"
} ]
}CycloneDx CLI
During my experience with the CycloneDx CLI, I found out that it only supports SPDX-2.2. As a result, I had to generate an older version of SPDX for this test.
Converting from SPDX to CycloneDx and vice versa seemed relatively seamless. All the primary data such as licenses, versions, and locators like CPE and PURL remained intact. A few minor discrepancies were noted: The LicenseInfoFormFields shifted from null to "NOASSERTION". Additionally, some fields, such as homepage, originator, and supplier, weren't present in the original but appeared after the conversion, each marked as "NOASSERTION". From a technical standpoint, this isn't incorrect.
SPDX to CycloneDx (Round Trip) | Click to expand
Command:
syft jenkins/jenkins:latest -o spdx-json@2.2=original.syft.spdx2-2.json
cyclonedx-cli convert --input-file original.syft.spdx2-2.json --output-file converted.byCdxCli.toCdx.json --input-format spdxjson --output-format jsonInput:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-2e1986ad08a727ce",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": ""
},
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"licenseConcluded": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"licenseInfoFromFiles": null,
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
]
}Output:
{
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"licenses": [
{
"expression": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt"
}
],
"copyright": "NOASSERTION",
"externalReferences": [
{
"url": "NOASSERTION",
"type": "distribution"
}
],
"properties": [
{
"name": "spdx:spdxid",
"value": "SPDXRef-Package-java-archive-commons-compress-2e1986ad08a727ce"
},
{
"name": "spdx:license-concluded",
"value": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt"
},
{
"name": "spdx:package:verification-code:value",
"value": ""
},
{
"name": "spdx:package:source-info",
"value": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war"
},
{
"name": "spdx:external-reference:security:cpe23",
"value": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "spdx:external-reference:security:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "spdx:external-reference:security:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "spdx:external-reference:security:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "spdx:external-reference:package-manager:purl",
"value": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
},
{
"name": "spdx:download-location",
"value": "NOASSERTION"
}
]
}Round Trip:
{
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-2e1986ad08a727ce",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"copyrightText": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
},
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
},
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
},
{
"referenceCategory": "SECURITY",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceType": "cpe23Type"
},
{
"referenceCategory": "PACKAGE_MANAGER",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceType": "purl"
}
],
"homepage": "NOASSERTION",
"licenseConcluded": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"name": "commons-compress",
"originator": "NOASSERTION",
"packageVerificationCode": {
"packageVerificationCodeValue": ""
},
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0"
}Roundtrip comparison
However, the results were starkly different when the conversion process was initiated from CycloneDx to SPDX and then reverted. Valuable data was lost in this transition. The CPE and PURL locators disappeared, and the group and bom-ref attributes were nowhere to be found. Interestingly, the bom-ref was somewhat retained in the properties, albeit in a slightly altered format. Pertaining to the properties, all original entries vanished. In their place, broken values marked "NOASSERTION" appeared. It seems these were likely generated during the SPDX file creation and later deemed redundant. Most critically, the license information was lost. Consequently, after this conversion, many of the primary use-cases were compromised. It's worth noting that this loss of information occurred right in the initial step from CycloneDx to SPDX.
CycloneDx to SPDX (Round Trip) | Click to expand
Command:
cyclonedx-cli convert --input-file original.syft.cdx.json --output-file converted.byCdxCli.toSpdx.json --input-format json --output-format spdxjsonInput:
{
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name": "commons-compress",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type": "library",
"group": "org.apache.commons",
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=591e913d9a6a50d4",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"properties": [
{
"name": "syft:package:foundBy",
"value": "java-cataloger"
},
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
},
{
"name": "syft:location:0:path",
"value": "/usr/share/jenkins/jenkins.war"
},
{
"name": "syft:metadata:-:artifactID",
"value": "commons-compress"
},
{
"name": "syft:metadata:-:groupID",
"value": "org.apache.commons"
},
{
"name": "syft:metadata:virtualPath",
"value": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
}
],
"externalReferences": [
{
"url": "",
"type": "build-meta",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
]
}
]
}Output:
{
"SPDXID": "SPDXRef-pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=2e1986ad08a727ce",
"copyrightText": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"homepage": "NOASSERTION",
"licenseConcluded": "NOASSERTION",
"licenseInfoFromFiles": [
"NOASSERTION"
],
"name": "commons-compress",
"originator": "NOASSERTION",
"supplier": "NOASSERTION",
"versionInfo": "1.23.0"
}Round Trip:
{
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"licenses": [
{}
],
"copyright": "NOASSERTION",
"externalReferences": [
{
"url": "NOASSERTION",
"type": "distribution"
},
{
"url": "NOASSERTION",
"type": "website"
}
],
"properties": [
{
"name": "spdx:spdxid",
"value": "SPDXRef-pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=2e1986ad08a727ce"
},
{
"name": "spdx:license-concluded",
"value": "NOASSERTION"
},
{
"name": "spdx:package:originator",
"value": "NOASSERTION"
},
{
"name": "spdx:package:supplier",
"value": "NOASSERTION"
},
{
"name": "spdx:download-location",
"value": "NOASSERTION"
},
{
"name": "spdx:homepage",
"value": "NOASSERTION"
}
],
"evidence": {
"licenses": []
}
}Roundtrip comparison
Cdx2Spdx
Cdx2Spdx belongs to a suite of Java libraries designed to process SPDX files using Java. As the name suggests, this tool's capability is unidirectional — it converts from CycloneDx to SPDX, preventing a full round trip conversion. My initial attempt to convert an SBOM using this tool was unsuccessful; it couldn't process the CycloneDx file generated by Syft. However, the CycloneDx file from Trivy was processed, though not without issues. The tool produced a lengthy error log, flagging numerous warnings about incorrect or absent data.
To retain as much relevant information as possible, Cdx2Spdx heavily relies on annotations and other fields when adding information to the SPDX SBOM. Moreover, comments are inserted within the SBOM to indicate any information that was missing during the conversion.
I appreciate the tool's intent in attempting to include this supplementary data. However, chances are that such details might be overlooked or lost during automated SBOM processing.
CycloneDx to SPDX
Command:
java -jar ~/Downloads/cdx2spdx-0.1.4-jar-with-dependencies.jar original.trivy.cdx.json converted.byCdx2Spdx.spdx.jsonInput:
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?file_path=usr%2Fshare%2Fjenkins%2Fjenkins.war%2FWEB-INF%2Flib%2Fcommons-compress-1.23.0.jar",
"version" : "1.23.0",
"properties" : [ {
"name" : "aquasecurity:trivy:FilePath",
"value" : "usr/share/jenkins/jenkins.war/WEB-INF/lib/commons-compress-1.23.0.jar"
}, {
"name" : "aquasecurity:trivy:LayerDiffID",
"value" : "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
}, {
"name" : "aquasecurity:trivy:PkgType",
"value" : "jar"
} ]
}Output:
{
"SPDXID": "SPDXRef-pkg-maven-org.apache.commons-commons-compress-1.23.0-file-path-usr-2Fshare-2Fjenkins-2Fjenkins.war-2FWEB-INF-2Flib-2Fcommons-compress-1.23.0.jar",
"annotations": [
{
"annotationDate": "2023-09-27T11:28:19Z",
"annotationType": "OTHER",
"annotator": "Tool: CycloneToSpdx",
"comment": "MISSING_CDX_PROPERTY:componentType=\"LIBRARY\""
},
{
"annotationDate": "2023-09-27T11:28:19Z",
"annotationType": "OTHER",
"annotator": "Tool: CycloneToSpdx",
"comment": "MISSING_CDX_PROPERTY:properites=[{\"name\":\"aquasecurity:trivy:FilePath\",\"value\":\"usr/share/jenkins/jenkins.war/WEB-INF/lib/commons-compress-1.23.0.jar\"},{\"name\":\"aquasecurity:trivy:LayerDiffID\",\"value\":\"sha256:9abdeeeaac1f3b3cefa35eb7687210bf3fae8c22e29fb853cddb02e40b02554b\"},{\"name\":\"aquasecurity:trivy:PkgType\",\"value\":\"jar\"}]"
}
],
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "49b89534d5d8f4b63fc8cfad14ca0bc9dd21671a"
}
],
"copyrightText": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceType": "purl"
}
],
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"name": "org.apache.commons:commons-compress",
"primaryPackagePurpose": "LIBRARY",
"versionInfo": "1.23.0"
}Log Output | Click to expand
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
Completed with the following warnings:
SPDX does not support property or property value extensions for SPDX type SpdxDocument. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for debian
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for adduser
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for apt-transport-https
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for apt
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for base-files
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for base-passwd
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for bash
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for bsdutils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for ca-certificates
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name MPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for coreutils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for curl
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name curl
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name other
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for dash
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name FSFULLR
Missing CycloneDX license ID for license name FSFUL
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for debconf
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-2-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for debian-archive-keyring
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for debianutils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for diffutils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for dirmngr
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for dpkg
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name public-domain-s-s-d
Missing CycloneDX license ID for license name public-domain-md5
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for e2fsprogs
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for findutils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.3
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for fontconfig-config
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for fonts-dejavu-core
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name bitstream-vera
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gcc-10-base
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.2
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gcc-9-base
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.2
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for git-lfs
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Expat
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for git-man
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name EDL-1.0
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic-1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name mingw-runtime
Missing CycloneDX license ID for license name Boost
Missing CycloneDX license ID for license name dlmalloc
Missing CycloneDX license ID for license name Apache-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for git
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name EDL-1.0
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic-1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name mingw-runtime
Missing CycloneDX license ID for license name Boost
Missing CycloneDX license ID for license name dlmalloc
Missing CycloneDX license ID for license name Apache-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gnupg-l10n
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gnupg-utils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gnupg
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpg-agent
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpg-wks-client
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpg-wks-server
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpg
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpgconf
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpgsm
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gpgv
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name permissive
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name RFC-Reference
Missing CycloneDX license ID for license name TinySCHEME
Missing CycloneDX license ID for license name CC0-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for grep
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for gzip
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.3+-no-invariant
Missing CycloneDX license ID for license name FSF-manpages
Missing CycloneDX license ID for license name GFDL-3
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for hostname
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for init-system-helpers
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libacl1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libapt-pkg6.0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libassuan0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GAP~FSF
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2+ with libtool exception
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GAP
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libattr1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libaudit-common
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libaudit1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-1.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libblkid1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libbrotli1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libbsd0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name BSD-4-clause-Niels-Provos
Missing CycloneDX license ID for license name BSD-4-clause-Christopher-G-Demetriou
Missing CycloneDX license ID for license name BSD-3-clause-Regents
Missing CycloneDX license ID for license name BSD-2-clause-NetBSD
Missing CycloneDX license ID for license name BSD-3-clause-author
Missing CycloneDX license ID for license name BSD-3-clause-John-Birrell
Missing CycloneDX license ID for license name BSD-5-clause-Peter-Wemm
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-2-clause-verbatim
Missing CycloneDX license ID for license name BSD-2-clause-author
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name ISC-Original
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name Beerware
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libbz2-1.0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-variant
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libc-bin
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libc6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcap-ng0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcbor0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name Apache-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcom-err2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcrypt1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcurl3-gnutls
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name curl
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name other
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libcurl4
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name curl
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name other
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libdb5.3
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libdebconfclient0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libedit2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for liberror-perl
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name MIT/X11
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libexpat1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libext2fs2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libffi7
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libfido2-1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name public-domain
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libfontconfig1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libfreetype6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name FTL
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name FSFULLR
Missing CycloneDX license ID for license name FSFAP
Missing CycloneDX license ID for license name Permissive
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name FSFUL
Missing CycloneDX license ID for license name Apache-2.0
Missing CycloneDX license ID for license name OFL-1.1
Missing CycloneDX license ID for license name Public-Domain
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name OpenGroup-BSD-like
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgcc-s1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgcrypt20
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgdbm-compat4
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GFDL-NIV-1.3+
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgdbm6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GFDL-NIV-1.3+
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgmp10
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgnutls30
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.3
Missing CycloneDX license ID for license name CC0
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name Apache-2.0
Missing CycloneDX license ID for license name LGPLv3+
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgpg-error0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name g10-permissive
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libgssapi-krb5-2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libhogweed6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GPL-3.0-with-autoconf-exception
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name GAP
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libidn2-0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name Unicode
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libk5crypto3
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libkeyutils1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libkrb5-3
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libkrb5support0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libksba8
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name FSFUL
Missing CycloneDX license ID for license name LGPL-2.1-or-later
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libldap-2.4-2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for liblz4-1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for liblzma5
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name PD
Missing CycloneDX license ID for license name probably-PD
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name permissive-fsf
Missing CycloneDX license ID for license name Autoconf
Missing CycloneDX license ID for license name permissive-nowarranty
Missing CycloneDX license ID for license name none
Missing CycloneDX license ID for license name config-h
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name noderivs
Missing CycloneDX license ID for license name PD-debian
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libmd0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name BSD-3-clause-Aaron-D-Gifford
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-2-clause-NetBSD
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name Beerware
Missing CycloneDX license ID for license name public-domain-md4
Missing CycloneDX license ID for license name public-domain-md5
Missing CycloneDX license ID for license name public-domain-sha1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libmount1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libncurses6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libncursesw6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libnettle8
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GPL-3.0-with-autoconf-exception
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name GAP
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libnghttp2-14
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name all-permissive
Missing CycloneDX license ID for license name GPL-3.0-with-autoconf-exception
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name SIL-OFL-1.1
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libnpth0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libnsl2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name permissive-fsf
Missing CycloneDX license ID for license name permissive-makefile-in
Missing CycloneDX license ID for license name permissive-autoconf-m4-no-warranty
Missing CycloneDX license ID for license name GPL-3+-autoconf-exception
Missing CycloneDX license ID for license name permissive-configure
Missing CycloneDX license ID for license name GPL-2+-autoconf-exception
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name GPL-2+-libtool-exception
Missing CycloneDX license ID for license name permissive-autoconf-m4
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libp11-kit0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name permissive-like-automake-output
Missing CycloneDX license ID for license name ISC
Missing CycloneDX license ID for license name ISC+IBM
Missing CycloneDX license ID for license name same-as-rest-of-p11kit
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpam-modules-bin
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpam-modules
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpam-runtime
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpam0g
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpcre2-8-0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpcre3
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libperl5.32
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name REGCOMP
Missing CycloneDX license ID for license name GPL-2.0-with-bison-exception
Missing CycloneDX license ID for license name Unicode
Missing CycloneDX license ID for license name BZIP
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name RRA-KEEP-THIS-NOTICE
Missing CycloneDX license ID for license name BSD-3-clause-with-weird-numbering
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name TEXT-TABS
Missing CycloneDX license ID for license name BSD-4-clause-POWERDOG
Missing CycloneDX license ID for license name BSD-3-clause-GENERIC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name SDBM-PUBLIC-DOMAIN
Missing CycloneDX license ID for license name DONT-CHANGE-THE-GPL
Missing CycloneDX license ID for license name Artistic-dist
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Artistic-2
Missing CycloneDX license ID for license name HSIEH-DERIVATIVE
Missing CycloneDX license ID for license name HSIEH-BSD
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpng16-16
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name libpng
Missing CycloneDX license ID for license name expat
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name BSD-like-with-advertising-clause
Missing CycloneDX license ID for license name libpng OR Apache-2.0 OR BSD-3-clause
Missing CycloneDX license ID for license name Apache-2.0
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libprocps8
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libpsl5
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name Chromium
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libreadline8
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for librtmp1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsasl2-2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsasl2-modules-db
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libseccomp2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libselinux1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsemanage-common
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsemanage1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsepol1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsmartcols1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsqlite3-0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libss2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libssh2-1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD3
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libssl1.1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libstdc++6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libsystemd0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-2 with Linux-syscall-note exception
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name public-domain
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libtasn1-6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.3
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libtinfo6
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT/X11
Missing CycloneDX license ID for license name X11
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libtirpc-common
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name __AUTO_PERMISSIVE__
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name PERMISSIVE
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libtirpc3
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name __AUTO_PERMISSIVE__
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name PERMISSIVE
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libudev1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name GPL-2 with Linux-syscall-note exception
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name public-domain
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libunistring2
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name FreeSoftware
Missing CycloneDX license ID for license name GPL-2+ with distribution exception
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL-1.2+
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name GFDL-1.2
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libuuid1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libxxhash0
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for libzstd1
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name Expat
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for login
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for logsave
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name LGPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for lsb-base
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for mawk
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for mount
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for ncurses-base
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT/X11
Missing CycloneDX license ID for license name X11
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for ncurses-bin
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name MIT/X11
Missing CycloneDX license ID for license name X11
Missing CycloneDX license ID for license name BSD-3-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for openssh-client
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name OpenSSH
Missing CycloneDX license ID for license name Mazieres-BSD-style
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name Beer-ware
Missing CycloneDX license ID for license name Powell-BSD-style
Missing CycloneDX license ID for license name Expat-with-advertising-restriction
Missing CycloneDX license ID for license name BSD-2-Clause
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for openssl
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for passwd
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for perl-base
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name REGCOMP
Missing CycloneDX license ID for license name GPL-2.0-with-bison-exception
Missing CycloneDX license ID for license name Unicode
Missing CycloneDX license ID for license name BZIP
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name RRA-KEEP-THIS-NOTICE
Missing CycloneDX license ID for license name BSD-3-clause-with-weird-numbering
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name TEXT-TABS
Missing CycloneDX license ID for license name BSD-4-clause-POWERDOG
Missing CycloneDX license ID for license name BSD-3-clause-GENERIC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name SDBM-PUBLIC-DOMAIN
Missing CycloneDX license ID for license name DONT-CHANGE-THE-GPL
Missing CycloneDX license ID for license name Artistic-dist
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Artistic-2
Missing CycloneDX license ID for license name HSIEH-DERIVATIVE
Missing CycloneDX license ID for license name HSIEH-BSD
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for perl-modules-5.32
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name REGCOMP
Missing CycloneDX license ID for license name GPL-2.0-with-bison-exception
Missing CycloneDX license ID for license name Unicode
Missing CycloneDX license ID for license name BZIP
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name RRA-KEEP-THIS-NOTICE
Missing CycloneDX license ID for license name BSD-3-clause-with-weird-numbering
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name TEXT-TABS
Missing CycloneDX license ID for license name BSD-4-clause-POWERDOG
Missing CycloneDX license ID for license name BSD-3-clause-GENERIC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name SDBM-PUBLIC-DOMAIN
Missing CycloneDX license ID for license name DONT-CHANGE-THE-GPL
Missing CycloneDX license ID for license name Artistic-dist
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Artistic-2
Missing CycloneDX license ID for license name HSIEH-DERIVATIVE
Missing CycloneDX license ID for license name HSIEH-BSD
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for perl
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-1.0
Missing CycloneDX license ID for license name Artistic
Missing CycloneDX license ID for license name Expat
Missing CycloneDX license ID for license name REGCOMP
Missing CycloneDX license ID for license name GPL-2.0-with-bison-exception
Missing CycloneDX license ID for license name Unicode
Missing CycloneDX license ID for license name BZIP
Missing CycloneDX license ID for license name Zlib
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name RRA-KEEP-THIS-NOTICE
Missing CycloneDX license ID for license name BSD-3-clause-with-weird-numbering
Missing CycloneDX license ID for license name CC0-1.0
Missing CycloneDX license ID for license name TEXT-TABS
Missing CycloneDX license ID for license name BSD-4-clause-POWERDOG
Missing CycloneDX license ID for license name BSD-3-clause-GENERIC
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name SDBM-PUBLIC-DOMAIN
Missing CycloneDX license ID for license name DONT-CHANGE-THE-GPL
Missing CycloneDX license ID for license name Artistic-dist
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name Artistic-2
Missing CycloneDX license ID for license name HSIEH-DERIVATIVE
Missing CycloneDX license ID for license name HSIEH-BSD
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for pinentry-curses
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name X11
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for procps
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for readline-common
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GFDL
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for sed
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for sensible-utils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name All-permissive
Missing CycloneDX license ID for license name configure
Missing CycloneDX license ID for license name installsh
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for sysvinit-utils
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for tar
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for tini
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Expat
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for tzdata
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for ucf
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for unzip
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for util-linux
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name GPL-2.0
Missing CycloneDX license ID for license name public-domain
Missing CycloneDX license ID for license name BSD-4-Clause
Missing CycloneDX license ID for license name MIT
Missing CycloneDX license ID for license name BSD-2-Clause
Missing CycloneDX license ID for license name BSD-3-Clause
Missing CycloneDX license ID for license name LGPL-2.0
Missing CycloneDX license ID for license name LGPL-2.1
Missing CycloneDX license ID for license name GPL-3.0
Missing CycloneDX license ID for license name LGPL-3.0
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
Missing required SHA1 Checksum for zlib1g
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
Missing CycloneDX license ID for license name Zlib
Supplier is assumed to be an organization
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.
From dependency component ref does not exist: pkg:oci/jenkins@sha256%3Adf7499d28f440e023dae0204c8e9ef8a1fd9ee8b8040c35724d7745bbdb61674?arch=amd64&repository_url=index.docker.io%2Fjenkins%2Fjenkins
Missing required SHA1 Checksum for jenkins/jenkins:latest
SPDX does not support property or property value componentType for SPDX type Package. An annotation was added to the element to capture this information.
SPDX does not support property or property value properites for SPDX type Package. An annotation was added to the element to capture this information.BOM Squad - SBOM convert
BOM-Squad has developed SBOM-convert, a tool designed to transition between different SBOM formats. However, when attempting a full round-trip conversion — from SPDX to CycloneDx and back to SPDX — I found that much of the data was lost in the process.
While all external reference locators were lost, the PURL remained intact. The name, version, and checksums also persevered. Unfortunately, all licensing information was stripped away. Attributes such as download location and filesAnalyzed persisted, although they were originally empty. An additional attribute, primaryPackagePurpose, was introduced and was set to 'application'.
Interestingly, the licensing details were omitted during the initial transition to CycloneDx, while most of the other attributes, such as the CPEs, vanished during the subsequent conversion back to SPDX.
As a result of this conversion process, while vulnerability checks might still function, conducting licensing checks would pose challenges unless there's an alternative source available to replenish the lost data.
SPDX to CycloneDx (Round Trip) | Click to expand
Command:
~/Downloads/sbom-convert convert original.syft.spdx.json -o converted.bySbomConvert.cdx.jsonInput:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-591e913d9a6a50d4",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"versionInfo": "1.23.0",
"externalRefs": [
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
}
],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}Output:
{
"bom-ref": "Package-java-archive-commons-compress-2e1986ad08a727ce",
"type": "application",
"name": "commons-compress",
"version": "1.23.0",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"externalReferences": [
{
"url": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"type": "cpe23Type"
},
{
"url": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"type": "cpe23Type"
},
{
"url": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"type": "cpe23Type"
},
{
"url": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"type": "cpe23Type"
}
]
}Log output | Click to expand
```text INFO[0000] Serializing to application/vnd.cyclonedx+json;version=1.4 WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost WARN[0000] node Package-deb-git-lfs-298741ae8bc24fd7 is related with other to 1 other nodes, data will be lost ```Round Trip:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-2e1986ad08a727ce",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
],
"primaryPackagePurpose": "application"
}Roundtrip comparison
The results are consistent when the conversion process is reversed. Starting from CycloneDx to SPDX and then back to CycloneDx, a significant amount of data is lost. Only one PURL and one CPE remain, accompanied by the name and version. Regrettably, all licensing information has been eradicated. As before, the majority of the data was lost during the initial conversion step.
CycloneDx to SPDX (Round Trip) | Click to expand
Command:
~/Downloads/sbom-convert convert original.syft.cdx.json -o converted.bySbomConvert.spdx.jsonInput:
{
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name": "commons-compress",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type": "library",
"group": "org.apache.commons",
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=591e913d9a6a50d4",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"properties": [
{
"name": "syft:package:foundBy",
"value": "java-cataloger"
},
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
},
{
"name": "syft:location:0:path",
"value": "/usr/share/jenkins/jenkins.war"
},
{
"name": "syft:metadata:-:artifactID",
"value": "commons-compress"
},
{
"name": "syft:metadata:-:groupID",
"value": "org.apache.commons"
},
{
"name": "syft:metadata:virtualPath",
"value": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
}
],
"externalReferences": [
{
"url": "",
"type": "build-meta",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
]
}
]
}Output:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=2e1986ad08a727ce",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"externalRefs": [
{
"referenceCategory": "OTHER",
"referenceType": "cpe23",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
],
"primaryPackagePurpose": "library"
}Round Trip:
{
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=2e1986ad08a727ce",
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"externalReferences": [
{
"url": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"type": "cpe23"
}
]
}Roundtrip comparison
Syft
Although Syft mentions on their readme page that conversion is an experimental feature, their results are arguably some of the best. While the round trip isn't flawless, the core information undergoes conversion in some form. Only specific details are absent. This includes the checksum algorithm and the path to the source info of the jenkins.war. Additionally, the filesAnalyzed field is missing. However, the preservation of all other information is genuinely commendable and impressive.
SPDX to CycloneDx (Round Trip) | Click to expand
Command:
syft convert original.syft.spdx.json -o cyclonedx-json=converted.bySyft.toCdx.jsonInput:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-591e913d9a6a50d4",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"versionInfo": "1.23.0",
"externalRefs": [
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*",
"referenceCategory": "SECURITY"
},
{
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory": "PACKAGE-MANAGER"
}
],
"copyrightText": "NOASSERTION",
"filesAnalyzed": false,
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"downloadLocation": "NOASSERTION",
"licenseConcluded": "NOASSERTION"
}Output:
{
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=218cd71a5496eeb9",
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt"
}
}
],
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"externalReferences": [
{
"url": "",
"hashes": [
{
"alg": "",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"type": "build-meta"
}
],
"properties": [
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
}
]
}Round Trip
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-218cd71a5496eeb9",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"checksums": [
{
"algorithm": "",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: ",
"licenseConcluded": "LicenseRef-LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"licenseDeclared": "LicenseRef-LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
]
}Roundtrip Comparation
Conversely, when converting from CycloneDx to SPDX and back to CycloneDx using Syft, some data was lost. Notably, some properties were omitted, the 'group' field disappeared, and once again, the algorithm for the hash was absent.
However, in both scenarios, Syft successfully retained a majority of the data through the conversions. Consequently, use cases like vulnerability checks for dependencies and license evaluations should remain operational and efficient.
CycloneDx to SPDX (Round Trip) | Click to expand
Command:
syft convert original.syft.cdx.json -o spdx-json=converted.bySyft.toSpdx.jsonInput:
{
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"name": "commons-compress",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type": "library",
"group": "org.apache.commons",
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=591e913d9a6a50d4",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "https://www.apache.org/licenses/LICENSE-2.0.txt"
}
}
],
"properties": [
{
"name": "syft:package:foundBy",
"value": "java-cataloger"
},
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:layerID",
"value": "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
},
{
"name": "syft:location:0:path",
"value": "/usr/share/jenkins/jenkins.war"
},
{
"name": "syft:metadata:-:artifactID",
"value": "commons-compress"
},
{
"name": "syft:metadata:-:groupID",
"value": "org.apache.commons"
},
{
"name": "syft:metadata:virtualPath",
"value": "/usr/share/jenkins/jenkins.war:WEB-INF/lib/commons-compress-1.23.0.jar"
}
],
"externalReferences": [
{
"url": "",
"type": "build-meta",
"hashes": [
{
"alg": "SHA-1",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
]
}
]
}Output:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-de78bfdef0a5c5b3",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"sourceInfo": "acquired package info from installed java archive: /usr/share/jenkins/jenkins.war",
"licenseConcluded": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"licenseDeclared": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "SECURITY",
"referenceType": "cpe23Type",
"referenceLocator": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
},
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
]
}Round Trip
{
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=218cd71a5496eeb9",
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"licenses": [
{
"license": {
"name": "LicenseRef-https---www.apache.org-licenses-LICENSE-2.0.txt"
}
}
],
"cpe": "cpe:2.3:a:apache:commons-compress:1.23.0:*:*:*:*:*:*:*",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"externalReferences": [
{
"url": "",
"hashes": [
{
"alg": "",
"content": "4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc"
}
],
"type": "build-meta"
}
],
"properties": [
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons_compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:compress:1.23.0:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:apache:commons:1.23.0:*:*:*:*:*:*:*"
}
]
}Roundtrip comparison
Syft with Trivys Data
To ensure that Syft isn't just excelling with its own data, which might naturally be easier for it to process, I took a different approach. I generated the same SBOM for the Jenkins docker container using Trivy in both CycloneDx and SPDX formats to assess how Syft manages them.
During the conversion process from SPDX to CycloneDx and back, Syft did overlook some elements that might be foreign to its processing. Fields like 'supplier', 'attributionText', and 'primaryPackagePurpose' were absent. Although none of these fields contain critical information, their inclusion would be preferable. Additionally, 'CopyrightText' and 'downloadLocation' values shifted from being empty or labeled as 'NONE' to 'NOASSERTION'. Interestingly, Syft introduced the 'source Info' field.
SPDX to CycloneDx (Round Trip) | Click to expand
Command:
syft convert original.trivy.spdx.json -o cyclonedx-json=trivy.converted.bySyft.toCdx.jsonInput:
{
"name" : "org.apache.commons:commons-compress",
"SPDXID" : "SPDXRef-Package-cfaa6639945e87ae",
"supplier" : "NOASSERTION",
"versionInfo" : "1.23.0",
"externalRefs" : [ {
"referenceType" : "purl",
"referenceLocator" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"referenceCategory" : "PACKAGE-MANAGER"
} ],
"copyrightText" : "",
"licenseDeclared" : "NONE",
"attributionTexts" : [ "LayerDiffID: sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6" ],
"downloadLocation" : "NONE",
"licenseConcluded" : "NONE",
"primaryPackagePurpose" : "LIBRARY"
}Output:
{
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=7fd71aa09062b2e7",
"type": "library",
"name": "org.apache.commons:commons-compress",
"version": "1.23.0",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"properties": [
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
}
]
}Round Trip
{
"name": "org.apache.commons:commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-org.apache.commons-commons-compress-7fd71aa09062b2e7",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"sourceInfo": "acquired package info from installed java archive: ",
"licenseConcluded": "NONE",
"licenseDeclared": "NONE",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
]
}Roundtrip Comparison
When converting in the reverse direction, Syft once again omitted the 'group' field. The properties also underwent significant modifications. Although the number of properties remained consistent, their quality diminished. Interestingly, in the properties section, all the 'aquasecurity' labels were swapped out for 'syft'. While this outcome might not be as optimal as the SPDX round trip, the results are still very reasonable.
CycloneDx to SPDX (Round Trip) | Click to expand
Command:
syft convert original.trivy.cdx.json -o spdx-json=trivy.converted.bySyft.toSpdx.jsonInput:
{
"name" : "commons-compress",
"purl" : "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"type" : "library",
"group" : "org.apache.commons",
"bom-ref" : "pkg:maven/org.apache.commons/commons-compress@1.23.0?file_path=usr%2Fshare%2Fjenkins%2Fjenkins.war%2FWEB-INF%2Flib%2Fcommons-compress-1.23.0.jar",
"version" : "1.23.0",
"properties" : [ {
"name" : "aquasecurity:trivy:FilePath",
"value" : "usr/share/jenkins/jenkins.war/WEB-INF/lib/commons-compress-1.23.0.jar"
}, {
"name" : "aquasecurity:trivy:LayerDiffID",
"value" : "sha256:bd8ae0684ddd240c1d7c24eb2b35b1f266d21bd86beb23cd7dcee7151c918dc6"
}, {
"name" : "aquasecurity:trivy:PkgType",
"value" : "jar"
} ]
}Output:
{
"name": "commons-compress",
"SPDXID": "SPDXRef-Package-java-archive-commons-compress-a96a520872d46711",
"versionInfo": "1.23.0",
"downloadLocation": "NOASSERTION",
"sourceInfo": "acquired package info from installed java archive: ",
"licenseConcluded": "NONE",
"licenseDeclared": "NONE",
"copyrightText": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:maven/org.apache.commons/commons-compress@1.23.0"
}
]
}Round Trip
{
"bom-ref": "pkg:maven/org.apache.commons/commons-compress@1.23.0?package-id=581ce77f7e8c152d",
"type": "library",
"name": "commons-compress",
"version": "1.23.0",
"purl": "pkg:maven/org.apache.commons/commons-compress@1.23.0",
"properties": [
{
"name": "syft:package:language",
"value": "java"
},
{
"name": "syft:package:metadataType",
"value": "JavaMetadata"
},
{
"name": "syft:package:type",
"value": "java-archive"
}
]
}Roundtrip Comparison
Conclusion
Converting an SBOM is a risky thing. Doing so will reduce the quality of the data. All tools did so. It's best to generate the SBOMs in the output format you need. Most of the tooling supports both. I only looked at one dependency while converting in this post, but actually, there are a lot more things happening while converting an SBOM.
If you have to convert an SBOM, you might check out the results from several of these tools. Normally I don't take sides, but while Syft is still claiming that the conversion feature is experimental, you might get the best results from them. Also, they support several of the diffrent versions from SPDX and CycloneDx, which has proven very helpful for my work so far.