Syft upgrade causes SPDX format specVersion mismatch #342

With release https://github.com/anchore/sbom-action/releases/tag/v0.17.0 on the https://github.com/anchore/sbom-action the Syft version was updated, which in turn updated the SPDX format specVersion from 1.5 to 1.6.

If you then invoke the https://github.com/anchore/scan-action with the generated sbom, the scan-action then downloads the grype DB for version 1.5 which is incompatible with 1.6 and an error is thrown. The https://github.com/anchore/scan-action#scanning-an-sbom-file step in the readme won't succeed currently.

Comments

@hermankruger do you mean CycloneDX from 1.5 --> 1.6? SPDX is currently 2.x Let me try and get this reproduced on my local and see where the error might be occurring for SBOM --> Scan Action with the new releases. It might be as easy as updating the config to specify the version of the document you want, but I agree the default flow should "just work" There would be an issue if you did not update both actions to the latest versions and had pinned scan-action back to Is it possible to update scan action as well? If not is it possible to update the sbom-action config to generate the correct version of cyclone-dx the scan action expects (

@spiffcs, thanks for the timely feedback :) What has happened is a combination of I will now update to From a https://semver.org/ point of view it would be good to bump breaking changes on both, however I do realize bumping 0 (zero) has implications. This has been a breaking change that no one would have expected using v0 with v3.

@hermankruger Yep! Give those two actions an upgrade to their latest versions. If you run into any issues still let me know by filing and tagging me on an issue on either repo and I'll take a look

I'm closing this because it seems like it doesn't affect the latest versions of the actions. If we've missed something, please let us know.
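The failure mode described in the issue body is a version skew between the two actions: the SBOM producer (sbom-action) is upgraded and starts emitting a newer CycloneDX schema version, while the SBOM consumer (scan-action) is still pinned to a release whose bundled grype cannot parse it. The workflow fragment below is an added illustration, not code from the anchore/sbom-action or anchore/scan-action projects, showing the mismatched pinning next to the arrangement the maintainers recommend (upgrade both actions together). The `format` and `output-file` inputs on sbom-action and the `sbom` input on scan-action are assumed from the actions' documented inputs; the older scan-action tag is a placeholder because the issue does not name it.

```yaml
# Added example (not from the original issue or the anchore projects).
# Job 1: the skewed configuration that produces the "incompatible DB version" error.
jobs:
  sbom-and-scan-skewed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Producer upgraded to a release whose Syft emits CycloneDX 1.6.
      - name: Generate SBOM (newer Syft)
        uses: anchore/sbom-action@v0.17.0
        with:
          format: cyclonedx-json            # assumed input name
          output-file: sbom.cdx.json        # assumed input name

      # Consumer left on an older pin whose grype only understands CycloneDX 1.5.
      - name: Scan SBOM (older grype)
        uses: anchore/scan-action@vOLD-PLACEHOLDER   # placeholder: the issue does not name the old tag
        with:
          sbom: sbom.cdx.json
          fail-build: true

  # Job 2: the recommended configuration. Both actions track their current
  # major-version tags (v0 and v3, as named in the thread), so the producer
  # and consumer are released in lock-step and parse the same schema version.
  sbom-and-scan-aligned:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          format: cyclonedx-json            # assumed input name
          output-file: sbom.cdx.json        # assumed input name

      - name: Scan SBOM
        uses: anchore/scan-action@v3
        with:
          sbom: sbom.cdx.json
          fail-build: true
          severity-cutoff: high
```

The practical check when a scan step starts failing right after a dependency-update bot bumps one of the two actions: confirm the sbom-action and scan-action pins were bumped in the same commit, or at least that the scan-action release is newer than the sbom-action release it consumes. Pinning both to the same major-version tag keeps the pair aligned without manual coordination; pinning both to exact tags is fine as long as they are always updated together.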