Converting SPDX json with primaryPackagePurpose OPERATING-SYSTEM fails #419

@jtklahti

Description

Hello,
I was trying to convert an spdx-json generated by Trivy (Harbor scanner) to CycloneDX format using cyclonedx-cli, but it resulted in an error related to the "primaryPackagePurpose" field having a value of "OPERATING-SYSTEM". Replacing "OPERATING-SYSTEM" with "OPERATING_SYSTEM" in the spdx-json file allowed me to convert the file successfully.

OS version: Mac OS 26.2 on an M1 system.
CycloneDX CLI version: 0.29.2

I expected cyclonedx-cli to convert the spdx-json to cyclonedx-json without errors, but it failed with an error. I used nginx:1.29.4 just as an example image.

The SPDX spec says that "OPERATING-SYSTEM" is among the allowed values.

This issue could probably be fixed easily in the file PrimaryPackagePurposeType.cs by adding "OPERATING-SYSTEM" as a valid enum value. The same kind of issue was fixed here for issue #267.

How to reproduce:

# create spdx-json with Trivy scanner
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$(pwd):/data" aquasec/trivy:0.69.1 image --format spdx-json --output /data/spdx-sbom.json nginx:1.29.4
# output omitted
cyclonedx convert --input-format spdxjson --input-file spdx-sbom.json --output-format json --output-file cyclonedx-sbom.json
# results in an error
Unhandled exception: System.Text.Json.JsonException: The JSON value could not be converted to System.Nullable`1[CycloneDX.Spdx.Models.v2_3.PrimaryPackagePurposeType]. Path: $.packages[152].primaryPackagePurpose | LineNumber: 0 | BytePositionInLine: 261540.
   at System.Text.Json.ThrowHelper.ThrowJsonException(String message)
   at System.Text.Json.Serialization.Converters.EnumConverter`1.ReadEnumUsingNamingPolicy(String enumString)
   at System.Text.Json.Serialization.Converters.EnumConverter`1.Read(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options)
   ...

# this kind of "package" seems to be the problem
jq '.packages[] | select(.primaryPackagePurpose=="OPERATING-SYSTEM")' spdx-sbom.json
{
  "name": "debian",
  "primaryPackagePurpose": "OPERATING-SYSTEM",
  ... # rest omitted

# temporary fix with sed
sed 's/OPERATING-SYSTEM/OPERATING_SYSTEM/g' spdx-sbom.json > spdx-sbom-fixed.json
# now converting worked, output omitted.
cyclonedx convert --input-format spdxjson --input-file spdx-sbom-fixed.json --output-format json --output-file cyclonedx-sbom.json

ls -la cyclonedx-sbom.json
-rw-r--r--  1 xyz  staff  384286 Feb  5 15:17 cyclonedx-sbom.json

Thank you in advance!
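The sed workaround in the report rewrites every occurrence of the string in the file, so a package name, description or license text that happens to contain "OPERATING-SYSTEM" would be changed too. As an added example (not code from the issue, from Trivy or from cyclonedx-cli), the script below does the same normalization JSON-aware: it rewrites only the primaryPackagePurpose field of each package, maps the spec's hyphenated spelling to the underscore spelling that the reporter found the CLI accepts, and rejects values that are not legal SPDX 2.3 purposes instead of passing them through. The function names fix_sbom, normalize_purpose and is_valid_purpose and the SAMPLE document are constructed for this example; the allowed-value list is the one from SPDX 2.3 section 7.24.

```python
"""Constructed example: normalize SPDX 2.3 primaryPackagePurpose values to the
underscore spelling that cyclonedx-cli accepted in the report, touching nothing
else in the document.

Not code from cyclonedx-cli or Trivy. Assumes an SPDX 2.3 JSON document with a
top-level "packages" array, as produced by `trivy image --format spdx-json`.
"""
import json
import sys

# The full set of values SPDX 2.3 (section 7.24) allows for the field.
SPDX_PURPOSES = frozenset({
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
})


def is_valid_purpose(value):
    """True if value is a legal SPDX 2.3 purpose in either the hyphenated
    spelling the spec uses or the underscore spelling the CLI's enum expects."""
    return isinstance(value, str) and value.replace("_", "-") in SPDX_PURPOSES


def normalize_purpose(value):
    """Map a legal purpose to its underscore form (OPERATING-SYSTEM ->
    OPERATING_SYSTEM). Anything else is an error rather than a silent pass."""
    if not is_valid_purpose(value):
        raise ValueError(f"not an SPDX 2.3 primaryPackagePurpose: {value!r}")
    return value.replace("-", "_")


def fix_sbom(doc):
    """Return (fixed_copy, changed_count). Only the primaryPackagePurpose field
    of each package is rewritten; names, descriptions and license texts that
    happen to contain the same string are left alone, unlike a global sed."""
    fixed = json.loads(json.dumps(doc))  # deep copy; the input is not mutated
    changed = 0
    for pkg in fixed.get("packages", []):
        if "primaryPackagePurpose" not in pkg:
            continue
        new = normalize_purpose(pkg["primaryPackagePurpose"])
        if new != pkg["primaryPackagePurpose"]:
            pkg["primaryPackagePurpose"] = new
            changed += 1
    return fixed, changed


# Constructed sample shaped like the Trivy output quoted in the issue.
SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "debian", "primaryPackagePurpose": "OPERATING-SYSTEM"},
        {"name": "nginx", "primaryPackagePurpose": "APPLICATION"},
        # A sed over the whole file would rewrite this string as well.
        {"name": "notes", "description": "OPERATING-SYSTEM layer metadata"},
    ],
}

if __name__ == "__main__":
    # Usage: python fix_spdx_purpose.py spdx-sbom.json > spdx-sbom-fixed.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        result, count = fix_sbom(json.load(fh))
    json.dump(result, sys.stdout, indent=2)
    print(f"rewrote {count} primaryPackagePurpose value(s)", file=sys.stderr)
```

Run it on the Trivy output and feed the result to `cyclonedx convert` exactly as in the report; because the script raises on an unknown purpose, a typo or a value from a newer SPDX revision shows up as an error here rather than as the unhandled System.Text.Json.JsonException further down the pipeline.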
