Commit 3b3d587
spdx-schema-v2.3.json: fix OPERATING-SYSTEM package intent
For Wolfi container at cgr.dev/chainguard/wolfi-base, trivy for spdx json SBOM generates
```json
{
"name": "wolfi",
"SPDXID": "SPDXRef-OperatingSystem-2bccf727fe0bc7f8",
"versionInfo": "20230201",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"primaryPackagePurpose": "OPERATING-SYSTEM",
"annotations": [
{
"annotator": "Tool: trivy-0.62.1",
"annotationDate": "2025-05-28T17:07:25Z",
"annotationType": "OTHER",
"comment": "Class: os-pkgs"
},
{
"annotator": "Tool: trivy-0.62.1",
"annotationDate": "2025-05-28T17:07:25Z",
"annotationType": "OTHER",
"comment": "Type: wolfi"
}
]
}
```
Which fails validating with tools-java because "OPERATING-SYSTEM" value is with a dash, which matches the spec at https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
Given tools in wild follow the spec, imho it is relatively safe to update the schema here.
Note we have PACKAGE_MANAGER PACKAGE-MANAGER saga before, so do help
me validating any other tools that might be impacted, so far I see
this schema file being the only one out of line.1 parent 3117fa4 commit 3b3d587
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
413 | 413 | | |
414 | 414 | | |
415 | 415 | | |
416 | | - | |
| 416 | + | |
417 | 417 | | |
418 | 418 | | |
419 | 419 | | |
| |||
0 commit comments