Facing issues while converting SPDX SBOM to Cyclone DX SBOM format for me to use in Dependency track #5210
Gowtham-Rangasamy
started this conversation in
General
Edited your post to use code blocks so the XML is rendered properly. Can you share the exact CycloneDX SBOM in XML format that you're uploading to DT? Please redact any internal information as necessary.
Hi @nscuro, Thanks for your response.
<?xml version="1.0" encoding="utf-8"?>
<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://cyclonedx.org/schema/bom/1.6">
<metadata>
<timestamp>2025-08-04T16:26:57Z</timestamp>
<tools>
<tool>
<name>protobom-v0.0.0-20250731140552</name>
<version>613e75aeb253+dirty</version>
</tool>
<tool>
<name>GitHub.com-Dependency</name>
<version>Graph</version>
</tool>
</tools>
<properties>
<property name="spdx:spdxid">SPDXRef-DOCUMENT</property>
<property name="spdx:document:spdx-version">SPDX-2.3</property>
<property name="spdx:document:name">com.github.internal/Apps</property>
<property name="spdx:document:document-namespace">https://spdx.org/spdxdocs/protobom/4028157f-db39-4f81-ad62-68170caf4fa6</property>
</properties>
</metadata>
<components>
<component type="library">
<name>Microsoft.Azure.WebJobs.Extensions.Storage</name>
<version>5.0.1</version>
<purl>pkg:nuget/Microsoft.Azure.WebJobs.Extensions.Storage@5.0.1</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.WebJobs.Extensions.Storage-5.0.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.CodeAnalysis.Metrics</name>
<version>3.3.4</version>
<purl>pkg:nuget/Microsoft.CodeAnalysis.Metrics@3.3.4</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright (c) .NET Foundation, Copyright (c) 2012-2014 Mehdi Khalili, Copyright (c) 2013 Scott Kirkland, Copyright (c) 2013-2014 Omar Khudeira (http://omar.io), Copyright (c) Microsoft</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.CodeAnalysis.Metrics-3.3.4-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.NET.Sdk.Functions</name>
<version>4.6.0</version>
<purl>pkg:nuget/Microsoft.NET.Sdk.Functions@4.6.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright 2008 - 2018 Jb Evain, Copyright James Newton-King 2008, Copyright James Newton-King 2008 Json.NET</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.NET.Sdk.Functions-4.6.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Common.RestClient</name>
<version>1.0.16</version>
<purl>pkg:nuget/Common.RestClient@1.0.16</purl>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Common.RestClient-1.0.16-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>System.Configuration.ConfigurationManager</name>
<version>8.0.0</version>
<purl>pkg:nuget/System.Configuration.ConfigurationManager@8.0.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) 1997-2005 Sean Eron Anderson, (c) Microsoft Corporation, Copyright (c) .NET Foundation, Copyright (c) .NET Foundation and Contributors, Copyright (c) .NET Foundation Contributors, Copyright (c) 1980, 1986, 1993 The Regents of the University of California, Copyright (c) 1989 by Hewlett-Packard Company, Palo Alto, Ca. & Digital Equipment Corporation, Maynard, Mass, Copyright (c) 1990- 1993, 1996 Open Software Foundation, Inc., Copyright (c) 1991-2022 Unicode, Inc., Copyright (c) 1995-2022 Jean-loup Gailly and Mark Adler, Copyright (c) 1998 Microsoft. To, Copyright (c) 1999 Lucent Technologies, Copyright (c) 2004-2006 Intel Corporation, Copyright (c) 2005-2007, Nick Galbreath, Copyright (c) 2005-2020 Rich Felker, Copyright (c) 2006 Jb Evain ([email protected]), Copyright (c) 2007 James Newton-King, Copyright (c) 2008-2016, Wojciech Mula, Copyright (c) 2008-2020 Advanced Micro Devices, Inc., Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors, Copyright (c) 2011 Novell, Inc (http://www.novell.com), Copyright (c) 2011-2015 Intel Corporation, Copyright (c) 2011-2020 Microsoft Corp, Copyright (c) 2011, Google Inc., Copyright (c) 2012 - present, Victor Zverovich, Copyright (c) 2012-2021 Yann Collet, Copyright (c) 2013-2017, Alfred Klomp, Copyright (c) 2013-2017, Milosz Krajewski, Copyright (c) 2014 Ryan Juckett http://www.ryanjuckett.com, Copyright (c) 2015 The Chromium Authors, Copyright (c) 2015 THL A29 Limited, a Tencent company, and Milo Yip, Copyright (c) 2015 Xamarin, Inc (http://www.xamarin.com), Copyright (c) 2015-2017, Wojciech Mula, Copyright (c) 2016-2017, Matthieu Darbois, Copyright (c) 2017 Yoshifumi Kawai, Copyright (c) 2018 Alexander Chermyanin, Copyright (c) 2019 Microsoft Corporation, Daan Leijen, Copyright (c) 2020 Dan Shechter, Copyright (c) 2020 Mara Bos <[email protected]>, Copyright (c) 2021 csFastFloat authors, Copyright (c) 2022, Geoff Langdale, Copyright (c) 2022, Wojciech Mula, Copyright (c) Andrew Arnott, Copyright (c) 
Microsoft Corporation, Copyright (c) Six Labors, Copyright (c) The Internet Society (2003), Copyright (c) The Internet Society 1997, Copyright (c) YEAR W3C(r) (MIT, ERCIM, Keio, Beihang). Disclaimers, Copyright 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 The Regents of the University of California, Copyright 2012 the V8 project authors, Copyright 2018 Daniel Lemire, Copyright 2019 LLVM Project, Portions (c) International Organization</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-System.Configuration.ConfigurationManager-8.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Extensions.Hosting</name>
<version>8.0.1</version>
<purl>pkg:nuget/Microsoft.Extensions.Hosting@8.0.1</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) 1997-2005 Sean Eron Anderson, (c) Microsoft Corporation, Copyright (c) .NET Foundation, Copyright (c) .NET Foundation and Contributors, Copyright (c) .NET Foundation Contributors, Copyright (c) 1980, 1986, 1993 The Regents of the University of California, Copyright (c) 1989 by Hewlett-Packard Company, Palo Alto, Ca. & Digital Equipment Corporation, Maynard, Mass, Copyright (c) 1990- 1993, 1996 Open Software Foundation, Inc., Copyright (c) 1991-2022 Unicode, Inc., Copyright (c) 1995-2022 Jean-loup Gailly and Mark Adler, Copyright (c) 1998 Microsoft, Copyright (c) 1998 Microsoft. To, Copyright (c) 1999 Lucent Technologies, Copyright (c) 2004-2006 Intel Corporation, Copyright (c) 2005-2007, Nick Galbreath, Copyright (c) 2005-2020 Rich Felker, Copyright (c) 2006 Jb Evain ([email protected]), Copyright (c) 2007 James Newton-King, Copyright (c) 2008-2016, Wojciech Mula, Copyright (c) 2008-2020 Advanced Micro Devices, Inc., Copyright (c) 2009, 2010, 2013-2016 by the Brotli Authors, Copyright (c) 2011 Novell, Inc (http://www.novell.com), Copyright (c) 2011-2015 Intel Corporation, Copyright (c) 2011-2020 Microsoft Corp, Copyright (c) 2011, Google Inc., Copyright (c) 2012 - present, Victor Zverovich, Copyright (c) 2012-2021 Yann Collet, Copyright (c) 2013-2017, Alfred Klomp, Copyright (c) 2013-2017, Milosz Krajewski, Copyright (c) 2014 Ryan Juckett http://www.ryanjuckett.com, Copyright (c) 2015 The Chromium Authors, Copyright (c) 2015 THL A29 Limited, a Tencent company, and Milo Yip, Copyright (c) 2015 Xamarin, Inc (http://www.xamarin.com), Copyright (c) 2015-2017, Wojciech Mula, Copyright (c) 2016-2017, Matthieu Darbois, Copyright (c) 2017 Yoshifumi Kawai, Copyright (c) 2018 Alexander Chermyanin, Copyright (c) 2019 Microsoft Corporation, Daan Leijen, Copyright (c) 2020 Dan Shechter, Copyright (c) 2020 Mara Bos <[email protected]>, Copyright (c) 2021, Copyright (c) 2021 csFastFloat authors, Copyright (c) 2022, Geoff Langdale, Copyright (c) 2022, Wojciech Mula, 
Copyright (c) Andrew Arnott, Copyright (c) Microsoft Corporation, Copyright (c) Six Labors, Copyright (c) The Internet Society (2003), Copyright (c) The Internet Society 1997, Copyright (c) YEAR W3C(r) (MIT, ERCIM, Keio, Beihang) Disclaimers, Copyright (c) YEAR W3C(r) (MIT, ERCIM, Keio, Beihang). Disclaimers, Copyright 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 The Regents of the University of California, Copyright 2012 the V8 project authors, Copyright 2018 Daniel Lemire, Copyright 2019 LLVM Project, Portions (c) International Organization, Portions (c) International Organization for Standardization 1986</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Extensions.Hosting-8.0.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>RedLock.net</name>
<version>2.3.2</version>
<purl>pkg:nuget/RedLock.net@2.3.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-RedLock.net-2.3.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>EasyCaching.Core</name>
<version>1.7.0</version>
<purl>pkg:nuget/EasyCaching.Core@1.7.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft 2022, Copyright (c) .NET Core Community and Contributors</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-EasyCaching.Core-1.7.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Extensions.Timer</name>
<version>4.3.1</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Extensions.Timer@4.3.1</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Extensions.Timer-4.3.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker</name>
<version>2.0.0</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker@2.0.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker-2.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Sdk</name>
<version>2.0.2</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Sdk@2.0.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright 2000-2022 SharpZipLib Contributors, Copyright 2008 - 2018 Jb Evain, Copyright 2012-2017 Mehdi Khalili</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Sdk-2.0.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues</name>
<version>5.5.2</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues@5.5.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Extensions.Storage.Queues-5.5.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Extensions.Storage</name>
<version>6.7.0</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Extensions.Storage@6.7.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Extensions.Storage-6.7.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.CodeAnalysis.Metrics</name>
<version>4.14.0</version>
<purl>pkg:nuget/Microsoft.CodeAnalysis.Metrics@4.14.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright (c) .NET Foundation, Copyright (c) 2012-2014 Mehdi Khalili, Copyright (c) 2013 Scott Kirkland, Copyright (c) 2013-2014 Omar Khudeira (http://omar.io), Copyright (c) Microsoft</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.CodeAnalysis.Metrics-4.14.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Common.RestClient</name>
<version>2.0.26</version>
<purl>pkg:nuget/Common.RestClient@2.0.26</purl>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Common.RestClient-2.0.26-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.ApplicationInsights</name>
<version>2.0.0</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.ApplicationInsights@2.0.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.ApplicationInsights-2.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.ApplicationInsights.WorkerService</name>
<version>2.23.0</version>
<purl>pkg:nuget/Microsoft.ApplicationInsights.WorkerService@2.23.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.ApplicationInsights.WorkerService-2.23.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>MSTest.TestAdapter</name>
<version>3.6.2</version>
<purl>pkg:nuget/MSTest.TestAdapter@3.6.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-MSTest.TestAdapter-3.6.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Moq</name>
<version>4.18.4</version>
<purl>pkg:nuget/Moq@4.18.4</purl>
<licenses>
<license>
<id>BSD-3-Clause</id>
</license>
</licenses>
<copyright>Copyright (c) 2007, Clarius Consulting, Manas Technology Solutions, InSTEDD, and Contributors</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Moq-4.18.4-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">BSD-3-Clause</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Shouldly</name>
<version>4.2.1</version>
<purl>pkg:nuget/Shouldly@4.2.1</purl>
<licenses>
<license>
<id>BSD-2-Clause</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Shouldly-4.2.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">BSD-2-Clause</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>coverlet.collector</name>
<version>6.0.2</version>
<purl>pkg:nuget/coverlet.collector@6.0.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>Copyright 2008 - 2018 Jb Evain, Copyright James Newton-King 2008, Copyright James Newton-King 2008 Json.NET</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-coverlet.collector-6.0.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.NET.Test.Sdk</name>
<version>17.11.1</version>
<purl>pkg:nuget/Microsoft.NET.Test.Sdk@17.11.1</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright (c) .NET Foundation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.NET.Test.Sdk-17.11.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>MSTest.TestFramework</name>
<version>3.6.2</version>
<purl>pkg:nuget/MSTest.TestFramework@3.6.2</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-MSTest.TestFramework-3.6.2-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>github/codeql-action/autobuild</name>
<version>3.*.*</version>
<purl>pkg:githubactions/github/codeql-action/autobuild@3.%2A.%2A</purl>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-githubactions-githubcodeql-action-autobuild-3..-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>github/codeql-action/init</name>
<version>3.*.*</version>
<purl>pkg:githubactions/github/codeql-action/init@3.%2A.%2A</purl>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-githubactions-githubcodeql-action-init-3..-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>NSubstitute</name>
<version>5.3.0</version>
<purl>pkg:nuget/NSubstitute@5.3.0</purl>
<licenses>
<license>
<id>BSD-3-Clause</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-NSubstitute-5.3.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">BSD-3-Clause</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>coverlet.collector</name>
<version>6.0.4</version>
<purl>pkg:nuget/coverlet.collector@6.0.4</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>Copyright 2008 - 2018 Jb Evain, Copyright James Newton-King 2008, Copyright James Newton-King 2008 Json.NET</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-coverlet.collector-6.0.4-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Shouldly</name>
<version>4.3.0</version>
<purl>pkg:nuget/Shouldly@4.3.0</purl>
<licenses>
<license>
<id>BSD-3-Clause</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Shouldly-4.3.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">BSD-3-Clause</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.NET.Test.Sdk</name>
<version>17.14.1</version>
<purl>pkg:nuget/Microsoft.NET.Test.Sdk@17.14.1</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation, Copyright (c) .NET Foundation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.NET.Test.Sdk-17.14.1-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>MSTest.TestAdapter</name>
<version>3.9.3</version>
<purl>pkg:nuget/MSTest.TestAdapter@3.9.3</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-MSTest.TestAdapter-3.9.3-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>MSTest.TestFramework</name>
<version>3.9.3</version>
<purl>pkg:nuget/MSTest.TestFramework@3.9.3</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-MSTest.TestFramework-3.9.3-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Extensions.Http</name>
<version>3.1.0</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Extensions.Http@3.1.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Extensions.Http-3.1.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Azure.Functions.Worker.Extensions.DurableTask</name>
<version>1.3.0</version>
<purl>pkg:nuget/Microsoft.Azure.Functions.Worker.Extensions.DurableTask@1.3.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Azure.Functions.Worker.Extensions.DurableTask-1.3.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Common.AzStorage</name>
<version>1.2.16</version>
<purl>pkg:nuget/Common.AzStorage@1.2.16</purl>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Common.AzStorage-1.2.16-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>AspNetCore.HealthChecks.Network</name>
<version>7.0.0</version>
<purl>pkg:nuget/AspNetCore.HealthChecks.Network@7.0.0</purl>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-AspNetCore.HealthChecks.Network-7.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">Apache-2.0</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.ApplicationInsights.AspNetCore</name>
<version>2.23.0</version>
<purl>pkg:nuget/Microsoft.ApplicationInsights.AspNetCore@2.23.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.ApplicationInsights.AspNetCore-2.23.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Microsoft.Extensions.Logging.ApplicationInsights</name>
<version>2.23.0</version>
<purl>pkg:nuget/Microsoft.Extensions.Logging.ApplicationInsights@2.23.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Microsoft.Extensions.Logging.ApplicationInsights-2.23.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>SSH.NET</name>
<version>2023.0.0</version>
<purl>pkg:nuget/SSH.NET@2023.0.0</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>Copyright (c) 2006 James Kolpack, Copyright Renci 2010-2023</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-SSH.NET-2023.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>AspNetCore.HealthChecks.Publisher.ApplicationInsights</name>
<version>7.0.0</version>
<purl>pkg:nuget/AspNetCore.HealthChecks.Publisher.ApplicationInsights@7.0.0</purl>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-AspNetCore.HealthChecks.Publisher.ApplicationInsights-7.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">Apache-2.0</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>AspNetCore.HealthChecks.System</name>
<version>7.0.0</version>
<purl>pkg:nuget/[email protected]</purl>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-AspNetCore.HealthChecks.System-7.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">Apache-2.0</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>AspNetCore.HealthChecks.AzureStorage</name>
<version>7.0.0</version>
<purl>pkg:nuget/[email protected]</purl>
<licenses>
<license>
<id>Apache-2.0</id>
</license>
</licenses>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-AspNetCore.HealthChecks.AzureStorage-7.0.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">Apache-2.0</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>Azure.Storage.Queues</name>
<version>12.22.0</version>
<purl>pkg:nuget/[email protected]</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-Azure.Storage.Queues-12.22.0-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>MSTest</name>
<version>3.9.3</version>
<purl>pkg:nuget/[email protected]</purl>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
<copyright>(c) Microsoft Corporation</copyright>
<externalReferences>
<reference type="distribution">
<url>NOASSERTION</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-nuget-MSTest-3.9.3-75c946</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:license-concluded">MIT</property>
<property name="spdx:download-location">NOASSERTION</property>
</properties>
</component>
<component type="library">
<name>com.github.internal/Apps</name>
<version>develop</version>
<purl>pkg:github/internal/Apps@develop</purl>
<externalReferences>
<reference type="distribution">
<url>git+https://github.com/internal/Apps</url>
</reference>
</externalReferences>
<properties>
<property name="spdx:spdxid">SPDXRef-github-internal-Apps-develop-db1e7c</property>
<property name="spdx:files-analyzed">false</property>
<property name="spdx:download-location">git+https://github.com/internal/Apps</property>
</properties>
</component>
</components>
</bom>
-
Hello Everyone,
I am new to OWASP Slack Community.
In our organization, we have configured Dependency Track. We are facing an issue where Dependency Track has difficulty identifying the vulnerabilities in the project.
Background:
We are fetching the SPDX SBOM from GitHub and converting it into a CycloneDX SBOM (XML format) using the CycloneDX CLI. We converted and pushed the SBOMs into Dependency Track.
Issue:
We identified that the XML which we fed into Dependency Track is not compatible/readable for the property "purl", which is the package URL for that component.
Example:
We are feeding one of the components in the format below.
Tried to push the component block which
<purl>....</purl>
block
Converted SBOM:
As per XML schema structure version: 1.6 "http://cyclonedx.org/schema/bom/1.6"
I could see the XML tag
<purl>......</purl>
is allowed. Please find the attached snapshot below. Even though we are passing a valid structure, it fails during CycloneDX validation.
What is Expected:
Need your help to fix the issue by any other means. I have tried to convert the SPDX SBOM to CycloneDX JSON format, which is not giving any component details.
Only the skeleton is getting created.
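A pre-upload check for the SPDX-to-CycloneDX pipeline described in the post, as an added example that is not part of the original thread or of Dependency-Track or the CycloneDX CLI: it flags components whose child elements are out of the order the CycloneDX 1.6 XSD defines for `<component>` (the schema uses an ordered sequence) and purls that lack the `pkg:type/name@version` shape. The `ORDER` list (a subset of that sequence, to be confirmed against the XSD you validate with), the `check_bom` function and the sample BOM are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = "http://cyclonedx.org/schema/bom/1.6"  # namespace of the BOM in the thread
# Assumption: subset of the <component> child sequence in the CycloneDX 1.6 XSD;
# confirm against the schema file you validate with.
ORDER = ["name", "version", "description", "scope", "hashes", "licenses",
         "copyright", "cpe", "purl", "externalReferences", "properties"]
# Minimal shape check (pkg:type/[namespace/]name[@version]), not a full purl parser.
PURL_RE = re.compile(r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/[^@\s]+(@[^\s?#]+)?([?#]\S*)?$")

# Constructed sample: the first component puts <purl> before <licenses>,
# the second has a purl without the pkg: scheme.
SAMPLE = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6">
  <components>
    <component type="library">
      <name>Example.Package</name>
      <version>1.0.0</version>
      <purl>pkg:nuget/Example.Package@1.0.0</purl>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>Example.Other</name>
      <version>2.0.0</version>
      <licenses><license><id>MIT</id></license></licenses>
      <purl>nuget/Example.Other@2.0.0</purl>
    </component>
  </components>
</bom>"""

def check_bom(xml_text):
    """Return (component name, problem) tuples for ordering and purl issues."""
    findings = []
    for comp in ET.fromstring(xml_text).iter(f"{{{NS}}}component"):
        name = comp.findtext(f"{{{NS}}}name", default="?")
        tags = [c.tag.split("}", 1)[-1] for c in comp]
        tags = [t for t in tags if t in ORDER]
        ranks = [ORDER.index(t) for t in tags]
        for prev, cur, tag in zip(ranks, ranks[1:], tags[1:]):
            if cur < prev:  # first element that breaks the schema sequence
                findings.append((name, f"<{tag}> appears after <{ORDER[prev]}>"))
                break
        purl = comp.findtext(f"{{{NS}}}purl")
        if purl is None:
            findings.append((name, "no <purl>"))
        elif not PURL_RE.match(purl.strip()):
            findings.append((name, f"purl not parseable: {purl!r}"))
    return findings

if __name__ == "__main__":
    for finding in check_bom(SAMPLE):
        print(finding)
```

Running it against a converted BOM before upload separates ordering problems, which schema validation rejects, from purl values that a consumer cannot parse.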