[SPDX][JSON] SBOM required field 'checksum' is missing/incorrect

[surendrapathak]

Summary

SPDX value format is missing or incorrect for checksum under files

Background

1. Download trivy version 0.36.1
2. Generate sbom with trivy image --list-all-pkgs --format {trivy_format} --output {out_file} {image}:{version} for ruby tag 3.13-alpine3.17
3. Observe the following error:

SPDX value format is missing or incorrect for checksum

		{
			"SPDXID": "SPDXRef-File-13c84467a7e68326",
			"fileName": "usr/local/lib/ruby/gems/3.1.0/specifications/default/mutex_m-0.1.1.gemspec"
		},

Expected behavior

checksum should be valid SPDX value under files

Screenshots

If applicable, add screenshots to help explain the problem.

Repository

Which repository causes this error?

• ruby:3.1.3-alpine3.17

Additional Context

Optional - add any other context about the problem here.

Acceptance Criteria

The "done" criteria when this feature or problem is resolved. Such as:

1. Unit Tests added and running in CI
2. Functional Tests updated to cover feature, if applicable
3. Demonstrate the set of capabilities to the product team

References

Limited to SPDX.
Finder: sbomqs
SBOM: sbomlc-ruby-alpine

[knqyf263]

It is an optional field. I don't think it is a bug.
https://spdx.github.io/spdx-spec/v2.3/package-information/#710-package-checksum-field

[surendrapathak]

Thanks for checking it out @knqyf263 . The checksum is optional in the context of packages, as you mentioned. However, the attached SBOM is using them within the files context starting at Line 15. checksum for files is a required field: https://spdx.github.io/spdx-spec/v2.3/file-information/#84-file-checksum-field

(The filing tool had NULL for the file, attaching actual file)
trivy-0.36.1_ruby-3.1.3-alpine3.17.spdx.json.txt

[knqyf263]

Not sure why files are filled. We'll remove it then.