You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I was hoping to use this script to merge them. Sadly, it does not work.
Reproduction:
Build a vcpkg (manifest mode) project
Copy all sboms to a folder
#!/bin/bash
# Define the source and target directories
source_dir="..../vcpkg_installed/x64-linux-gcc/share"
target_dir="./inputs"
# Create the target directory if it doesn't exist
mkdir -p "$target_dir"
# Find and copy files
find "$source_dir" -name "*.spdx.json" | while read file; do
# Extract the folder name
folder_name=$(basename $(dirname "$file"))
# Construct the new file name
new_file_name="${folder_name}_vcpkg.spdx.json"
# Copy and rename the file
cp "$file" "$target_dir/$new_file_name"
done
Run spdxme gives tons of errors and empt result files.
SPDXMerge (main?) $ python spdxmerge/SPDXMerge.py --docpath inputs --outpath outputs --name test_merge --mergetype 0 --author kuga --email [email protected] --filetype J --docnamespace https://spdx.kuga.test_merge
Invalid DocumentNamespace value https://spdx.org/spdxdocs/vcpkg-cmake-config-x64-linux-gcc-2022-02-06#1-7498f07b-2af3-44f7-a429-ebf15a7ad5f3, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
re2:x64-linux-gcc@2023-02-01 e4bfe9e2439103bfd7e75c27f697958af86aac0d6388695f18f4a1f7c121a8ae: ./portfile.cmake: At least one file checksum algorithm must be SHA1
re2:x64-linux-gcc@2023-02-01 e4bfe9e2439103bfd7e75c27f697958af86aac0d6388695f18f4a1f7c121a8ae: ./vcpkg.json: At least one file checksum algorithm must be SHA1
Invalid DocumentNamespace value https://spdx.org/spdxdocs/argagg-x64-linux-gcc-0.4.6#2-13663110-be86-4016-8245-b057bc25d2e6, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
Invalid DocumentNamespace value https://spdx.org/spdxdocs/liblzma-x64-linux-gcc-5.4.1#1-803ec2a4-b1b4-4460-8675-a8f272b6ff63, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./protobuf-targets-vcpkg-protoc.cmake: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./fix-static-build.patch: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./portfile.cmake: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./vcpkg-cmake-wrapper.cmake: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./fix-default-proto-file-path.patch: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./compile_options.patch: At least one file checksum algorithm must be SHA1
protobuf:[email protected] 9e4c9425913fc7730a69cb8cbbf4c3146a616f72ec3fc21a98000e0cc08fa32a: ./vcpkg.json: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./vcpkg_cmake_install.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./vcpkg_cmake_build.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./portfile.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./vcpkg_cmake_configure.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./vcpkg.json: At least one file checksum algorithm must be SHA1
vcpkg-cmake:x64-linux-gcc@2022-12-22 bef7b61e3c8bb9414a12a4e2b77d4f813bd9b2d26a353c1566e9663e8243dae4: ./vcpkg-port-config.cmake: At least one file checksum algorithm must be SHA1
zeromq:x64-linux-gcc@2023-01-31 1c7aaa47ccd0bf598d0ce2e41a1f58123add5ecea3d6e98366279a14d689adf2: ./fix-arm.patch: At least one file checksum algorithm must be SHA1
zeromq:x64-linux-gcc@2023-01-31 1c7aaa47ccd0bf598d0ce2e41a1f58123add5ecea3d6e98366279a14d689adf2: ./portfile.cmake: At least one file checksum algorithm must be SHA1
zeromq:x64-linux-gcc@2023-01-31 1c7aaa47ccd0bf598d0ce2e41a1f58123add5ecea3d6e98366279a14d689adf2: ./vcpkg-cmake-wrapper.cmake: At least one file checksum algorithm must be SHA1
zeromq:x64-linux-gcc@2023-01-31 1c7aaa47ccd0bf598d0ce2e41a1f58123add5ecea3d6e98366279a14d689adf2: ./vcpkg.json: At least one file checksum algorithm must be SHA1
upb:x64-linux-gcc@2022-06-21 1c05127454ec8e0063bab375d78331d62dde7080334fcc1fd5e1af6964a37dea: ./upb-config-vcpkg-tools.cmake: At least one file checksum algorithm must be SHA1
upb:x64-linux-gcc@2022-06-21 1c05127454ec8e0063bab375d78331d62dde7080334fcc1fd5e1af6964a37dea: ./0001-make-cmakelists-py.patch: At least one file checksum algorithm must be SHA1
upb:x64-linux-gcc@2022-06-21 1c05127454ec8e0063bab375d78331d62dde7080334fcc1fd5e1af6964a37dea: ./portfile.cmake: At least one file checksum algorithm must be SHA1
upb:x64-linux-gcc@2022-06-21 1c05127454ec8e0063bab375d78331d62dde7080334fcc1fd5e1af6964a37dea: ./0002-fix-uwp.patch: At least one file checksum algorithm must be SHA1
upb:x64-linux-gcc@2022-06-21 1c05127454ec8e0063bab375d78331d62dde7080334fcc1fd5e1af6964a37dea: ./vcpkg.json: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00014-pkgconfig-upbdefs.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./snprintf.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00002-static-linking-in-linux.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00005-fix-uwp-error.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00004-link-gdi32-on-windows.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00009-use-system-upb.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./portfile.cmake: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00012-fix-use-cxx17.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00015-disable-download-archive.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00001-fix-uwp.patch: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./vcpkg-cmake-wrapper.cmake: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./gRPCTargets-vcpkg-tools.cmake: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./vcpkg.json: At least one file checksum algorithm must be SHA1
grpc:[email protected] 2310c0152de5a5e16ba0279a01d1f5ce4e0dda2a29f50c67ad0048942e90e872: ./00003-undef-base64-macro.patch: At least one file checksum algorithm must be SHA1
docopt:x64-linux-gcc@2022-03-15 f07c7573b312c3ebb7b80bc59528745a648526bf91077bba02e335a88872ba2b: ./vcpkg.json: At least one file checksum algorithm must be SHA1
docopt:x64-linux-gcc@2022-03-15 f07c7573b312c3ebb7b80bc59528745a648526bf91077bba02e335a88872ba2b: ./portfile.cmake: At least one file checksum algorithm must be SHA1
nanopb:[email protected] feef9837eb008c8d7c307bb5d26f9dfabb0c42b6a4c34919c8f10bead0bf8c7a: ./vcpkg.json: At least one file checksum algorithm must be SHA1
nanopb:[email protected] feef9837eb008c8d7c307bb5d26f9dfabb0c42b6a4c34919c8f10bead0bf8c7a: ./portfile.cmake: At least one file checksum algorithm must be SHA1
nanopb:[email protected] feef9837eb008c8d7c307bb5d26f9dfabb0c42b6a4c34919c8f10bead0bf8c7a: ./fix-cmakelist-and-pb-header.patch: At least one file checksum algorithm must be SHA1
Invalid DocumentNamespace value https://spdx.org/spdxdocs/czmq-x64-linux-gcc-4.2.1#1-48ece821-221b-44b9-9aad-1c924972e832, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./usage: At least one file checksum algorithm must be SHA1
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./fix-main-lib-path.patch: At least one file checksum algorithm must be SHA1
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./portfile.cmake: At least one file checksum algorithm must be SHA1
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./vcpkg.json: At least one file checksum algorithm must be SHA1
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./clang-tidy-no-lint.patch: At least one file checksum algorithm must be SHA1
gtest:[email protected] 38aa7c789ac97561673c9232387870a1345fc840468d42f66c6dc725513bdaed: ./001-fix-UWP-death-test.patch: At least one file checksum algorithm must be SHA1
Invalid DocumentNamespace value https://spdx.org/spdxdocs/openssl-x64-linux-gcc-3.0.8#2-2d149306-45e5-47ce-9f82-252aa1487599, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
c-ares:[email protected] 9e77b1514feadac931dacca0c8a5ec86c383dd7675f5811ff1472143e4b8d1ef: ./avoid-docs.patch: At least one file checksum algorithm must be SHA1
c-ares:[email protected] 9e77b1514feadac931dacca0c8a5ec86c383dd7675f5811ff1472143e4b8d1ef: ./usage: At least one file checksum algorithm must be SHA1
c-ares:[email protected] 9e77b1514feadac931dacca0c8a5ec86c383dd7675f5811ff1472143e4b8d1ef: ./portfile.cmake: At least one file checksum algorithm must be SHA1
c-ares:[email protected] 9e77b1514feadac931dacca0c8a5ec86c383dd7675f5811ff1472143e4b8d1ef: ./fix-uwp.patch: At least one file checksum algorithm must be SHA1
c-ares:[email protected] 9e77b1514feadac931dacca0c8a5ec86c383dd7675f5811ff1472143e4b8d1ef: ./vcpkg.json: At least one file checksum algorithm must be SHA1
vcpkg-cmake-get-vars:x64-linux-gcc@2023-03-02 2a5e8eecac7456c705c98f2ca457a8ecf9fe5aabc81dd7a3fd1920bb5f59bbf4: ./cmake_get_vars/CMakeLists.txt: At least one file checksum algorithm must be SHA1
vcpkg-cmake-get-vars:x64-linux-gcc@2023-03-02 2a5e8eecac7456c705c98f2ca457a8ecf9fe5aabc81dd7a3fd1920bb5f59bbf4: ./vcpkg_cmake_get_vars.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake-get-vars:x64-linux-gcc@2023-03-02 2a5e8eecac7456c705c98f2ca457a8ecf9fe5aabc81dd7a3fd1920bb5f59bbf4: ./portfile.cmake: At least one file checksum algorithm must be SHA1
vcpkg-cmake-get-vars:x64-linux-gcc@2023-03-02 2a5e8eecac7456c705c98f2ca457a8ecf9fe5aabc81dd7a3fd1920bb5f59bbf4: ./vcpkg.json: At least one file checksum algorithm must be SHA1
vcpkg-cmake-get-vars:x64-linux-gcc@2023-03-02 2a5e8eecac7456c705c98f2ca457a8ecf9fe5aabc81dd7a3fd1920bb5f59bbf4: ./vcpkg-port-config.cmake: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./disable-docs.patch: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./usage: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./portfile.cmake: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./fix_cmakelist.patch: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./vcpkg-cmake-wrapper.cmake: At least one file checksum algorithm must be SHA1
libxml2:[email protected] 5f19d8eb3f71b6cab356ab6491f12c5cbecdaaee5abf4f7b82967739d2a1c755: ./vcpkg.json: At least one file checksum algorithm must be SHA1
Invalid DocumentNamespace value https://spdx.org/spdxdocs/abseil-x64-linux-gcc-20230125.0#1-423928bb-d7c9-47a3-8b07-c16465204d99, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
Invalid DocumentNamespace value https://spdx.org/spdxdocs/cppunit-x64-linux-gcc-1.15.1#3-ed300dfd-7805-4569-b406-cd2ffae89c43, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./0003-build-static-or-shared-not-both.patch: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./0001-Prevent-invalid-inclusions-when-HAVE_-is-set-to-0.patch: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./usage: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./portfile.cmake: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./0002-skip-building-examples.patch: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./0004-android-and-mingw-fixes.patch: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./vcpkg-cmake-wrapper.cmake: At least one file checksum algorithm must be SHA1
zlib:[email protected] 57bd5c331cf6ffc18721d5875ad308139716ee37098addc66dbeeb8368cd74f1: ./vcpkg.json: At least one file checksum algorithm must be SHA1
Invalid DocumentNamespace value https://spdx.org/spdxdocs/libiconv-x64-linux-gcc-1.17#1-f68fd2bd-3b9d-4b9f-9b21-290cf213d59a, must contain a scheme (e.g. "https:") and should not contain the "#" delimiter.
Document is Invalid:
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
test_merge: ExternalDocumentRef has no SPDX Document URI.
File outputs/merged-SBoM-shallow.json is generated
The text was updated successfully, but these errors were encountered:
KUGA2
changed the title
Merging vcpkg creates sboms
Merging vcpkg created sboms
Jun 27, 2024
Has anyone tried this?
vcpkg generates a SPDX file containing the SBOM information for each package that is installed. The files are located in <installed_dir>//share//vcpkg.spdx.json.
https://learn.microsoft.com/en-us/vcpkg/reference/software-bill-of-materials
I was hoping to use this script to merge them. Sadly, it does not work.
Reproduction:
(Folder uploaded for reproduction
inputs.zip )
The text was updated successfully, but these errors were encountered: