'component' metadata claims Airflow is an `npm` or `application` #44178
Labels
area:core
kind:bug
needs-triage
Apache Airflow version
2.10.3
If "Other Airflow 2 version" selected, which one?
No response
What happened?
Looking at Airflow SBOMs such as `apache-airflow-sbom-2.10.3-python3.12.json` and `apache-airflow-sbom-2.10.3-python3.12-python-only.json`, it identifies the artifact being described by those SBOMs as `pkg:npm/[email protected]` and `pkg:application/[email protected]`. These are Purls, but I'm pretty sure Airflow is not an npm package, and `application` does not exist as purl type entirely.
What you think should happen instead?
`pypi` Purl type. If it described Airflow more 'in the abstract', perhaps we should use the `generic` Purl type or introduce an `asf` purl type
How to reproduce
Generate the SBOMs
Operating System
n/a
Versions of Apache Airflow Providers
No response
Deployment
Other
Deployment details
No response
Anything else?
Part of this may be an upstream issue in https://github.com/CycloneDX/cdxgen, but I figured it would be good to first determine what we want to achieve 'concretely' here, and only look at what changes we may or may not need to generalize in upstream tooling after that.
Are you willing to submit PR?
Code of Conduct
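A check for the mismatch reported in this issue, as an added example that is not part of the original issue or of Airflow's or cdxgen's tooling: it reads `metadata.component.purl` from a CycloneDX JSON SBOM and flags a purl type that is unregistered or differs from the expected one. The `example-project` purls, the function names and the `pypi` default are assumptions, and the type list is a partial snapshot of the purl specification.

```python
import json

# Partial snapshot of types registered in the purl specification (assumption: not exhaustive).
KNOWN_PURL_TYPES = {
    "cargo", "composer", "conan", "conda", "cran", "deb", "docker", "gem",
    "generic", "github", "golang", "hex", "maven", "npm", "nuget", "oci",
    "pub", "pypi", "rpm", "swift",
}

def purl_type(purl):
    """Return the lowercased type of a purl; raise ValueError if it is malformed."""
    scheme, sep, rest = purl.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a purl (scheme must be 'pkg'): {purl}")
    # The spec tolerates 'pkg://type/...', so leading slashes are dropped.
    ptype, sep, remainder = rest.lstrip("/").partition("/")
    if not sep or not ptype or not remainder:
        raise ValueError(f"purl has no type/name separator: {purl}")
    return ptype.lower()

def check_root_component(sbom_text, expected_type="pypi"):
    """Return findings for metadata.component.purl of a CycloneDX JSON SBOM."""
    bom = json.loads(sbom_text)
    component = (bom.get("metadata") or {}).get("component") or {}
    purl = component.get("purl")
    if not purl:
        return ["metadata.component has no purl"]
    try:
        ptype = purl_type(purl)
    except ValueError as exc:
        return [str(exc)]
    if ptype not in KNOWN_PURL_TYPES:
        return [f"unregistered purl type '{ptype}': {purl}"]
    if ptype != expected_type:
        return [f"purl type '{ptype}' is not the expected '{expected_type}': {purl}"]
    return []

def make_sbom(purl):
    """Build a minimal constructed CycloneDX document with the given root purl."""
    component = {"type": "application", "name": "example-project", "purl": purl}
    return json.dumps({"bomFormat": "CycloneDX", "metadata": {"component": component}})

if __name__ == "__main__":
    # Constructed sample purls, not values taken from a real SBOM.
    for sample in ("pkg:npm/example-project@1.0.0",
                   "pkg:application/example-project@1.0.0",
                   "pkg:pypi/example-project@1.0.0"):
        print(sample, "->", check_root_component(make_sbom(sample)) or "ok")
```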