osv-scanner: No package sources found Error when scanning SBOMs

I have generated a valid SPDX file from vcpkg, then I try to use it with osv-scanner, but it reports `no package sources found`. Can you please help me with this issue? vcpkg.spdx.zip

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (1 by maintainers)

Most upvoted comments

spdx-sbom-generator does not work with osv-scanner at the moment because we rely on the Package URL from SBOMs, which spdx-sbom-generator does not generate.

Looking at the output of spdx-sbom-generator, it has the full package name, but the main element that’s missing for osv-scanner is what ecosystem the package belongs to. If we don’t have that, osv-scanner cannot scan it.

We should improve the documentation and osv-scanner’s error output for SBOM scanning to clarify this.
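The comment above explains the root cause: osv-scanner reads each package's Package URL (purl) from the SBOM, and the purl's type component (`pkg:npm/...`, `pkg:pypi/...`) is what tells it the ecosystem. A quick way to check an SBOM before scanning it is to list which packages carry a purl `externalRef` and which do not. The script below is an added example, not code from osv-scanner or spdx-sbom-generator; the SPDX JSON document embedded in it is constructed for illustration (package names, versions and SPDXIDs are made up), and it assumes the SPDX 2.x JSON layout where purls live under `packages[].externalRefs[]` with `referenceType` set to `purl`.

```python
"""Report which packages in an SPDX JSON SBOM lack the Package URL (purl)
that osv-scanner needs to determine their ecosystem.

Added example, not part of osv-scanner or spdx-sbom-generator.
"""
import json
import sys
from typing import Dict, List

# Constructed sample SBOM: one package with a purl external reference and one
# with only a name and version (the shape the comment above describes).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "vcpkg-example",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-zlib",
            "name": "zlib",
            "versionInfo": "1.2.13",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE-MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:generic/zlib@1.2.13",
                }
            ],
        },
        {
            "SPDXID": "SPDXRef-Package-fmt",
            "name": "fmt",
            "versionInfo": "9.1.0",
            # no externalRefs: name and version only, no ecosystem information
        },
    ],
})


def extract_purls(sbom_json: str) -> Dict[str, List[str]]:
    """Map each package SPDXID to the purl locators found in its externalRefs."""
    doc = json.loads(sbom_json)
    result: Dict[str, List[str]] = {}
    for pkg in doc.get("packages", []):
        purls = [
            ref["referenceLocator"]
            for ref in pkg.get("externalRefs", [])
            if ref.get("referenceType") == "purl" and "referenceLocator" in ref
        ]
        result[pkg["SPDXID"]] = purls
    return result


def packages_without_purl(sbom_json: str) -> List[str]:
    """Names of packages that carry no purl; a scanner keyed on purls has to skip these."""
    doc = json.loads(sbom_json)
    purls = extract_purls(sbom_json)
    return [pkg["name"] for pkg in doc.get("packages", []) if not purls[pkg["SPDXID"]]]


def purl_ecosystem(purl: str) -> str:
    """Return the purl type component (pkg:<type>/...), which identifies the ecosystem."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    return purl[len("pkg:"):].split("/", 1)[0]


def report(sbom_json: str) -> str:
    """Human-readable summary of purl coverage for an SBOM."""
    doc = json.loads(sbom_json)
    names = {pkg["SPDXID"]: pkg["name"] for pkg in doc.get("packages", [])}
    lines = []
    for spdxid, purls in extract_purls(sbom_json).items():
        if purls:
            ecos = ", ".join(purl_ecosystem(p) for p in purls)
            lines.append(f"{names[spdxid]}: purl present (type: {ecos})")
        else:
            lines.append(f"{names[spdxid]}: NO purl, ecosystem unknown")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a path to an SPDX JSON file, or run without arguments for the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SBOM
    print(report(data))
```

Running it against the sample prints one line per package, flagging `fmt` as having no purl. Point it at a real `*.spdx.json` to see whether every package would be identifiable by ecosystem before handing the file to osv-scanner; a file where every package is flagged matches the "no package sources found" outcome described in this issue.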