Improve SPDX import by generating generic PURLs when missing#2049

Open
Monal-Reddy wants to merge 1 commit into aboutcode-org:main from Monal-Reddy:fix-spdx-generic-purl

Conversation

@Monal-Reddy

Fixes #1914

This PR improves the load_sbom pipeline handling of SPDX SBOMs by generating a fallback pkg:generic PURL when an SPDX package does not provide an explicit PURL but does include a name and version.

This avoids classifying such packages as pkg:unknown, improving package typing and downstream reporting for SPDX-based Python SBOMs.

Tested locally using ScanCode.io with:

  • Python-3.13.9.tgz.spdx.json
  • load_sbom pipeline

Previously affected packages such as CPython, expat, libb2, and mpdecimal are now correctly represented as pkg:generic/*.

Signed-off-by: Monal-Reddy <monalreddy001@gmail.com>
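The fallback the PR describes, written out as an added example. This is not ScanCode.io's code and not the PR's diff: it walks the `packages` array of an SPDX 2.x JSON document, keeps an explicit `purl` external reference when one is present, and only otherwise builds `pkg:generic/<name>@<version>` from `name` and `versionInfo`. The function names, the sample document and the simplified percent-encoding (stricter than the PURL spec requires) are assumptions made for the example; packages that still cannot be typed are returned as `None`, since how the pipeline spells `pkg:unknown` is not modelled here.

```python
"""Added example (not ScanCode.io's own code): choose a PURL for each package
in an SPDX 2.x JSON document, falling back to pkg:generic when the package has
no purl external reference but does carry a name and a version."""
import json
from urllib.parse import quote

# SPDX 2.x uses these literals where a value is deliberately not stated;
# they must never end up inside a PURL.
SPDX_NO_VALUE = {"NOASSERTION", "NONE"}

# Constructed SPDX 2.3 JSON document for the example. The package names echo
# the PR description; versions, SPDXIDs and external refs are made up.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {   # explicit purl: used verbatim, the fallback must not override it
            "SPDXID": "SPDXRef-Package-pip", "name": "pip", "versionInfo": "25.2",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl",
                              "referenceLocator": "pkg:pypi/pip@25.2"}]},
        {   # no purl, but name and version: pkg:generic fallback
            "SPDXID": "SPDXRef-Package-CPython", "name": "CPython", "versionInfo": "3.13.9"},
        {   # no purl and a name that needs percent-encoding
            "SPDXID": "SPDXRef-Package-demo", "name": "demo lib", "versionInfo": "1.0"},
        {   # no purl and versionInfo is NOASSERTION: nothing reliable to key on
            "SPDXID": "SPDXRef-Package-libb2", "name": "libb2", "versionInfo": "NOASSERTION"},
        {   # a non-purl external ref (CPE) must not be mistaken for a purl
            "SPDXID": "SPDXRef-Package-mpdecimal", "name": "mpdecimal", "versionInfo": "4.0.0",
            "externalRefs": [{"referenceCategory": "SECURITY",
                              "referenceType": "cpe23Type",
                              "referenceLocator": "cpe:2.3:a:bytereef:mpdecimal:4.0.0:*:*:*:*:*:*:*"}]},
    ],
})


def explicit_purl(package):
    """Return the purl external reference of an SPDX package, or None."""
    for ref in package.get("externalRefs") or []:
        locator = ref.get("referenceLocator") or ""
        if ref.get("referenceType") == "purl" and locator.startswith("pkg:"):
            return locator
    return None


def spdx_value(package, key):
    """Return a trimmed string field, treating NOASSERTION/NONE as absent."""
    value = (package.get(key) or "").strip()
    return "" if value in SPDX_NO_VALUE else value


def generic_purl(name, version):
    """Build pkg:generic/<name>@<version>. Assumption: percent-encode everything
    outside the unreserved set so '/', '@', ':' and spaces cannot break the PURL."""
    return f"pkg:generic/{quote(name, safe='')}@{quote(version, safe='')}"


def resolve_purl(package):
    """Explicit purl first; else pkg:generic if name and version are both known;
    else None (the pipeline reports such packages as pkg:unknown)."""
    purl = explicit_purl(package)
    if purl:
        return purl
    name = spdx_value(package, "name")
    version = spdx_value(package, "versionInfo")
    if name and version:
        return generic_purl(name, version)
    return None


def purls_from_spdx(spdx_json_text):
    """Map each package SPDXID in the document to its resolved PURL (or None)."""
    doc = json.loads(spdx_json_text)
    return {pkg["SPDXID"]: resolve_purl(pkg) for pkg in doc.get("packages", [])}


if __name__ == "__main__":
    for spdxid, purl in purls_from_spdx(SAMPLE_SPDX).items():
        print(f"{spdxid}: {purl}")
```

The two guards worth keeping when porting this into a pipeline are the `referenceType == "purl"` check (an SPDX package can carry CPE or other locators in `externalRefs`, and only a purl locator may be trusted as one) and the `NOASSERTION` filter, which stops a placeholder from being baked into a `pkg:generic` identifier that downstream matching would treat as a real version.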
@Monal-Reddy (Author)

For reference, here is the result after applying this fix locally.

Packages previously classified as pkg:unknown/* are now resolved as pkg:generic/* when loading the Python 3.13.9 SPDX SBOM via load_sbom.

[image]

I found this an interesting area; if this looks good to you, I'd be happy to work on the subsequent issues as you have mentioned.

Development

Successfully merging this pull request may close these issues.

Improve SPDX import from Python SBOMs

1 participant

Comments