From 48190233f4de9ae62b2a89e7b50345ceff174277 Mon Sep 17 00:00:00 2001 From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com> Date: Wed, 4 Dec 2024 14:58:36 -0500 Subject: [PATCH] fix: emit NOASSERTION for copyright text to fix SPDX 2.2 validation failure (#3495) * fixes issue #3346 Signed-off-by: Fearkin * chore: update schema and unit tests to reflect new copyright property Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> * chore: revert schema changes Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> * fix: noassert copyright on spdx root package Signed-off-by: Will Murphy * test: explicitly test spdx 2.2 with tools-java validator Signed-off-by: Will Murphy * test: update snapshot files Signed-off-by: Will Murphy --------- Signed-off-by: Fearkin Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com> 
Signed-off-by: Will Murphy
Co-authored-by: Fearkin
Co-authored-by: Will Murphy
---
 .../common/spdxhelpers/to_format_model.go | 10 +-
 .../snapshot/TestSPDXJSONImageEncoder.golden | 106 ++++++++
 .../snapshot/TestSPDXRelationshipOrder.golden | 246 ++++++++++++++++++
 .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 17408 bytes
 .../TestSPDX22JSONRequredProperties.golden | 4 +-
 .../TestSPDXJSONDirectoryEncoder.golden | 1 +
 .../snapshot/TestSPDXJSONImageEncoder.golden | 1 +
 .../snapshot/TestSPDXRelationshipOrder.golden | 13 +-
 .../snapshot/TestSPDXJSONSPDXIDs.golden | 1 +
 .../snapshot/TestSPDXRelationshipOrder.golden | 7 +
 .../TestSPDXTagValueDirectoryEncoder.golden | 1 +
 .../TestSPDXTagValueImageEncoder.golden | 1 +
 .../snapshot/TestImageEncoder.golden | 16 +-
 .../snapshot/TestTextImageEncoder.golden | 4 +-
 test/cli/spdx_tooling_validation_test.go | 12 +
 15 files changed, 401 insertions(+), 22 deletions(-)
 create mode 100644 syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
 create mode 100644 syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
index 643c5aa9f..4adf40e68 100644
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@@ -247,6 +247,7 @@ func toRootPackage(s source.Description) *spdx.Package {
 PackageSupplier: &spdx.Supplier{
 Supplier: helpers.NOASSERTION,
 },
+ PackageCopyrightText: helpers.NOASSERTION,
 PackageDownloadLocation: helpers.NOASSERTION,
 PackageLicenseConcluded: helpers.NOASSERTION,
 PackageLicenseDeclared: helpers.NOASSERTION,
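Review bot: The added `PackageCopyrightText: helpers.NOASSERTION` line in toRootPackage gives no reason for the fixed value, whereas the file literal in the @@ -631 hunk annotates its NOASSERTION fields; without it a later cleanup could drop the field back to the empty string that, per the commit title and the golden updates, fails SPDX 2.2 validation. Suggest `// required in SPDX 2.2; NOASSERTION states that no copyright determination was made, an empty string fails validation` directly above the line. NOASSERTION is also the value downstream compliance tooling can interpret as an explicit statement, which an empty string is not. toRootPackage starts before this hunk, so fields set earlier in the literal are not visible here.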
@@ -631,10 +632,11 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 FileSPDXIdentifier: toSPDXID(coordinates),
 FileComment: comment,
 // required, no attempt made to determine license information
- LicenseConcluded: noAssertion,
- Checksums: toFileChecksums(digests),
- FileName: coordinates.RealPath,
- FileTypes: toFileTypes(metadata),
+ LicenseConcluded: noAssertion,
+ FileCopyrightText: noAssertion,
+ Checksums: toFileChecksums(digests),
+ FileName: coordinates.RealPath,
+ FileTypes: toFileTypes(metadata),
 LicenseInfoInFiles: []string{ // required in SPDX 2.2
 helpers.NOASSERTION,
 },
diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
new file mode 100644
index 000000000..737aed468
--- /dev/null
+++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
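Review bot: The existing comment `// required, no attempt made to determine license information` now sits above the new `FileCopyrightText: noAssertion` line as well but only speaks of licenses, so it understates what the literal asserts; update it to `// required in SPDX 2.2; no attempt is made to determine license or copyright information`. The four removed/re-added lines for LicenseConcluded, Checksums, FileName and FileTypes read identically here and are presumably gofmt re-alignment after the longer FileCopyrightText key was inserted, so nothing to raise on them. toFiles starts before this hunk and its append call continues past it.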
@@ -0,0 +1,106 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "user-image-input", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-v0.42.0-bogus" + ], + "created":"redacted" + }, + "packages": [ + { + "name": "package-1", + "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "versionInfo": "1.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "a-purl-1" + } + ] + }, + { + "name": "package-2", + "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "versionInfo": "2.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1" + } + ] + }, + { + "name": "user-image-input", + "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input", + "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": 
false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=" + } + ], + "primaryPackagePurpose": "CONTAINER" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden new file mode 100644 index 000000000..91df6366f --- /dev/null +++ b/syft/format/internal/testutil/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden 
@@ -0,0 +1,246 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "user-image-input", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-v0.42.0-bogus" + ], + "created":"redacted" + }, + "packages": [ + { + "name": "package-1", + "SPDXID": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "versionInfo": "1.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "a-purl-1" + } + ] + }, + { + "name": "package-2", + "SPDXID": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + "versionInfo": "2.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:*:some:package:2:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:deb/debian/package-2@2.0.1" + } + ] + }, + { + "name": "user-image-input", + "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input", + "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": 
false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=" + } + ], + "primaryPackagePurpose": "CONTAINER" + } + ], + "files": [ + { + "fileName": "/a1/f6", + "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/d1/f3", + "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/d2/f4", + "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/f1", + "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/f2", + "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd", + "fileTypes": [ + "OTHER" + 
], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "/z1/f5", + "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174", + "fileTypes": [ + "OTHER" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "0000000000000000000000000000000000000000" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "NOASSERTION" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-python-package-1-c5cf7ac34cbca450", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Image-user-image-input", + "relatedSpdxElement": "SPDXRef-Package-deb-package-2-4b756c6f6fb127a3", + 
"relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Image-user-image-input", + "relationshipType": "DESCRIBES" + } + ] +} 
diff --git a/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/format/internal/testutil/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 888146329626231a4e0190a5e7929e777a0e8156..90b0e78e6bd8375113c8fa5637f935cbc38063af 100644 GIT binary patch literal 17408 zcmeHOZExE)5YFfQ3QzmESSBgH$-q8zZGjFL&|%FwU`0{zHPLEIh9n2cg8cWLB)=(( z>$I}EWRsAkM5*B71Ys0$d@^Fa za3XCAva#*t?Z>J;?Dj8M6U;cEUlrFZpyU52jc zq^19aL|`sPopo{#KdtKjx&Ge-i4CR!;VQ<+z_h~>z*J+3j26OhZBFL|VCvPZaHqkhE?dH2?pC@Sx~?kE z%InSj>xE0(bn4RU)BqE!_Ak@RV45yxv(w=D9LCn%{xnzTD@NaDv*p|s>nFcw`Nt$Z zf03-XeVLZ|^&(3uAvb+rr#~)}*@o25O1s&r`)w_m$1jg}!7tCwUi~mx7WrhB88w>} zI!UKHpss3)a2ve;5`j)&WqhtgRcy4 z0)>|S#~e`&=3Q9rqS*1u#52XIQ&eJy40kGyJhsL}E{d48H0Ca53~54yre@E057>Xi z3BGIp38#bo-y_bWR;QEfJk1sWr;+4u~hY5g}?>Q7nff6;)n^uJPe&ZHyMD;*Q? z{$gjiH-r)E43n|sh8l3@WemHowA4nz2uCBYHJFEe@!A3X$Apl(`X50UIQV}@)%5#` z-2{6!wXHW*`z=S>r&~VFB&fWUhr4PoxFt71dA+E7m6^JBc>#m6iT5883(wvKP1rxR-g(EdG!h(e z2?gY1BRp1wOHh4mE%*Z{vYZR)sfxXZb^^S9Y^Bqb0o4_yNLmZNJ{4YbZIriyBCM(Q zL>P<^1QyJ41oj0XZLpLwhL{5a4P!0*a}&J3eR3Yu{d)COYTNd|NTB8a0jMun#Ngy7mI{CXfcOZvfWVu`M6o8)b2yl_4zZZS69y;& zrkpAzgowd++%v2L`#(k$_WbR2f(QVSaQ-`-|LhUy5vy;4!d$qydJEBElEEy9B0s4F2KzWeBAb~*wg9ILj1d`OctFVgS`s3%& z{x2Zsca#6ws*(W5H54)~ zlKEohrjjAf4Z}!EZ7qRBSD|DKiP8=s8Y9o)DUF>V-W$l86R0}#cDTy3Cd4oetY-On z2=vnpSH+5}-1%_DS?AZ>-fn~X%?$Kt0uJauW|*|`KREwG!};%4Nqf8lReiq7n+{r7 zK-XL_Sj@k=MRumnn^cqDl?PH_er}RnAhV@4l&-J_45dY{Gr+cH^-Z?SO_lHsR=EBG zXWE%GkoqEMvw=w~#IH&bYQvnJnF8qbSgA&RjIZ5=?{7kOC`0~tb(#Z~6PCc{5NH(O5QUK7xYKgD{Vz%&hdsJT zAgwlWMPK7Pr2l05ZE)4J(tlok|2yFSea*<0E_faXJhRF>=^S!QgYHhm?GxQ%x56Io O1_=xj7$oqBB=9#~`e?=g literal 15360 zcmeHOTW{Mo6!!Ceg~z@6!iy+U2KLZ31zMn3iZ<(j6-7Z&hly5OG9?Mjs2WgCIg^8-Z11{zja6Bh0*BPKr{>Xi z9@K>o+e>|NPQ$YiPnCIJEms8cW4s-~Nota4_s_lP?YGrtBxTKb!P| z@(tSl{KydK?En9kdDikwZT=r}cIf|%QSbjPupXuOilhmdk*?E#jEF73R8V)uB1OlP z;qQ#nS@Zj+u8?PyNi!%u;FU|y$?S?e&&w(^3&2)b<0M~Th1>LBB^2wDCsk$a#hWTg 
zGct2#Uc!iM^YT^o|4b;b>89pcb-BGhT|&0sPm?;$EDmB*|5^5l%(B&dJ|a&S_(bc= z7YlQ~8R*-5zFI(eQ}TCSd`z?RlXNrMXIWKTF7q_Qajn~)W`C^G`L?T<7*)+T&96r! z$4fF#v(;yEeH5#HeJ5QFKb@OPC?<6bb?4FI{{faC_&=vYc>li>&?6R<`2t)zhcTN} zpQ|Hwywg>S{VC;PV}HS^!a#9A8B+nq|Gh*eKY9FDU8Lo(o&duOQx5A_G-Oq|V?2N9 z5%36j1Uv#iBm%KhT7VHWFv3wDOREwN79?kyQYQh=96||+jAO}I=%muXR1$*bF$9zD z{EzYAF#f|;K<>Z)eN4D3VhVeaR$!}DQL`IUEW%*T);1iiVMFi8t0!mAf1j?(Vmi;Q znNQ0&&1O64ZSuCD$yz7zlDr?0J*G6p+w2h|q(ZkW5*LBRm_}o+&lsO^F%xovR3TJc zYgzM2j9jX`KxX&us->BTM5IH>8Wy^ysUKo&NS>UWG{Mh0`W;U9qv7Fi!?r7H2*V;Kbf9#MIb7h+(!>I@G7u88l;t`U ziiJv3M}r7r^8UJSI^2iLJ*saX*m$!=&>1PahMdv;7}P|KWc9w-56Vy#CV*%#Zdao&Em^@jrh357vJf zmCVQgeN38-{?m0DV9>WT#X3ChDk;>l_Et-3WdUAQx=U61E>yN7@yh$lbT#?BuTFOd zRo>xR-yL7+>i7?%|1qV!{?o_nf3RKgXcihC=9caH-}?K%r~mo*|6z=A&}*ap@~!aq z>p`(kdIUTI9s!TQ4~oFTWT}I)`WhYYTOnxs{!1x#_JZU8191Nj^Zfr?;l5Wp)Xtu6 zc4LyGXu(LUUc)j!Gv{kjse%IX(&kGTyYzD{GLF-FBjvbE7t1-!@GmD}XeFas$4SCf z;1tSA5Jf;y1fnj)QWS#}cg{vqD%6QkduG~E;M__SiALmQy$7+mUDvgTTRKy(LUh$e zwtFK{$$J0Gz3kFgX+Wep2{x_(uTKj((djIcb3S5!0#Y1b^xU-Ya aIy)1&zJ8n@)Qg$?O*{e~0gu4Z5%>?wzl}ox diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden index 118247b1d..8614a8c6d 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden @@ -48,7 +48,7 @@ }, { "SPDXID": "SPDXRef-DocumentRoot-Unknown-", - "copyrightText": "", + "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", @@ -71,7 +71,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "", + "copyrightText": "NOASSERTION", "comment": "layerID: ac897d978b6c38749a1" } ], 
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index 35433f6f5..6298e796a 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -69,6 +69,7 @@ "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "primaryPackagePurpose": "FILE" } ], diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 737aed468..f2c43a5ef 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -76,6 +76,7 @@ ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 54533ae4c..138166baa 100644 --- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -76,6 +76,7 @@ ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -103,7 +104,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/d1/f3", @@ -121,7 +122,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/d2/f4", 
@@ -139,7 +140,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/f1", @@ -157,7 +158,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/f2", @@ -175,7 +176,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" }, { "fileName": "/z1/f5", @@ -193,7 +194,7 @@ "licenseInfoInFiles": [ "NOASSERTION" ], - "copyrightText": "" + "copyrightText": "NOASSERTION" } ], "relationships": [ diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index dd946aa23..626f0ea53 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -18,6 +18,7 @@ PrimaryPackagePurpose: FILE FilesAnalyzed: false PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ##### Package: @at-sign diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden index 75cab71eb..ac7a8585d 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden @@ -16,6 +16,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /d1/f3 SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f 
@@ -23,6 +24,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /d2/f4 SPDXID: SPDXRef-File-d2-f4-c641caa71518099f @@ -30,6 +32,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /f1 SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c @@ -37,6 +40,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /f2 SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd @@ -44,6 +48,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION FileName: /z1/f5 SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 @@ -51,6 +56,7 @@ FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION LicenseInfoInFile: NOASSERTION +FileCopyrightText: NOASSERTION ##### Package: user-image-input @@ -64,6 +70,7 @@ FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2 diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index bccd8acc0..77a52d6f3 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden 
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -18,6 +18,7 @@ PrimaryPackagePurpose: FILE FilesAnalyzed: false PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ##### Package: package-2 diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index c93fb6329..8818fda7a 100644 --- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -20,6 +20,7 @@ FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 PackageLicenseConcluded: NOASSERTION PackageLicenseDeclared: NOASSERTION +PackageCopyrightText: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2 diff --git a/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden b/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden index f013f2026..5168d855c 100644 --- a/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden +++ b/syft/format/syftjson/test-fixtures/snapshot/TestImageEncoder.golden @@ -9,7 +9,7 @@ "locations": [ { "path": "/somefile-1.txt", - "layerID": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f", + "layerID": "sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45", "accessPath": "/somefile-1.txt" } ], @@ -49,7 +49,7 @@ "locations": [ { "path": "/somefile-2.txt", - "layerID": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb", + "layerID": "sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c", "accessPath": "/somefile-2.txt" } ], 
@@ -77,13 +77,13 @@ ], "artifactRelationships": [], "source": { - "id": "34d40fdc6ca13e9a3fa18415db216b50bff047716fae7d95a225c09732fe83fb", + "id": "62d3f24eca2930d1ebfe6ee78ef47964fd8dc624b2e22886275facf322d1720a", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", "type": "image", "metadata": { "userInput": "user-image-input", - "imageID": "sha256:bf783ea304a3f02b5c7d2ece521800f5e2182e65ed5bb5116f578e17d6e82be4", + "imageID": "sha256:35a6658e24fab92eae9ec6fc252dec58986c4c007891758d4d37c7e43fbbe0c5", "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368", "mediaType": "application/vnd.docker.distribution.manifest.v2+json", "tags": [ 
@@ -93,17 +93,17 @@ "layers": [ { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f", + "digest": "sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45", "size": 22 }, { "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", - "digest": "sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb", + "digest": "sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c", "size": 16 } ], - "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NzIsImRpZ2VzdCI6InNoYTI1NjpiZjc4M2VhMzA0YTNmMDJiNWM3ZDJlY2U1MjE4MDBmNWUyMTgyZTY1ZWQ1YmI1MTE2ZjU3OGUxN2Q2ZTgyYmU0In0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjoxMDBkNWE1NWY5MDMyZmFlYWQyOGI3NDI3ZmEzZTY1MGU0ZjAxNThmODZlYTg5ZDA2ZTE0ODlkZjAwY2I4YzZmIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjAwMGZiOTIwMDg5MGQzYTE5MTM4NDc4YjIwMDIzMDIzYzBkY2UxYzU0MzUyMDA3YzI4NjM3MTY3ODBmMDQ5ZWIifV19", - "config": "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", + "manifest": 
"eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NTgsImRpZ2VzdCI6InNoYTI1NjozNWE2NjU4ZTI0ZmFiOTJlYWU5ZWM2ZmMyNTJkZWM1ODk4NmM0YzAwNzg5MTc1OGQ0ZDM3YzdlNDNmYmJlMGM1In0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjpkZmVmZTYxOGM4OWIwOGZlZjBmOWM3ZjFhMjY4MjUyMWRkZGJlMDNkNjY3OGY0YTlmYjliMDc4MzgxZDhlYjQ1In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjM4ZGRjMjg0N2ZiNmJjYWZkNzQwMWI0YmYyN2MxMDAxNGI1ZDYwZTI0MDBiYzE4ODg5MGM3Y2I3Y2RkN2NkNmMifV19", + "config": "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", "repoDigests": [], "architecture": "", "os": "" diff --git a/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden b/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden index 0c49cecc0..87504c73e 100644 --- a/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden +++ b/syft/format/text/test-fixtures/snapshot/TestTextImageEncoder.golden @@ -1,11 +1,11 @@ [Image] Layer: 0 - Digest: sha256:100d5a55f9032faead28b7427fa3e650e4f0158f86ea89d06e1489df00cb8c6f + Digest: sha256:dfefe618c89b08fef0f9c7f1a2682521dddbe03d6678f4a9fb9b078381d8eb45 Size: 22 MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip Layer: 1 - Digest: sha256:000fb9200890d3a19138478b20023023c0dce1c54352007c2863716780f049eb + Digest: sha256:38ddc2847fb6bcafd7401b4bf27c10014b5d60e2400bc188890c7cb7cdd7cd6c Size: 16 MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip diff --git a/test/cli/spdx_tooling_validation_test.go b/test/cli/spdx_tooling_validation_test.go index cb3d789e7..257c84877 100644 --- a/test/cli/spdx_tooling_validation_test.go +++ b/test/cli/spdx_tooling_validation_test.go 
@@ -50,6 +50,18 @@ func TestSpdxValidationTooling(t *testing.T) {
 images: images,
 env: env,
 },
+ {
+ name: "spdx validation tooling tag value",
+ syftArgs: []string{"scan", "-o", "spdx@2.2"},
+ images: images,
+ env: env,
+ },
+ {
+ name: "spdx validation tooling json",
+ syftArgs: []string{"scan", "-o", "spdx-json@2.2"},
+ images: images,
+ env: env,
+ },
 }
 
 for _, test := range tests {
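Review bot: The two added table entries are named `spdx validation tooling tag value` and `spdx validation tooling json` without the SPDX version they exercise, which appears only in syftArgs; the entries before this hunk are not visible, but if they carry similar names for the default version a failing subtest will not say which schema version stopped validating. Suggest `name: "spdx validation tooling tag value 2.2",` and `name: "spdx validation tooling json 2.2",`. The enclosing TestSpdxValidationTooling starts before this hunk and the `for _, test := range tests` loop body continues after it.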