oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2026-02-12 10:36:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use SBOM descriptor version (#1011)

Browse Source 
* Use SBOM descriptor version

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* Update tests

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* CycloneDX extract tools metadata in decoding stage

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* add descriptor to spdx tag-value test

Signed-off-by: Jonas Xavier <jonasx@anchore.com>

* remove comment

Signed-off-by: Jonas Xavier <jonasx@anchore.com>
This commit is contained in:
Jonas Xavier 2022-05-25 14:40:08 -07:00 committed by GitHub
parent c990f425a6
commit 7cb8e1fc14
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 88 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
internal/formats/common/cyclonedxhelpers/decoder.go
View File

@ -45,17 +45,17 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
} }
func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) { func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
meta := source.Metadata{} if bom == nil {
if bom.Metadata != nil && bom.Metadata.Component != nil { return nil, fmt.Errorf("no content defined in CycloneDX BOM")
meta = decodeMetadata(bom.Metadata.Component)
} }
s := &sbom.SBOM{ s := &sbom.SBOM{
Artifacts: sbom.Artifacts{ Artifacts: sbom.Artifacts{
PackageCatalog: pkg.NewCatalog(), PackageCatalog: pkg.NewCatalog(),
LinuxDistribution: linuxReleaseFromComponents(*bom.Components), LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
}, },
Source: meta, Source: extractComponents(bom.Metadata),
//Descriptor: sbom.Descriptor{}, Descriptor: extractDescriptor(bom.Metadata),
} }
idMap := make(map[string]interface{}) idMap := make(map[string]interface{})
@ -205,27 +205,45 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
} }
} }
func decodeMetadata(component *cyclonedx.Component) source.Metadata { func extractComponents(meta *cyclonedx.Metadata) source.Metadata {
switch component.Type { if meta == nil || meta.Component == nil {
return source.Metadata{}
}
c := meta.Component
image := source.ImageMetadata{
UserInput: c.Name,
ID: c.BOMRef,
ManifestDigest: c.Version,
}
switch c.Type {
case cyclonedx.ComponentTypeContainer: case cyclonedx.ComponentTypeContainer:
return source.Metadata{ return source.Metadata{
Scheme: source.ImageScheme, Scheme: source.ImageScheme,
ImageMetadata: source.ImageMetadata{ ImageMetadata: image,
UserInput: component.Name,
ID: component.BOMRef,
ManifestDigest: component.Version,
},
} }
case cyclonedx.ComponentTypeFile: case cyclonedx.ComponentTypeFile:
return source.Metadata{ return source.Metadata{
Scheme: source.FileScheme, // or source.DirectoryScheme Scheme: source.FileScheme, // or source.DirectoryScheme
Path: component.Name, Path: c.Name,
ImageMetadata: source.ImageMetadata{ ImageMetadata: image,
UserInput: component.Name,
ID: component.BOMRef,
ManifestDigest: component.Version,
},
} }
} }
return source.Metadata{} return source.Metadata{}
} }
// if there is more than one tool in meta.Tools' list the last item will be used
// as descriptor. If there is a way to know which tool to use here please fix it.
func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
if meta == nil || meta.Tools == nil {
return
}
for _, t := range *meta.Tools {
desc.Name = t.Name
desc.Version = t.Version
}
return
}

4
internal/formats/common/cyclonedxhelpers/format.go
View File

@ -8,7 +8,6 @@ import (
"github.com/anchore/syft/internal" "github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/log"
"github.com/anchore/syft/internal/version"
"github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/linux" "github.com/anchore/syft/syft/linux"
"github.com/anchore/syft/syft/sbom" "github.com/anchore/syft/syft/sbom"
@ -17,13 +16,12 @@ import (
func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM { func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
cdxBOM := cyclonedx.NewBOM() cdxBOM := cyclonedx.NewBOM()
versionInfo := version.FromBuild()
// NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid): // NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid):
// https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36 // https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36
// "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" // "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
cdxBOM.SerialNumber = uuid.New().URN() cdxBOM.SerialNumber = uuid.New().URN()
cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source) cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)
packages := s.Artifacts.PackageCatalog.Sorted() packages := s.Artifacts.PackageCatalog.Sorted()
components := make([]cyclonedx.Component, len(packages)) components := make([]cyclonedx.Component, len(packages))

6
internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
View File

@ -1,15 +1,15 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.4", "specVersion": "1.4",
"serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e", "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248",
"version": 1, "version": 1,
"metadata": { "metadata": {
"timestamp": "2022-04-01T11:48:04-04:00", "timestamp": "2022-05-23T12:05:00-07:00",
"tools": [ "tools": [
{ {
"vendor": "anchore", "vendor": "anchore",
"name": "syft", "name": "syft",
"version": "[not provided]" "version": "v0.42.0-bogus"
} }
], ],
"component": { "component": {

12
internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
View File

@ -1,19 +1,19 @@
{ {
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.4", "specVersion": "1.4",
"serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41", "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6",
"version": 1, "version": 1,
"metadata": { "metadata": {
"timestamp": "2022-04-01T11:48:04-04:00", "timestamp": "2022-05-23T12:05:01-07:00",
"tools": [ "tools": [
{ {
"vendor": "anchore", "vendor": "anchore",
"name": "syft", "name": "syft",
"version": "[not provided]" "version": "v0.42.0-bogus"
} }
], ],
"component": { "component": {
"bom-ref": "e777314b02b362e4", "bom-ref": "e779c1ed804ba529",
"type": "container", "type": "container",
"name": "user-image-input", "name": "user-image-input",
"version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
@ -53,7 +53,7 @@
}, },
{ {
"name": "syft:location:0:layerID", "name": "syft:location:0:layerID",
"value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59" "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405"
}, },
{ {
"name": "syft:location:0:path", "name": "syft:location:0:path",
@ -83,7 +83,7 @@
}, },
{ {
"name": "syft:location:0:layerID", "name": "syft:location:0:layerID",
"value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec" "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265"
}, },
{ {
"name": "syft:location:0:path", "name": "syft:location:0:path",

BIN
internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View File

Binary file not shown.

6
internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
View File

@ -1,12 +1,12 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:554fd820-210b-40c8-8c0b-75690274e21c" version="1"> <bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:a259c072-aaaf-4a3f-a707-49f691b1e9d9" version="1">
<metadata> <metadata>
<timestamp>2022-04-01T11:57:46-04:00</timestamp> <timestamp>2022-05-23T12:02:41-07:00</timestamp>
<tools> <tools>
<tool> <tool>
<vendor>anchore</vendor> <vendor>anchore</vendor>
<name>syft</name> <name>syft</name>
<version>[not provided]</version> <version>v0.42.0-bogus</version>
</tool> </tool>
</tools> </tools>
<component bom-ref="163686ac6e30c752" type="file"> <component bom-ref="163686ac6e30c752" type="file">

12
internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
View File

@ -1,15 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:1535f940-172f-4d97-8280-d5a5764d1557" version="1"> <bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:155802bd-09e5-4b95-9485-826b94447495" version="1">
<metadata> <metadata>
<timestamp>2022-04-01T11:57:46-04:00</timestamp> <timestamp>2022-05-23T12:02:42-07:00</timestamp>
<tools> <tools>
<tool> <tool>
<vendor>anchore</vendor> <vendor>anchore</vendor>
<name>syft</name> <name>syft</name>
<version>[not provided]</version> <version>v0.42.0-bogus</version>
</tool> </tool>
</tools> </tools>
<component bom-ref="e777314b02b362e4" type="container"> <component bom-ref="e779c1ed804ba529" type="container">
<name>user-image-input</name> <name>user-image-input</name>
<version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version> <version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version>
</component> </component>
@ -30,7 +30,7 @@
<property name="syft:package:language">python</property> <property name="syft:package:language">python</property>
<property name="syft:package:metadataType">PythonPackageMetadata</property> <property name="syft:package:metadataType">PythonPackageMetadata</property>
<property name="syft:package:type">python</property> <property name="syft:package:type">python</property>
<property name="syft:location:0:layerID">sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59</property> <property name="syft:location:0:layerID">sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405</property>
<property name="syft:location:0:path">/somefile-1.txt</property> <property name="syft:location:0:path">/somefile-1.txt</property>
</properties> </properties>
</component> </component>
@ -43,7 +43,7 @@
<property name="syft:package:foundBy">the-cataloger-2</property> <property name="syft:package:foundBy">the-cataloger-2</property>
<property name="syft:package:metadataType">DpkgMetadata</property> <property name="syft:package:metadataType">DpkgMetadata</property>
<property name="syft:package:type">deb</property> <property name="syft:package:type">deb</property>
<property name="syft:location:0:layerID">sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec</property> <property name="syft:location:0:layerID">sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265</property>
<property name="syft:location:0:path">/somefile-2.txt</property> <property name="syft:location:0:path">/somefile-2.txt</property>
<property name="syft:metadata:installedSize">0</property> <property name="syft:metadata:installedSize">0</property>
</properties> </properties>

BIN
internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View File

Binary file not shown.

5
internal/formats/github/encoder.go
View File

@ -10,7 +10,6 @@ import (
"github.com/anchore/packageurl-go" "github.com/anchore/packageurl-go"
"github.com/anchore/syft/internal" "github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/log"
"github.com/anchore/syft/internal/version"
"github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg"
"github.com/anchore/syft/syft/sbom" "github.com/anchore/syft/syft/sbom"
"github.com/anchore/syft/syft/source" "github.com/anchore/syft/syft/source"
@ -19,8 +18,8 @@ import (
// toGithubModel converts the provided SBOM to a GitHub dependency model // toGithubModel converts the provided SBOM to a GitHub dependency model
func toGithubModel(s *sbom.SBOM) DependencySnapshot { func toGithubModel(s *sbom.SBOM) DependencySnapshot {
scanTime := time.Now().Format(time.RFC3339) // TODO is there a record of this somewhere? scanTime := time.Now().Format(time.RFC3339) // TODO is there a record of this somewhere?
v := version.FromBuild().Version v := s.Descriptor.Version
if v == "[not provided]" { if v == "[not provided]" || v == "" {
v = "0.0.0-dev" v = "0.0.0-dev"
} }
return DependencySnapshot{ return DependencySnapshot{

8
internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
View File

@ -3,15 +3,15 @@
"name": "/some/path", "name": "/some/path",
"spdxVersion": "SPDX-2.2", "spdxVersion": "SPDX-2.2",
"creationInfo": { "creationInfo": {
"created": "2022-04-01T15:48:39.459232Z", "created": "2022-05-23T19:10:22.25645Z",
"creators": [ "creators": [
"Organization: Anchore, Inc", "Organization: Anchore, Inc",
"Tool: syft-[not provided]" "Tool: syft-v0.42.0-bogus"
], ],
"licenseListVersion": "3.16" "licenseListVersion": "3.17"
}, },
"dataLicense": "CC0-1.0", "dataLicense": "CC0-1.0",
"documentNamespace": "https://anchore.com/syft/dir/some/path-8d335d81-29c9-4236-84f1-2292ea92aaf5", "documentNamespace": "https://anchore.com/syft/dir/some/path-81dbcbfa-251d-4ad5-9b01-be91afb16469",
"packages": [ "packages": [
{ {
"SPDXID": "SPDXRef-b85dbb4e6ece5082", "SPDXID": "SPDXRef-b85dbb4e6ece5082",

8
internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
View File

@ -3,15 +3,15 @@
"name": "user-image-input", "name": "user-image-input",
"spdxVersion": "SPDX-2.2", "spdxVersion": "SPDX-2.2",
"creationInfo": { "creationInfo": {
"created": "2022-04-01T15:48:39.465643Z", "created": "2022-05-23T19:10:22.412847Z",
"creators": [ "creators": [
"Organization: Anchore, Inc", "Organization: Anchore, Inc",
"Tool: syft-[not provided]" "Tool: syft-v0.42.0-bogus"
], ],
"licenseListVersion": "3.16" "licenseListVersion": "3.17"
}, },
"dataLicense": "CC0-1.0", "dataLicense": "CC0-1.0",
"documentNamespace": "https://anchore.com/syft/image/user-image-input-e64e0be8-5031-4eec-842d-e59fb6deb518", "documentNamespace": "https://anchore.com/syft/image/user-image-input-c9945597-78ce-4e9b-89d2-68b8e4e4ccb9",
"packages": [ "packages": [
{ {
"SPDXID": "SPDXRef-2a46171f91c8d4bc", "SPDXID": "SPDXRef-2a46171f91c8d4bc",

BIN
internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View File

Binary file not shown.

3
internal/formats/spdx22json/to_format_model.go
View File

@ -11,7 +11,6 @@ import (
"github.com/anchore/syft/internal/formats/spdx22json/model" "github.com/anchore/syft/internal/formats/spdx22json/model"
"github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/log"
"github.com/anchore/syft/internal/spdxlicense" "github.com/anchore/syft/internal/spdxlicense"
"github.com/anchore/syft/internal/version"
"github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/artifact"
"github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/file"
"github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg"
@ -34,7 +33,7 @@ func toFormatModel(s sbom.SBOM) *model.Document {
Creators: []string{ Creators: []string{
// note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json // note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json
"Organization: Anchore, Inc", "Organization: Anchore, Inc",
"Tool: " + internal.ApplicationName + "-" + version.FromBuild().Version, "Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version,
}, },
LicenseListVersion: spdxlicense.Version, LicenseListVersion: spdxlicense.Version,
}, },

8
internal/formats/spdx22tagvalue/encoder_test.go
View File

@ -53,7 +53,13 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
Source: source.Metadata{ Source: source.Metadata{
Scheme: source.DirectoryScheme, Scheme: source.DirectoryScheme,
}, },
Descriptor: sbom.Descriptor{}, Descriptor: sbom.Descriptor{
Name: "syft",
Version: "v0.42.0-bogus",
Configuration: map[string]string{
"config-key": "config-value",
},
},
}, },
true, true,
spdxTagValueRedactor, spdxTagValueRedactor,

8
internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
View File

@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0 DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT SPDXID: SPDXRef-DOCUMENT
DocumentName: . DocumentName: .
DocumentNamespace: https://anchore.com/syft/dir/8fbb3714-785d-4e3e-95cf-44a258bc65b0 DocumentNamespace: https://anchore.com/syft/dir/422d92b9-57e8-44ee-8039-f75c1d19be87
LicenseListVersion: 3.16 LicenseListVersion: 3.17
Creator: Organization: Anchore, Inc Creator: Organization: Anchore, Inc
Creator: Tool: syft-[not provided] Creator: Tool: syft-v0.42.0-bogus
Created: 2022-05-02T15:27:05Z Created: 2022-05-24T22:52:02Z
##### Package: @at-sign ##### Package: @at-sign

8
internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
View File

@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0 DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT SPDXID: SPDXRef-DOCUMENT
DocumentName: /some/path DocumentName: /some/path
DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547
LicenseListVersion: 3.16 LicenseListVersion: 3.17
Creator: Organization: Anchore, Inc Creator: Organization: Anchore, Inc
Creator: Tool: syft-[not provided] Creator: Tool: syft-v0.42.0-bogus
Created: 2022-04-01T15:48:44Z Created: 2022-05-24T22:51:02Z
##### Package: package-2 ##### Package: package-2

8
internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
View File

@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0 DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT SPDXID: SPDXRef-DOCUMENT
DocumentName: user-image-input DocumentName: user-image-input
DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799 DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6
LicenseListVersion: 3.16 LicenseListVersion: 3.17
Creator: Organization: Anchore, Inc Creator: Organization: Anchore, Inc
Creator: Tool: syft-[not provided] Creator: Tool: syft-v0.42.0-bogus
Created: 2022-04-01T15:48:44Z Created: 2022-05-24T22:51:02Z
##### Package: package-2 ##### Package: package-2

BIN
internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View File

Binary file not shown.

3
internal/formats/spdx22tagvalue/to_format_model.go
View File

@ -9,7 +9,6 @@ import (
"github.com/anchore/syft/internal" "github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/formats/common/spdxhelpers" "github.com/anchore/syft/internal/formats/common/spdxhelpers"
"github.com/anchore/syft/internal/spdxlicense" "github.com/anchore/syft/internal/spdxlicense"
"github.com/anchore/syft/internal/version"
"github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/pkg"
"github.com/spdx/tools-golang/spdx" "github.com/spdx/tools-golang/spdx"
) )
@ -69,7 +68,7 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 {
// Cardinality: mandatory, one or many // Cardinality: mandatory, one or many
CreatorPersons: nil, CreatorPersons: nil,
CreatorOrganizations: []string{"Anchore, Inc"}, CreatorOrganizations: []string{"Anchore, Inc"},
CreatorTools: []string{internal.ApplicationName + "-" + version.FromBuild().Version}, CreatorTools: []string{internal.ApplicationName + "-" + s.Descriptor.Version},
// 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ // 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ
// Cardinality: mandatory, one // Cardinality: mandatory, one