Remove top level 'sbom' embedding

[alper]

The Github spdx JSON file I got looked like this:

The nesting trips up the parser entirely but is easily fixed.

[armintaenzertng]

Hi @alper, thanks for your contribution. Unfortunately, you forgot to sign-off your commit. Please remove your current commit and replace it with signed-off commit as described in point 5 of the contribution guideline.

[alper]

OK. That's done. Do I need to create a test case for this?

[armintaenzertng]

Tests are always welcome! :)

Also note that the pipeline is currently broken, will be fixed in #814

[armintaenzertng]

In addition to a test it might be good to not just silently parse non-conformant SBOMs such as these but alert the user that this was a faulty SBOM and that it has been parsed by discarding the top-level key.

[maxhbr]

I think what you are parsing is not the GitHub SPDX file, it is a response that contains the SPDX File under the key "sbom". It is not the responsibility of our tool to treat these responses like SPDX files. And it would start accepting non-valid files as SPDX.

Can you link to an example for us to observe the behaviour on github?

[maxhbr]

I just navigated to https://github.com/aboutcode-org/scancode-toolkit/network/dependencies and used the Export SBOM button and got a response containing the valid SPDX file without the surrounding "sbom" key. Are you using an API?

Thank you for your conrtibution, but I would close this for now. Please reopen if this is still valid.

[alper]

Hi! Thanks for checking this.

You're right, if I write the sbom key to a file, I think it works:

 fs.writeFileSync( 'sbom/choco-backend.json', JSON.stringify(response.data.sbom, null, 2) );