What happened:
When generating SBOMs for Go projects scanned from a directory, bom uses the directory basename as the root package's name and SPDXID. When the directory is a temporary path (CI/CD), this produces meaningless names like tmp.b46BF6mTG5 instead of the actual Go module path from go.mod.
The root package in cncf/sbom → etcd-io/raft/3.6.0/raft.json (generated with bom-v0.7.1):
{
"SPDXID": "SPDXRef-Package-tmp.b46BF6mTG5",
"name": "tmp.b46BF6mTG5",
"versionInfo": "",
"downloadLocation": "NONE"
}
The temp name cascades through the entire SPDX document: the root package SPDXID, 150+ file references (SPDXRef-File-tmp.b46BF6mTG5-raft.go), all CONTAINS and DEPENDS_ON relationships. The root package also has no PURL and no version — while all 8 dependency packages in the same file are resolved correctly with full module paths, PURLs, and versions from go.mod.
What you expected to happen:
bom should use the module directive from go.mod (in this case module go.etcd.io/raft/v3) as the root package name — the same way it already does for dependency packages:
{
"SPDXID": "SPDXRef-Package-go.etcd.io-raft-v3",
"name": "go.etcd.io/raft/v3",
"versionInfo": "v3.6.0",
"externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:golang/go.etcd.io/raft/v3@v3.6.0"}]
}
All dependency packages in the same SBOM are already resolved correctly from go.mod:
github.com/cockroachdb/datadriven → pkg:golang/...@v1.0.2 ✅
github.com/gogo/protobuf → pkg:golang/...@v1.3.2 ✅
github.com/stretchr/testify → pkg:golang/...@v1.10.0 ✅
(all 8 correct)
The --name CLI flag cannot fix this — it only sets the SPDX document name, not the root package name. There is no flag to override the root package name.
How to reproduce it (as minimally and precisely as possible):
# 1. Clone any Go project into a temp directory (simulates CI/CD)
TEMP_DIR=$(mktemp -d)
git clone --depth 1 --branch v3.6.0 https://github.com/etcd-io/raft.git "$TEMP_DIR"
# 2. Generate SBOM
bom generate --format json --output raft.json "$TEMP_DIR"
# 3. Observe the root package name is the temp dir basename
jq '.packages[] | select(.SPDXID | startswith("SPDXRef-Package-tmp")) | {SPDXID, name, versionInfo}' raft.json
Expected: name: "go.etcd.io/raft/v3"
Actual: name: "tmp.<random>"
This is what the cncf/sbom generation script does:
local TEMP_DIR=$(mktemp -d)
git clone --depth 1 --branch "$TAG" "https://github.com/${OWNER}/${REPO}.git" "$TEMP_DIR"
bom generate --format json --output "$SBOM_FILE" "$TEMP_DIR"
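As an added example (not code from bom or from the cncf/sbom generator), the Go program below shows the two pieces of behaviour this report contrasts: how the root package should be derived from the module directive in go.mod plus the checked-out tag, and the directory-basename fallback that produces the tmp.* name. It also includes a small post-generation check that a CI job could run over the SPDX JSON to fail when any package carries a mktemp-style name. Assumptions: the go.mod and SBOM inputs are constructed inline from the values in this report; the SPDXID is formed by replacing characters outside [A-Za-z0-9.-] with "-", matching the dependency IDs shown above; the purl is built exactly as the report's expected output shows it (no purl-spec lowercasing applied); the temp-name pattern assumes the GNU mktemp -d default template.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// SPDXPackage holds the root-package fields discussed in the report.
// PURL is flattened here for brevity; real SPDX JSON carries it under externalRefs.
type SPDXPackage struct {
	SPDXID      string `json:"SPDXID"`
	Name        string `json:"name"`
	VersionInfo string `json:"versionInfo"`
	PURL        string `json:"purl,omitempty"`
}

// Constructed inputs (assumed, not copied from the repository): a go.mod whose
// module directive is the one from etcd-io/raft, and two packages from raft.json.
const sampleGoMod = "module go.etcd.io/raft/v3 // trailing comment\n\ngo 1.23\n\nrequire github.com/stretchr/testify v1.10.0\n"

const sampleSBOM = `{"packages":[
  {"SPDXID":"SPDXRef-Package-tmp.b46BF6mTG5","name":"tmp.b46BF6mTG5","versionInfo":"","downloadLocation":"NONE"},
  {"SPDXID":"SPDXRef-Package-github.com-stretchr-testify","name":"github.com/stretchr/testify","versionInfo":"v1.10.0"}
]}`

// moduleLine matches `module path` or `module "path"` with an optional // comment.
var moduleLine = regexp.MustCompile(`^module\s+"?([^\s"]+)"?(\s*//.*)?$`)

// ModulePath returns the module directive of a go.mod, or "" when absent.
func ModulePath(goMod string) string {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		if m := moduleLine.FindStringSubmatch(strings.TrimSpace(sc.Text())); m != nil {
			return m[1]
		}
	}
	return ""
}

// nonIDChar is anything outside the SPDX identifier alphabet [A-Za-z0-9.-].
var nonIDChar = regexp.MustCompile(`[^A-Za-z0-9.-]`)

// SPDXIDFor maps a package name to an SPDXRef the way the dependency packages
// in the report are named: "/" becomes "-".
func SPDXIDFor(name string) string {
	return "SPDXRef-Package-" + nonIDChar.ReplaceAllString(name, "-")
}

// ExpectedRoot builds the root package from the module path and the tag that was
// checked out. Without a module directive it falls back to the directory basename,
// which reproduces the reported tmp.* naming.
func ExpectedRoot(goMod, version, dirBasename string) SPDXPackage {
	name := ModulePath(goMod)
	if name == "" {
		return SPDXPackage{SPDXID: SPDXIDFor(dirBasename), Name: dirBasename}
	}
	p := SPDXPackage{SPDXID: SPDXIDFor(name), Name: name, VersionInfo: version}
	if version != "" {
		p.PURL = "pkg:golang/" + name + "@" + version
	}
	return p
}

// tempDirName matches a mktemp -d basename: "tmp." plus random alphanumerics.
// GNU mktemp uses ten characters; the length is left open for other implementations (assumption).
var tempDirName = regexp.MustCompile(`^tmp\.[A-Za-z0-9]{6,}$`)

func LooksLikeTempDir(name string) bool { return tempDirName.MatchString(name) }

// TempNamedPackages returns the SPDXIDs of packages whose name is a mktemp
// basename, so a CI step can fail right after "bom generate" instead of
// shipping an SBOM with a meaningless root package.
func TempNamedPackages(spdxJSON []byte) ([]string, error) {
	var doc struct {
		Packages []SPDXPackage `json:"packages"`
	}
	if err := json.Unmarshal(spdxJSON, &doc); err != nil {
		return nil, err
	}
	var bad []string
	for _, p := range doc.Packages {
		if LooksLikeTempDir(p.Name) {
			bad = append(bad, p.SPDXID)
		}
	}
	return bad, nil
}

func main() {
	fmt.Printf("expected root: %+v\n", ExpectedRoot(sampleGoMod, "v3.6.0", "tmp.b46BF6mTG5"))
	fmt.Printf("reported root: %+v\n", ExpectedRoot("", "", "tmp.b46BF6mTG5"))
	bad, err := TempNamedPackages([]byte(sampleSBOM))
	fmt.Println("temp-named packages:", bad, err)
}
```

The check deliberately looks at every package, not only the root: the same basename appears in file SPDXIDs and relationships, but the package name is the cheapest signal and is enough to reject the document.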
Anything else we need to know?:
Environment:
- Cloud provider or hardware configuration: GitHub Actions / Linux x86_64
- OS (e.g. cat /etc/os-release): Ubuntu
- Kernel (e.g. uname -a): N/A (reproducible on any OS)
- Others: cncf-automation-sbom-generator, sbom/subprojects/etcd-io/raft/3.6.0/raft.json