Use a timezone aware datetime object and correct "creators" information as otherwise https://tools.spdx.org/app/validate/ will not recognize the SPDX-SBOM as valid.
Signed-off-by: Ralf Glaser <[email protected]> --- scripts/report/spdx_sbom.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/report/spdx_sbom.py b/scripts/report/spdx_sbom.py index 124e75614..1e3a36665 100644 --- a/scripts/report/spdx_sbom.py +++ b/scripts/report/spdx_sbom.py @@ -6,7 +6,7 @@ # see the README file. # -from datetime import datetime +from datetime import datetime, timezone from os import path from shutil import copy import hashlib @@ -142,8 +142,8 @@ class SpdxSbomGenerator(SbomGenerator): def build(self, data): creationInfo = spdx.SPDXCreationInfo() - creationInfo.created = datetime.now().isoformat() - creationInfo.creators = [data['bsp']['vendor']] + creationInfo.created = datetime.now(timezone.utc).replace(microsecond=0).isoformat() + creationInfo.creators = [ f"Organization: {data['bsp']['vendor']}", f"Tool: ptxdist-{data['ptxdist']['version']}" ] document = spdx.SPDXDocument() document.creationInfo = creationInfo document.name = data['bsp']['project'] -- 2.49.0
