Description
What happened:
When generating SBOMs for Go projects scanned from a directory, bom uses the directory basename as the root package's name and SPDXID. When the directory is a temporary path (CI/CD), this produces meaningless names like tmp.b46BF6mTG5 instead of the actual Go module path from go.mod.
The root package in cncf/sbom → etcd-io/raft/3.6.0/raft.json (generated with bom-v0.7.1):

```json
{
  "SPDXID": "SPDXRef-Package-tmp.b46BF6mTG5",
  "name": "tmp.b46BF6mTG5",
  "versionInfo": "",
  "downloadLocation": "NONE"
}
```

The temp name cascades through the entire SPDX document: the root package SPDXID, 150+ file references (SPDXRef-File-tmp.b46BF6mTG5-raft.go), all CONTAINS and DEPENDS_ON relationships. The root package also has no PURL and no version — while all 8 dependency packages in the same file are resolved correctly with full module paths, PURLs, and versions from go.mod.
What you expected to happen:
bom should use the module directive from go.mod (in this case module go.etcd.io/raft/v3) as the root package name — the same way it already does for dependency packages:

```json
{
  "SPDXID": "SPDXRef-Package-go.etcd.io-raft-v3",
  "name": "go.etcd.io/raft/v3",
  "versionInfo": "v3.6.0",
  "externalRefs": [{"referenceType": "purl", "referenceLocator": "pkg:golang/go.etcd.io/raft/v3@v3.6.0"}]
}
```

All dependency packages in the same SBOM are already resolved correctly from go.mod:
github.com/cockroachdb/datadriven → pkg:golang/...@v1.0.2 ✅
github.com/gogo/protobuf → pkg:golang/...@v1.3.2 ✅
github.com/stretchr/testify → pkg:golang/...@v1.10.0 ✅
(all 8 correct)
The --name CLI flag cannot fix this — it only sets the SPDX document name, not the root package name. There is no flag to override the root package name.
How to reproduce it (as minimally and precisely as possible):

```bash
# 1. Clone any Go project into a temp directory (simulates CI/CD)
TEMP_DIR=$(mktemp -d)
git clone --depth 1 --branch v3.6.0 https://github.com/etcd-io/raft.git "$TEMP_DIR"

# 2. Generate SBOM
bom generate --format json --output raft.json "$TEMP_DIR"

# 3. Observe the root package name is the temp dir basename
jq '.packages[] | select(.SPDXID | startswith("SPDXRef-Package-tmp")) | {SPDXID, name, versionInfo}' raft.json
```

Expected: name: "go.etcd.io/raft/v3"
Actual: name: "tmp.<random>"
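An added consistency check, example code that is not part of bom or of the cncf/sbom scripts: it derives the root package name, SPDXID and PURL that the issue expects from the go.mod module directive and reports an SBOM whose root package carries a mktemp-style name, an empty version or no PURL instead. It assumes the root package is the one referenced by a DESCRIBES relationship from SPDXRef-DOCUMENT; the go.mod text and the SPDX fragment below are constructed to mirror the values quoted in this issue.

```python
import re

# Constructed inputs: the go.mod module directive cited in the issue, and a cut-down
# SPDX document whose root package is named after the mktemp directory (bom-v0.7.1 behaviour).
GO_MOD = "module go.etcd.io/raft/v3\n\ngo 1.22\n"
BAD_SBOM = {
    "packages": [{"SPDXID": "SPDXRef-Package-tmp.b46BF6mTG5", "name": "tmp.b46BF6mTG5",
                  "versionInfo": "", "downloadLocation": "NONE"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-tmp.b46BF6mTG5"}],
}
MKTEMP_NAME = re.compile(r"^tmp\.[A-Za-z0-9]{6,}$")  # default `mktemp -d` basename pattern

def module_path(go_mod_text):
    """Return the module directive from go.mod text (quoted or unquoted, trailing comment allowed)."""
    for line in go_mod_text.splitlines():
        m = re.match(r'^\s*module\s+"?([^\s"]+)"?\s*(//.*)?$', line)
        if m:
            return m.group(1)
    raise ValueError("go.mod has no module directive")

def expected_root(go_mod_text, version):
    """Root package as the issue expects it: derived from go.mod like bom already does for dependencies."""
    mod = module_path(go_mod_text)
    return {"SPDXID": "SPDXRef-Package-" + mod.replace("/", "-"), "name": mod,
            "versionInfo": version, "purl": f"pkg:golang/{mod}@{version}"}

def root_package(sbom):
    """Package referenced by the document-level DESCRIBES relationship (assumed to be the root)."""
    ids = {r.get("relatedSpdxElement") for r in sbom.get("relationships", [])
           if r.get("spdxElementId") == "SPDXRef-DOCUMENT" and r.get("relationshipType") == "DESCRIBES"}
    roots = [p for p in sbom.get("packages", []) if p.get("SPDXID") in ids]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one described root package, found {len(roots)}")
    return roots[0]

def check_root(sbom, go_mod_text, version):
    """Return a list of findings; an empty list means the root package matches go.mod."""
    want, got = expected_root(go_mod_text, version), root_package(sbom)
    purls = [r.get("referenceLocator") for r in got.get("externalRefs", []) if r.get("referenceType") == "purl"]
    findings = [f"root {k} {got.get(k)!r} != expected {want[k]!r}"
                for k in ("name", "SPDXID", "versionInfo") if got.get(k) != want[k]]
    if MKTEMP_NAME.match(got.get("name", "")):
        findings.insert(0, f"root name {got['name']!r} looks like a mktemp directory, not a module path")
    if want["purl"] not in purls:
        findings.append(f"root package has no PURL {want['purl']!r}")
    return findings
```

Run `check_root(BAD_SBOM, GO_MOD, "v3.6.0")` against the constructed document to see the five findings the issue describes; point it at a real raft.json loaded with `json.load` and the repository's go.mod to gate SBOM publication in CI.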
This is what the cncf/sbom generation script does:

```bash
local TEMP_DIR=$(mktemp -d)
git clone --depth 1 --branch "$TAG" "https://github.com/${OWNER}/${REPO}.git" "$TEMP_DIR"
bom generate --format json --output "$SBOM_FILE" "$TEMP_DIR"
```

Anything else we need to know?:
Environment:
- Cloud provider or hardware configuration: GitHub Actions / Linux x86_64
- OS (e.g. `cat /etc/os-release`): Ubuntu
- Kernel (e.g. `uname -a`): N/A (reproducible on any OS)
- Others:
  - bom version: v0.7.1
  - SPDX version: 2.3
  - Automation: cncf-automation-sbom-generator
  - Affected file: sbom/subprojects/etcd-io/raft/3.6.0/raft.json