fix: empty tool version annotation blocks SBOM uploads #2880

@jiparis

Description

SBOM uploads fail with the error:

annotations ["chainloop.material.tool.version"] required for material "sbom"

This happens when an SBOM contains a tool entry with an empty version string. The legacy chainloop.material.tool.version annotation is set to "", and the annotation validation in the crafter rejects any annotation with an empty value.

Root Cause

Several material crafters (CycloneDX, SPDX, SARIF, CSAF) unconditionally set the chainloop.material.tool.version legacy annotation even when the tool's version is an empty string. The validation loop in crafter.go then treats the empty value as a missing required annotation and rejects the material.

Expected Behavior

If an SBOM tool entry has no version, the chainloop.material.tool.version annotation should simply not be set, rather than being set to an empty string and then rejected.

Fix

Guard the legacy annotation setting (chainloop.material.tool.name and chainloop.material.tool.version) with non-empty checks in all material crafters, matching the pattern already used in the GitLab security report crafter.
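A minimal Go model of the failure and the fix described above, added here as an illustration and not taken from the Chainloop code base: the annotation keys are the ones quoted in the issue, while the function names, the map-based annotation store and the sample tool name are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Keys come from the issue; helper names are hypothetical stand-ins for the crafters.
const (
	AnnotToolName    = "chainloop.material.tool.name"
	AnnotToolVersion = "chainloop.material.tool.version"
)

// Buggy form: both keys are always written, so an empty version becomes "".
func setLegacyAnnotationsUnguarded(annot map[string]string, name, version string) {
	annot[AnnotToolName] = name
	annot[AnnotToolVersion] = version
}

// Fixed form: a key is set only when non-empty, so a missing version leaves it absent.
func setLegacyAnnotationsGuarded(annot map[string]string, name, version string) {
	if name != "" {
		annot[AnnotToolName] = name
	}
	if version != "" {
		annot[AnnotToolVersion] = version
	}
}

// Models the crafter check: a present-but-empty value is reported as missing.
func validateAnnotations(material string, annot map[string]string) error {
	var missing []string
	for k, v := range annot {
		if v == "" {
			missing = append(missing, k)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	sort.Strings(missing) // map iteration order is random; sort for a stable message
	return fmt.Errorf("annotations %q required for material %q", missing, material)
}

func main() {
	bad, good := map[string]string{}, map[string]string{}
	setLegacyAnnotationsUnguarded(bad, "example-tool", "") // constructed sample, no version
	setLegacyAnnotationsGuarded(good, "example-tool", "")
	fmt.Println(validateAnnotations("sbom", bad), "|", validateAnnotations("sbom", good))
}
```

The unguarded path reproduces the exact error string from the report, while the guarded path leaves the version key unset and passes validation with the tool name still recorded.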
