Hello,
we recently started Reporting and SCA with ProGet for our projects. I face a very similar issue with a docker image artifact.
I create a CycloneDX formatted SBOM XML file with syft (https://github.com/anchore/syft) and imported this file to ProGet. On the Overview tab ProGet then reports "372 Unresolved Issues" and on the Issues tab it says Type "Missing Package" and shows an "Unresolved" warning badge.
In the SBOM XML file, there are license identifiers set according to the SPDX list (https://spdx.org/licenses/), but no title or url tags as mentioned in the ProGet Docs (https://docs.inedo.com/docs/proget-sca-licenses). These title and url tags are optional according to the XML Specs https://github.com/CycloneDX/specification/blob/1.4/schema/bom-1.4.xsd
We do not use ProGet as a proxy to "pull through" 3rd-party libs or images. Is this a problem?
Or do the missing title and url tags in the SBOM XML file screw something up?
Kind regards,
Tobias
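
To check which license fields a CycloneDX XML file actually carries before importing it, the following is an added example and not part of the original post or of ProGet or syft. It assumes the `id`, `name`, `url` and `expression` elements of the CycloneDX 1.4 schema; the sample SBOM and component names are constructed, and it says nothing about how ProGet evaluates the file.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the CycloneDX 1.4 XML layout (not real syft output).
SAMPLE_SBOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>example-lib-a</name><version>1.0.0</version>
      <licenses><license><id>MIT</id></license></licenses>
    </component>
    <component type="library">
      <name>example-lib-b</name><version>2.3.1</version>
      <licenses>
        <license>
          <name>Example License</name>
          <url>https://example.invalid/license</url>
        </license>
      </licenses>
    </component>
    <component type="library">
      <name>example-lib-c</name><version>0.9</version>
      <licenses><expression>MIT OR Apache-2.0</expression></licenses>
    </component>
    <component type="library">
      <name>example-lib-d</name><version>4.2</version>
    </component>
  </components>
</bom>"""


def audit_licenses(xml_text):
    """Return (component name, version, sorted license fields present) per component."""
    root = ET.fromstring(xml_text)
    # Read the namespace from the root tag so other 1.x schema versions parse too.
    ns = {"c": root.tag[1:root.tag.index("}")]}
    rows = []
    for comp in root.iterfind(".//c:component", ns):
        fields = set()
        for lic in comp.iterfind("c:licenses/c:license", ns):
            fields.update(f for f in ("id", "name", "url")
                          if lic.findtext(f"c:{f}", namespaces=ns))
        if comp.findtext("c:licenses/c:expression", namespaces=ns):
            fields.add("expression")
        rows.append((comp.findtext("c:name", default="", namespaces=ns),
                     comp.findtext("c:version", default="", namespaces=ns),
                     sorted(fields)))
    return rows


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    for name, version, fields in audit_licenses(text):
        print(f"{name} {version}: {', '.join(fields) or 'no license data'}")
```

Pass the path of the syft-generated file as the first argument to audit it instead of the constructed sample.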