404 https://formulae.brew.sh/spdx/... URLs in SBOM's documentNamespace field #22741

@kdeldycke

Description

brew doctor output

$ brew doctor
Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Some installed casks are deprecated or disabled.
You should find replacements for the following casks:
  dupeguru
  logitech-options
  usbimager

Verification

  • I ran brew update twice and am still able to reproduce my issue.
  • My "brew doctor output" above says Your system is ready to brew or a definitely unrelated Tier message.
  • This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

$ brew config  
HOMEBREW_VERSION: 6.0.1-80-gcf4bbe3
ORIGIN: https://github.com/Homebrew/brew
HEAD: cf4bbe33370fab55dca28c7f6c0f84380f54c762
Last commit: 14 hours ago
Branch: main
Core tap HEAD: f20b1dfbafbfdb974db1b27b7c75bbc3cbf15d13
Core tap last commit: 50 minutes ago
Core cask tap HEAD: ce28056e925914026dfb16c17cde172c39e7e8e0
Core cask tap last commit: 2 hours ago
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_DOWNLOAD_CONCURRENCY: 20
HOMEBREW_EDITOR: nvim
HOMEBREW_FORBID_PACKAGES_FROM_PATHS: set
HOMEBREW_MAKE_JOBS: 10
HOMEBREW_NO_ANALYTICS: set
HOMEBREW_REQUIRE_TAP_TRUST: set
Homebrew Ruby: 4.0.5 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/4.0.5_1/bin/ruby
CPU: deca-core 64-bit arm_firestorm_icestorm
Clang: 21.0.0 build 2100
Git: 2.54.0 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 26.5.1-arm64
CLT: 26.5.0.0.1777544298
Xcode: N/A
Rosetta 2: false

What were you trying to do (and why)?

I was reading an SBOM at /opt/homebrew/Cellar/<name>/<version>/sbom.spdx.json to build an inventory of packages installed by brew on my machine. In it, there is a "documentNamespace": "https://formulae.brew.sh/spdx/<name>-<version>.json" field.

What happened (include all command output)?

The URL in "documentNamespace": "https://formulae.brew.sh/spdx/<name>-<version>.json" is not resolving and returns 404.

What did you expect to happen?

SPDX 2.3 section 6.5.2 is explicit that the namespace URI does not have to be accessible:

The URI does not have to be accessible. It is only intended to provide a unique ID.

The current behavior strictly respects the spec, as it does not enforce that the URI exists. But this is not really user-friendly.

What I propose is to either:

  • have the <name>-<version>.json actually published at the URL it pretends to be
  • have documentNamespace use a URI scheme that does not invite a fetch attempt because of the https:// prefix. Something like:
    • An urn: form like urn:homebrew:sbom:sqlite:3.53.2
    • A pURL scheme like pkg:brew/sqlite@3.53.2

Step-by-step reproduction instructions (by running brew commands)

$ brew install sqlite

$ jq -r .documentNamespace /opt/homebrew/Cellar/sqlite/*/sbom.spdx.json
https://formulae.brew.sh/spdx/sqlite-3.53.2.json

$ curl -sI "$(jq -r .documentNamespace /opt/homebrew/Cellar/sqlite/*/sbom.spdx.json)" | head -1
HTTP/2 404
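An added example, not code from the issue author or from Homebrew: a small Python script that builds the kind of inventory the report describes from an sbom.spdx.json file without touching the network, flags a documentNamespace that looks fetchable, and derives the urn: and pkg: forms proposed above from the current URL. The sample document and the assumption that the version part of the URL contains no "-" are mine.

```python
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in the shape of Homebrew's sbom.spdx.json as described
# in the report; only the fields this script reads are included.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "name": "sqlite",
    "documentNamespace": "https://formulae.brew.sh/spdx/sqlite-3.53.2.json",
    "packages": [{"SPDXID": "SPDXRef-Package-sqlite", "name": "sqlite",
                  "versionInfo": "3.53.2"}],
})

# Matches the namespace pattern quoted in the report. Assumption: the version
# part carries no "-", so the last "-" separates name from version.
BREW_NS_RE = re.compile(
    r"^https://formulae\.brew\.sh/spdx/(?P<name>.+)-(?P<version>[^-]+)\.json$")


def classify_namespace(ns: str) -> str:
    """Say whether a documentNamespace looks like something a tool will try to fetch."""
    scheme = urlsplit(ns).scheme.lower()
    if scheme in ("http", "https"):
        return "fetchable-url"  # invites a GET, which today answers 404
    if scheme == "urn":
        return "urn"
    if scheme == "pkg":
        return "purl"
    return "other"


def proposed_identifiers(ns: str) -> Optional[dict]:
    """Derive the non-fetchable forms proposed in the report from the current URL."""
    m = BREW_NS_RE.match(ns)
    if m is None:
        return None
    name, version = m.group("name"), m.group("version")
    return {"urn": f"urn:homebrew:sbom:{name}:{version}",
            "purl": f"pkg:brew/{name}@{version}"}


def inventory_entry(sbom_text: str) -> dict:
    """Build one inventory record from an SPDX JSON document, offline."""
    doc = json.loads(sbom_text)
    ns = doc["documentNamespace"]
    return {"namespace": ns,
            "kind": classify_namespace(ns),
            "proposed": proposed_identifiers(ns),
            "packages": [(p["name"], p.get("versionInfo"))
                         for p in doc.get("packages", [])]}
```

Point inventory_entry at the contents of each /opt/homebrew/Cellar/<name>/<version>/sbom.spdx.json to get one record per installed keg.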
