Merge pull request #258 from fvsamson/patch-1

Remove trailing space characters and fix one typo
interlynk-io · Jun 6, 2024 · 4563323 · 4563323
2 parents dbd1228 + 362bade
commit 4563323
Show file tree

Hide file tree

Showing 8 changed files with 43 additions and 43 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write    
+      packages: write
 
     steps:
       - uses: actions/checkout@v3
@@ -33,12 +33,12 @@ jobs:
         id: meta
         uses: docker/metadata-action@v4
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}        
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
       - name: Build and push
         uses: docker/build-push-action@v2
         with:
           context: .
           platforms: linux/amd64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}          
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,10 +12,10 @@ jobs:
       id-token: write
       contents: write
     steps:
-      - uses: actions/checkout@v3 
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - run: git fetch --force --tags 
+      - run: git fetch --force --tags
       - uses: actions/setup-go@v3
         with:
           go-version: '>=1.20'
@@ -28,10 +28,10 @@ jobs:
       - name: Goreleaser
         uses: goreleaser/goreleaser-action@v4
         with:
-          install-only: true 
+          install-only: true
       - run: go version
-      - run: goreleaser -v 
+      - run: goreleaser -v
       - name: Releaser
-        run: make release 
+        run: make release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3 
+        uses: actions/checkout@v3
         with:
             fetch-depth: 0
       - name: Download syft binary

diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -9,42 +9,42 @@ before:
     - /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
 
 gomod:
-  proxy: true 
+  proxy: true
 
 builds:
-  - id: binaries 
+  - id: binaries
     binary: sbomqs-{{ .Os }}-{{ .Arch }}
-    no_unique_dist_dir: true 
+    no_unique_dist_dir: true
     main: .
     flags:
-      - -trimpath 
+      - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
     goos:
       - linux
       - darwin
-      - windows 
+      - windows
     goarch:
       - amd64
       - arm64
     ldflags:
       - "{{ .Env.LDFLAGS }}"
-    env: 
+    env:
       - CGO_ENABLED=0
 
 archives:
 - format: binary
   name_template: "{{ .Binary }}"
-  allow_different_binary_count: true 
+  allow_different_binary_count: true
 
-snapshot: 
+snapshot:
   name_template: SNAPSHOT-{{ .ShortCommit }}
 
 release:
-  prerelease: allow 
-  draft: true 
+  prerelease: allow
+  draft: true
 
 sboms:
   -
     artifacts: binary
     documents:
-      - "${artifact}.spdx.sbom"  
+      - "${artifact}.spdx.sbom"
diff --git a/Compliance.md b/Compliance.md
@@ -1,12 +1,12 @@
 # Compliance Reports
 
 sbomqs now helps generating compliance reports for your SBOMs. We support industry standard requirements
-like NTIA minimum elements, BSI TR-03183-2 v1.1 and OWASP SCVS. 
+like NTIA minimum elements, BSI TR-03183-2 v1.1 and OWASP SCVS.
 
-The goal of compliance reports is to verify if the sbom file adheres to these standard, before they are distributed. 
+The goal of compliance reports is to verify if the sbom file adheres to these standard, before they are distributed.
 
 We have explained below how sbomqs approaches compliance reports for BSI TR-03183-2 v1.1. We are not going to explain
-this technical guideline here, but rather go into our intepretation of it. 
+this technical guideline here, but rather go into our intepretation of it.
 
 The [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf) specifies mandatory properties for an SBOM. Below is how we have derived all the values.
 

diff --git a/Features.md b/Features.md
@@ -18,8 +18,8 @@
 # SBOM Quality Checks
 
 This page describes each SBOM Quality check in detail, including scoring criteria,
-remediation steps, and an explanation of the potential impact associated with a low score. 
-The checks are continually changing, and we welcome community feedback. 
+remediation steps, and an explanation of the potential impact associated with a low score.
+The checks are continually changing, and we welcome community feedback.
 
 If you have ideas for additions or new detection techniques,
 please [contribute](https://github.com/interlynk-io/sbomqs#contributions)!
@@ -44,21 +44,21 @@ Therefore comparing Quality Scores across `scoring_engine_version` is not recomm
 
 ### Category: Structural
 ---
-#### Specification 
+#### Specification
 
 This check determines whether the SBOM is in one of the specifications (CycloneDX, SPDX, SWID) recommended by the [CISA reference document](https://ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf) .
 
-CISA recommends limiting 
+CISA recommends limiting
 the document to three commonly used formats to facilitate widespread adoption.
 
 
 ***Remediation***
 - Re-create the document in CycloneDX, SPDX, or SWID.
 ---
-#### Specification Version 
+#### Specification Version
 
-This check determines whether the given SBOM is in the specification version that can support fields necessary for typical SBOM operations. 
-The current check tests for 
+This check determines whether the given SBOM is in the specification version that can support fields necessary for typical SBOM operations.
+The current check tests for:
 - CycloneDX Versions: 1.0, 1.1, 1.2, 1.3, 1.4
 - SPDX Versions: 2.1, 2.2, 2.3
 
@@ -67,7 +67,7 @@ While the earlier versions of specifications may exist, a document in an earlier
 ***Remediation***
 - Re-create the document in one of the versions listed above.
 ---
-#### Specification File Format 
+#### Specification File Format
 
 This check determines whether the given SBOM can be easily consumed by testing for the most common file formats associated with the specification.
 - CycloneDX: XML, JSON
@@ -79,7 +79,7 @@ Building and sharing SBOM in the most commonly used file format enables the use
 - Re-create the document in one of the file formats listed above.
 
 ---
-#### Specification Syntax 
+#### Specification Syntax
 
 This check determines whether the given SBOM meets all the requirements of the underlying specification and file format to be parsed.
 
@@ -92,7 +92,7 @@ A syntactic error in the SBOM will prevent it from being usable.
 ---
 ### Category: NTIA-Minimum-Elements
 ---
-#### Component Name 
+#### Component Name
 
 This check determines whether each component in the SBOM includes a name.
 
@@ -105,7 +105,7 @@ Identify the component with a missing name and check its product page to get its
 - SPDX field: [PackageName](https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field)
 
 ---
-#### Supplier Name 
+#### Supplier Name
 
 This check determines whether each component in the SBOM includes a supplier name. Supplier name is not a well defined term
 especially in the context of Open Source projects and we will update the recommendation here once a consensus emerges.
@@ -116,7 +116,7 @@ Identify the component with a missing supplier name and check its product page t
 - CycloneDX field: [components:supplier](https://cyclonedx.org/docs/1.4/json/#components_items_supplier)
 - SPDX field: [PackageSupplierName](https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field)
 ---
-#### Unique Identifier 
+#### Unique Identifier
 
 This check determines whether each component in the SBOM includes a unique identifier.
 
@@ -129,7 +129,7 @@ Identify the component with a missing/duplicate identifier.
 - SPDX field: [SPDXID](https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field)
 
 ---
-#### Component Version 
+#### Component Version
 
 This check determines whether each component in the SBOM includes a version.
 
@@ -140,7 +140,7 @@ Identify the component with the missing version and populate the version field b
 - CycloneDX field: [components:version](https://cyclonedx.org/docs/1.4/json/#components_items_version)
 - SPDX field: [PackageVersion](https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field)
 ---
-#### Author Name 
+#### Author Name
 
 This check determines whether the document includes the name of the author.
 
@@ -152,7 +152,7 @@ Check and populate the following fields with the name of the person, organizatio
 - SPDX field: [Creator](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field)
 
 ---
-#### Timestamp 
+#### Timestamp
 
 This check determines if the document includes the timestamp of its creation.
 
@@ -164,7 +164,7 @@ The timestamp can be used to determine when the SBOM was created relative to the
 - SPDX field: [Created](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#69-created-field)
 
 ---
-#### Relationship among Components 
+#### Relationship among Components
 
 This check determines if the document describes the relationship among included components.
 
@@ -301,12 +301,12 @@ Check the following fields to confirm none of the licenses belong to the [restri
 #### Primary Component Present
 
 An sbom is expected to describe a primary component. This check determines if the sbom has
-a primary component or not. 
+a primary component or not.
 
 ***Remediation steps***
 
 - CycloneDX: ensure the metadata section has the primary [component](https://cyclonedx.org/docs/1.5/json/#metadata_component) defined
-- SPDX: Should have a [DESCRIBES](https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/) relationship which points to a package, or have a documentDescribes field present. 
+- SPDX: Should have a [DESCRIBES](https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/) relationship which points to a package, or have a documentDescribes field present.
 
 
 ---

diff --git a/Makefile b/Makefile
@@ -51,7 +51,7 @@ dep:
 	go mod vendor
 	go mod tidy
 
-.PHONY: generate 
+.PHONY: generate
 generate:
 	go generate ./...
 

diff --git a/README.md b/README.md
@@ -176,7 +176,7 @@ For the list of features currently supported, visit [features.md](./Features.md)
 
 `sbomqs` provides its scoring output in basic and detailed forms.
 
-The basic output is great for a quick check of the quality of an SBOMs. Once you get a good sense of how the tool works, this can also becom the primary way of consuming data from this tool.
+The basic output is great for a quick check of the quality of an SBOMs. Once you get a good sense of how the tool works, this can also become the primary way of consuming data from this tool.
 
 ```sh
 6.0     samples/blogifier-dotnet-SBOM.json