Commit

Merge branch 'main' into feat_ntia_compliance_report
Signed-off-by: Vivek Kumar Sahu <[email protected]>
viveksahu26 committed Sep 9, 2024
2 parents 80ae86f + 403d97c commit 962bb40
Showing 22 changed files with 2,061 additions and 865 deletions.
10 changes: 7 additions & 3 deletions Dockerfile
Expand Up @@ -13,13 +13,17 @@ COPY . .
ARG TARGETOS TARGETARCH
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -a -o sbomqs .

RUN chmod +x sbomqs

# Final stage
FROM scratch
FROM alpine:3.19
LABEL org.opencontainers.image.source="https://github.com/interlynk-io/sbomqs"
LABEL org.opencontainers.image.description="Quality metrics for your sboms"
LABEL org.opencontainers.image.description="Quality & Compliance metrics for your sboms"
LABEL org.opencontainers.image.licenses=Apache-2.0

# Copy our static executable
COPY --from=builder /app/sbomqs /app/sbomqs

# Disable version check
ENV INTERLYNK_DISABLE_VERSION_CHECK=true

ENTRYPOINT ["/app/sbomqs"]
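Review bot: moving the final stage from `FROM scratch` to `FROM alpine:3.19` enlarges the runtime image's attack surface and its scan footprint. The shipped image now carries a shell, a package manager and musl, all of which will surface in vulnerability scans and need patching independently of the `sbomqs` binary, while the statically linked `CGO_ENABLED=0` build in the builder stage needs none of them to run. If a populated base is genuinely required, pin it by digest instead of the mutable `3.19` tag (`FROM alpine:3.19@sha256:<digest>`, digest to be filled in from the registry) so the build stays reproducible and the SBOM for this image itself stays accurate, and add a `USER` instruction, since no `USER` appears in the final stage as shown and the entrypoint therefore runs as root. Also, `RUN chmod +x sbomqs` in the builder is redundant: `go build -o sbomqs` already writes an executable file.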
66 changes: 60 additions & 6 deletions Features.md
Expand Up @@ -14,7 +14,6 @@
limitations under the License.
-->


# SBOM Quality Checks

This page describes each SBOM Quality check in detail, including scoring criteria,
Expand All @@ -25,16 +24,19 @@ If you have ideas for additions or new detection techniques,
please [contribute](https://github.com/interlynk-io/sbomqs#contributions)!

## Taxonomy

- A `Quality Check` is a test that can be performed on SBOM to return a binary result (e.g., A check for specification)
- A `Quality Check Category` is a logical grouping of Quality Checks (e.g., "NTIA-Minimum-Elements" Checks)
- A `Quality Check Set` is a collection of Quality Checks (e.g., "Default Check Set", "IoT Quality Set")

## Scoring Methodology

- Each Quality Check has an equal weight and a score range of 0.0 - 10.0. (Coming soon: Customization of weight per Quality Check)
- A Quality Check applied over a list of items (e.g., licenses) averages its score from the Check applied to each element.
- Quality Check Set Score is an average of scores over all Quality Checks in that Set.

## Check Set Versioning

Any Check Set, including the default Check Set, may change over time as new Checks are added, existing ones are removed and meaning of an existing one changes.
Such a breaking change is marked by incrementing `scoring_engine_version` in the output of `sbomqs`.

Expand All @@ -43,68 +45,85 @@ Therefore comparing Quality Scores across `scoring_engine_version` is not recomm
## Quality Check Sets - Interlynk (Default)

### Category: Structural

---

#### Specification

This check determines whether the SBOM is in one of the specifications (CycloneDX, SPDX, SWID) recommended by the [CISA reference document](https://ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition_20211021_0.pdf) .

CISA recommends limiting
the document to three commonly used formats to facilitate widespread adoption.


***Remediation***

- Re-create the document in CycloneDX, SPDX, or SWID.

---

#### Specification Version

This check determines whether the given SBOM is in the specification version that can support fields necessary for typical SBOM operations.
The current check tests for:

- CycloneDX Versions: 1.0, 1.1, 1.2, 1.3, 1.4
- SPDX Versions: 2.1, 2.2, 2.3

While the earlier versions of specifications may exist, a document in an earlier version will not be able to carry all of the required fields.

***Remediation***

- Re-create the document in one of the versions listed above.

---

#### Specification File Format

This check determines whether the given SBOM can be easily consumed by testing for the most common file formats associated with the specification.

- CycloneDX: XML, JSON
- SPDX: JSON, YAML, RDF, tag/value

Building and sharing SBOM in the most commonly used file format enables the use of SBOM in various conditions.

***Remediation steps***

- Re-create the document in one of the file formats listed above.

---

#### Specification Syntax

This check determines whether the given SBOM meets all the requirements of the underlying specification and file format to be parsed.

A syntactic error in the SBOM will prevent it from being usable.

***Remediation***

- Check the SBOM generator tool's known issues and get the most recent version of the tool.
- Check options/setup of the environment variables required to use the tool.
- Build SBOM with a different tool.

---
### Category: NTIA-Minimum-Elements

## Category: NTIA-Minimum-Elements

---

#### Component Name

This check determines whether each component in the SBOM includes a name.

Components must have a name to be used meaningfully to assess compliance or security risk.

**Remediation**

Identify the component with a missing name and check its product page to get its name.

- CycloneDX field: [components:name](https://cyclonedx.org/docs/1.4/json/#components_items_name)
- SPDX field: [PackageName](https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field)

---

#### Supplier Name

This check determines whether each component in the SBOM includes a supplier name. Supplier name is not a well defined term
Expand All @@ -113,9 +132,12 @@ especially in the context of Open Source projects and we will update the recomme
***Remediation***

Identify the component with a missing supplier name and check its product page to get its supplier name.

- CycloneDX field: [components:supplier](https://cyclonedx.org/docs/1.4/json/#components_items_supplier)
- SPDX field: [PackageSupplierName](https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field)

---

#### Unique Identifier

This check determines whether each component in the SBOM includes a unique identifier.
Expand All @@ -125,10 +147,12 @@ Unique component identifiers are essential to ensure the document can uniquely d
***Remediation***

Identify the component with a missing/duplicate identifier.

- CycloneDX field: [components:bom-ref](https://cyclonedx.org/docs/1.4/json/#components_items_bom-ref)
- SPDX field: [SPDXID](https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field)

---

#### Component Version

This check determines whether each component in the SBOM includes a version.
Expand All @@ -137,9 +161,12 @@ Components without a version can not be checked for vulnerabilities.

***Remediation***
Identify the component with the missing version and populate the version field below.

- CycloneDX field: [components:version](https://cyclonedx.org/docs/1.4/json/#components_items_version)
- SPDX field: [PackageVersion](https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field)

---

#### Author Name

This check determines whether the document includes the name of the author.
Expand All @@ -148,36 +175,44 @@ The person, organization, or the tool that created the SBOM must be specified as

***Remediation***
Check and populate the following fields with the name of the person, organization, or tool creating the SBOM.

- CycloneDX field: [metadata:authors](https://cyclonedx.org/docs/1.4/json/#metadata_authors)
- SPDX field: [Creator](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field)

---

#### Timestamp

This check determines if the document includes the timestamp of its creation.

The timestamp can be used to determine when the SBOM was created relative to the software itself.

***Remediation steps***

- Check and populate the following fields with the timestamp of the SBOM document.
- CycloneDX field: [metadata:timestamp](https://cyclonedx.org/docs/1.4/json/#metadata_timestamp)
- SPDX field: [Created](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#69-created-field)

---

#### Relationship among Components

This check determines if the document describes the relationship among included components.

The dependency relationship can be critical in determining the order of inclusion and updates.

***Remediation***

- Check and populate the following fields with the relationship of components in the SBOM.
- CycloneDX field: [dependencies](https://cyclonedx.org/docs/1.4/json/#dependencies)
- SPDX field: [Relationship](https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/#111-relationship-field)

---

### Category: Semantic

---

#### Component Checksum

This check determines whether each component in the SBOM includes a valid checksum.
Expand All @@ -192,6 +227,7 @@ A valid checksum can be used to independently identify the contents of the packa


---

#### Component License

This check determines whether each component in the SBOM includes a valid license.
Expand All @@ -201,10 +237,12 @@ A declared valid SPDX license is the key to evaluating any compliance risks.
***Remediation steps***

Check and populate the following fields with the relationship of components in the SBOM.

- CycloneDX field: [component:licenses](https://cyclonedx.org/docs/1.4/json/#components_items_licenses)
- SPDX fields: [PackageLicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field), (Coming Soon) [LicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/file-information/#85-concluded-license-field)

---

#### Required Fields

This check determines whether several fields required by the underlying specification are present in the document.
Expand All @@ -214,13 +252,16 @@ With the required fields, the SBOM processing becomes consistent by different to
***Remediation***

Check and populate the following required fields:

- CycloneDX Fields: [bomFormat](https://cyclonedx.org/docs/1.4/json/#bomFormat), [SpecVersion](https://cyclonedx.org/docs/1.4/json/#specVersion), [Version](https://cyclonedx.org/docs/1.4/json/#version), [component:type](https://cyclonedx.org/docs/1.4/json/#components_items_type),[component:name](https://cyclonedx.org/docs/1.4/json/#components_items_name)
- SPDX Fields: [CreationInfo](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/), [Creator](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field), [Created](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#69-created-field), [SPDXVersion](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#61-spdx-version-field), [DataLicense](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#62-data-license-field), [SPDXIdentifier](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#63-spdx-identifier-field), [DocumentName](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#64-document-name-field), [DocumentNamespace](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#65-spdx-document-namespace-field), [PackageName](https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field), [PackageSPDXIdentifier](https://spdx.github.io/spdx-spec/v2.3/package-information/#72-package-spdx-identifier-field), [PackageDowloadLocation](https://spdx.github.io/spdx-spec/v2.3/package-information/#77-package-download-location-field), [PackageVerificationCode](https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field) (if applicable)


---

### Category: Quality

---

#### Vulnerability Lookup Identifier

This check determines whether at least one vulnerability lookup identifier (CPE/PURL) is present for each component.
Expand All @@ -234,6 +275,7 @@ A vulnerability lookup identifier is critical in mapping SBOM components to know
- SPDX fields: [ExternalRef with CPE or PURL](https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field)

---

#### Multiple Vulnerability Lookup Identifier

This check determines whether multiple vulnerability lookup identifiers are present for each component.
Expand All @@ -243,10 +285,12 @@ Including more than one vulnerability lookup identifier can enable vulnerability
***Remediation***

Check and populate the following fields:

- CycloneDX field: [components:cpe](https://cyclonedx.org/docs/1.4/json/#components_items_cpe) AND [components:purl](https://cyclonedx.org/docs/1.4/json/#components_items_purl)
- SPDX fields: [ExternalRef with CPE AND PURL](https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field)

---

#### Valid SPDX License

This check determines whether all included licenses are valid SPDX [licenses or license expressions](https://spdx.org/licenses/).
Expand All @@ -260,6 +304,7 @@ Any license expression not found on the SPDX list is a commercial license and mu
- SPDX fields: [PackageLicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field), (Coming Soon) [LicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/file-information/#85-concluded-license-field)

---

#### Deprecated License

This check determines whether any of the included licenses have been declared deprecated.
Expand All @@ -271,7 +316,9 @@ A deprecated license declaration can be considered a compliance risk.
- Check the following fields to confirm none of the licenses belong to the [deprecated licenses](https://spdx.org/licenses/):
- CycloneDX field: [component:licenses](https://cyclonedx.org/docs/1.4/json/#components_items_licenses)
- SPDX fields: [PackageLicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field), (Coming Soon) [LicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/file-information/#85-concluded-license-field)

---

#### Restricted License

This check determines whether any included licenses have been declared restricted for use.
Expand All @@ -285,6 +332,7 @@ A restricted license declaration can be considered a compliance risk.
- SPDX fields: [PackageLicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/package-information/#713-concluded-license-field), (Coming Soon) [LicenseConcluded](https://spdx.github.io/spdx-spec/v2.3/file-information/#85-concluded-license-field)

---

#### Primary Purpose

This check determines whether the SBOM component includes the Primary Purpose field.
Expand All @@ -294,10 +342,12 @@ The primary purpose (or type) indicates the use of the component inside the appl
***Remediation steps***

Check the following fields to confirm none of the licenses belong to the [restricted license list](https://opensource.google/documentation/reference/thirdparty/licenses):

- CycloneDX field: [component:type](https://cyclonedx.org/docs/1.4/json/#components_items_type)
- SPDX fields: [PrimaryPackagePurpose](https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field)

---

#### Primary Component Present

An sbom is expected to describe a primary component. This check determines if the sbom has
Expand All @@ -308,15 +358,19 @@ a primary component or not.
- CycloneDX: ensure the metadata section has the primary [component](https://cyclonedx.org/docs/1.5/json/#metadata_component) defined
- SPDX: Should have a [DESCRIBES](https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/) relationship which points to a package, or have a documentDescribes field present.


---

### Category: Sharing

---

#### Unencumbered License

This check determines whether the SBOM can be shared easily because it includes an unencumbered license: [CC0](https://spdx.org/licenses/CC0-1.0), [Unlicense](https://spdx.org/licenses/Unlicense.html), [0BSD](https://spdx.org/licenses/0BSD.html)

Check the following fields to see if the license includes one of the above licenses:

- CycloneDX field: [metadata:licenses](https://cyclonedx.org/docs/1.4/json/#metadata_licenses)
- SPDX fields: [DataLicense](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#62-data-license-field)

---
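Review bot: the NTIA-Minimum-Elements category heading is promoted from `###` to `##` while the sibling category headings in this same hunk (Structural, Semantic, Quality, Sharing) stay at `###`, so the rendered outline will nest the NTIA checks one level above the others; keep `### Category: NTIA-Minimum-Elements`. Two smaller points in the same hunk: the `***Remediation***` lines under Component Version and Author Name are still not followed by a blank line, unlike the other headings this hunk fixes, and two pre-existing copy-paste errors in the surrounding context lines are worth correcting while the file is open: the Component License remediation says "populate the following fields with the relationship of components in the SBOM", and the Primary Purpose remediation tells the reader to "confirm none of the licenses belong to the restricted license list" although the fields it lists are `component:type` and `PrimaryPackagePurpose`.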