Add compliance report for BSI Technical Guideline TR-03183

Compliance.md

@@ -0,0 +1,33 @@
+# Compliance Reports
+
+sbomqs now helps generating compliance reports for your sboms. We support industry standard requirements
+like NTIA minimum elements, BSI CRA TR-03183 v1.1 and OWASP SCVS. 
+
+The goal of compliance reports is to verify if the sbom file adheres to these standard, before they are distributed. 
+
+We have explained below how sbomqs approaches compliance reports for BSI CRA TR-03183 v1.1. We are not going to explain
+the spec here, but rather go into our intepretation of it. 
+
+
+The [BSI CRA TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5) which is in draft currently specifies that the compilation of an SBOM is mandatory. Below is how we have derived all the values.
+
+| TR-03183 | TR-03183 field | CycloneDx | SPDX(2.3) | Notes |
+| :---     | :---    |     :---      |          :--- | :--- |
+|4. SBOM formats| `specification`  | BomFormat     | SPDXversion    | CycloneDX and SPDX only |
+|| `specification version`  | SpecVersion     | SPDXversion    | CycloneDX 1.4 and above, SPDX 2.3 and above |
+|5.1 Level of Detail| `Build SBOM`     | metadata->lifecycles (1.5 and above)       |  no-deterministic-field      | |
+|| `Depth`   | dependencies, compositions     | relationships    | A complex topic, mostly resolved via attestations via compositions, but spdx lacks that field now|
+|5.2.1 Required SBOM fields| `creator` | metadata->authors, metadata->supplier | creator | We are primarily looking for email or url from these fields, if the name exists but email/url missing its deemed non-compliant|
+|    | | metadata->manufacturer | | |
+|| `timestamp`| metadata->timestamp| created |  |
+|5.2.2 Required Component fields| `creator` | component->supplier | packageSupplier, packageOriginator | Looking for email or url, for spdx, we check supplier then originatior(manufacturer)|
+|| `name` | component->name| package->name| |
+|| `version` | component->version| package->version| |
+|| `dependencies` | dependencies, compositions| relationships| cdx we look for attestations via compositions, spdx nothing exists|
+|| `license`| component->license| packageConcluded, packageDeclated| we lookup sdpx,spdx-exceptions,aboutcode, and licenseRef-|
+|| `hash` | component->hashes | package->checksums | we only look for sha-256|
+|5.3.1 Additional Component fields | `SBOM-URI`| serialNumber, version | namespace | for cdx bom-link is considered a URN |
+| | `source code uri`| component->externalReferences->type (vcs) | no-deterministic-field | |
+| | `URI of the executable form`| component->externalReferences->type (distribution/distribution-intake) | PackageDownloadLocation | |
+| | `hash of source code`| no-deterministic-field | package->PackageVerificationCode | |
+| | `other uniq identifiers`| component->cpe, component->purl| package->externalReference->security (cpe/purl) | |

README.md

@@ -40,6 +40,11 @@ other installation [options](#installation).
 sbomqs score <sbom-file>
 ```
 
+#### Compliance Report: CRA TR-03183 for an sbom
+```sh
+sbomqs compliance -c samples/photon.spdx.json
+```
+
 #### Quality Score with a shareable link at [sbombenchmark.dev](https://sbombenchmark.dev/).  
 ```sh
 sbomqs share <sbom-file>
@@ -232,6 +237,50 @@ json format
 }
 ```
 
+# Compliance Reports
+sbomqs can now produce compliance reports for industry standard requirements. Currently we support [BSI CRA TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5). More details about the CRA
+requirements are avaliable [here](./Compliance.md). 
+
+## Reports 
+- [BSI CRA TR-03183 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf?__blob=publicationFile&v=5)
+- [NTIA minimum element](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf) - Coming soon.
+- [OWASP SCVS](https://scvs.owasp.org/bom-maturity-model/) - Coming soon.
+
+Example of a BSI CRA report
+```
+{
+  "report_name": "Cyber Resilience Requirements for Manufacturers and Products Report",
+  "subtitle": "Part 2: Software Bill of Materials (SBOM)",
+  "revision": "TR-03183-2 (1.1)",
+  "run": {
+    "id": "375c288b-0928-4066-9e3a-b8655ac29f91",
+    "generated_at": "2024-04-18T03:22:56Z",
+    "file_name": "samples/photon.spdx.json"
+  },
+  "tool": {
+    "name": "sbomqs",
+    "version": "v0.0.30-23-g344a584-dirty",
+    "vendor": "Interlynk (https://interlynk.io)"
+  },
+  "summary": {
+    "total_score": 4.20,
+    "max_score": 10,
+    "required_elements_score": 5.91,
+    "optional_elements_score": 2.50
+  },
+"sections": [
+    {
+      "section_title": "SBOM formats",
+      "section_id": "4",
+      "section_data_field": "specification",
+      "required": true,
+      "element_id": "sbom",
+      "element_result": "spdx",
+      "score": 10
+    },
+...
+```
+
 
 # SBOM Samples
 - A sample set of SBOM is present in the [samples](https://github.com/interlynk-io/sbomqs/tree/main/samples) directory above

cmd/compliance.go

@@ -0,0 +1,88 @@
+// Copyright 2024 Interlynk.io
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package cmd
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/interlynk-io/sbomqs/pkg/engine"
+	"github.com/interlynk-io/sbomqs/pkg/logger"
+	"github.com/spf13/cobra"
+)
+
+var complianceCmd = &cobra.Command{
+	Use:   "compliance <sbom file>",
+	Short: "compliance command checks the sbom for compliance with sbom standards",
+	Long: `Check if you sbom complies with various sbom standards like NTIA minimum elements, CRA TR-03183.
+	Generate a compliance report for the sbom file.
+	`,
+	Args: func(cmd *cobra.Command, args []string) error {
+		if err := cobra.ExactArgs(1)(cmd, args); err != nil {
+			return fmt.Errorf("compliance requires a single argument, the path to the sbom file")
+		}
+
+		return nil
+	},
+	RunE: func(cmd *cobra.Command, args []string) error {
+		debug, _ := cmd.Flags().GetBool("debug")
+		if debug {
+			logger.InitDebugLogger()
+		} else {
+			logger.InitProdLogger()
+		}
+
+		ctx := logger.WithLogger(context.Background())
+
+		engParams := setupEngineParams(cmd, args)
+		return engine.ComplianceRun(ctx, engParams)
+	},
+}
+
+func setupEngineParams(cmd *cobra.Command, args []string) *engine.Params {
+	engParams := &engine.Params{}
+
+	// engParams.Basic, _ = cmd.Flags().GetBool("basic")
+	// engParams.Detailed, _ = cmd.Flags().GetBool("detailed")
+	engParams.Json, _ = cmd.Flags().GetBool("json")
+	//engParams.Pdf, _ = cmd.Flags().GetBool("pdf")
+
+	// engParams.Ntia, _ = cmd.Flags().GetBool("ntia")
+	engParams.Cra, _ = cmd.Flags().GetBool("cra")
+
+	engParams.Debug, _ = cmd.Flags().GetBool("debug")
+
+	engParams.Path = append(engParams.Path, args[0])
+
+	return engParams
+}
+
+func init() {
+	rootCmd.AddCommand(complianceCmd)
+
+	//Debug control
+	complianceCmd.Flags().BoolP("debug", "D", false, "enable debug logging")
+
+	//Output control
+	complianceCmd.Flags().BoolP("json", "j", false, "output in json format")
+	// complianceCmd.Flags().BoolP("basic", "b", false, "output in basic format")
+	// complianceCmd.Flags().BoolP("detailed", "d", false, "output in detailed format")
+	//complianceCmd.Flags().BoolP("pdf", "p", false, "output in pdf format")
+	// complianceCmd.MarkFlagsMutuallyExclusive("json", "basic", "detailed")
+
+	//Standards control
+	// complianceCmd.Flags().BoolP("ntia", "n", false, "check for NTIA minimum elements compliance")
+	complianceCmd.Flags().BoolP("cra", "c", false, "CRA TR-03183 v1.1 compliance")
+	// complianceCmd.MarkFlagsMutuallyExclusive("ntia", "cra")
+}