interlynk-io / sbomqs
SBOM quality score - Quality metrics for your sboms
License: Apache License 2.0
Change to official link
Scoring for the two SBOMs at
even though both are prepared for the same image/tag with the same tool (syft-0.73.00). The root cause is the bomFormat and version fields, which are required in JSON and omitted from XML: https://cyclonedx.org/docs/1.4/xml/#element_bom
Expected Result:
Both sboms should produce identical scores.
sbomqs uses the presence of CPE/PURL to check for the 'Other unique identifiers' requirement. However, after discussing it with Kate Stewart here, it is clear that SPDXID alone can satisfy that criterion for SPDX.
Let us change sbomqs towards the original intent.
OWASP SCVS is formalizing verification requirements for SBOMs.
The sbomqs rules used to test SBOMs, as well as the output, should be aligned to meet the proposed checks in SCVS.
Add a user guide to help users of the tool understand the various use cases.
Issue #48 requires checking for the presence of SPDXID to meet NTIA Minimum Elements requirement. However, the underlying original issue will leave SPDX SBOMs without a vulnerability lookup key (CPE/PURL) with the same score as the ones with such a key present.
I propose a new rule under the Quality category called "Components can be checked for vulnerabilities with a key", with values listing all components that have a unique CPE/PURL present.
The score for a file like the one attached should be 8/15 components normalized to 10.0
bom-alpine-3.15.spdx.txt
NTIA minimum elements recommend that an SBOM include known unknowns. A declaration of unknowns must be used to calculate quality - TBD.
Using the brew directive, automate the Homebrew release via goreleaser.
The tool currently requires --filepath for the input SBOM:
```
--filepath string   sbom file path
```
Let's make that the default so that we can run this without --filepath:
```
build/sbomqs score ~/sbom-samples/repos/trivy-bom.spdx
```
Let's use goreleaser to cross-compile binaries for various platforms; this will help users download binaries for their platform without needing to compile this code.
https://goreleaser.com/
https://github.com/goreleaser/goreleaser
Integrate Dependabot to improve alerting and updates of underlying packages
As of version 0.0.4, sbomqs tests against a set of rules with equal weights and a max score of 10 for each, however, only some rules apply to some organizations (e.g., an organization using SBOMS for internal monitoring might not generate checksum).
The proposed enhancement is to list the rules and their weights in a configurable file and apply only the rules from that configuration. A sample configuration file could look like:
```
Rule 1: Components have versions
Rule 2: Components have uniq ids
Rule 3: Doc has authors
```
Final score = SUM(w_i * Score(R_i))
The run would be:
```
sbomqs score --config scoring_config.yaml --filepath bom.cdx.json
```
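The weighted scoring this proposal describes, as an added example in Go that is not sbomqs's own code: the config is modelled as an ordered list of rule names and weights (the YAML parsing is left out), the three sample rules are the ones listed above, and Doc, Component, RuleWeight, Rules and WeightedScore are assumed names. Dividing by the total weight keeps the final score on the same 0..10 scale as the per-rule scores, whatever weights an organisation picks.

```go
package main

import (
	"fmt"
	"math"
)

// Minimal SBOM view for this example (assumed shapes, not sbomqs's own types).
type Component struct{ Name, Version, ID string }
type Doc struct{ Authors []string; Components []Component }

// RuleWeight is one entry of the proposed scoring config: a rule name and its weight.
type RuleWeight struct{ Rule string; Weight float64 }

// ratio scores 10 * matched/total components (0 when the component list is empty).
func ratio(d Doc, ok func(Component) bool) float64 {
	n := 0
	for _, c := range d.Components {
		if ok(c) {
			n++
		}
	}
	return 10 * float64(n) / math.Max(1, float64(len(d.Components)))
}

// Rules known to the engine; the config picks a subset of them and weights it.
var Rules = map[string]func(Doc) float64{
	"Components have versions": func(d Doc) float64 { return ratio(d, func(c Component) bool { return c.Version != "" }) },
	"Components have uniq ids": func(d Doc) float64 { return ratio(d, func(c Component) bool { return c.ID != "" }) },
	"Doc has authors":          func(d Doc) float64 { return 10 * math.Min(1, float64(len(d.Authors))) },
}

// WeightedScore applies only the configured rules as SUM(w_i * Score(R_i)) / SUM(w_i),
// so the result stays on the 0..10 scale whatever weights the organisation chooses.
// Unknown rule names and an empty or all-zero config are reported instead of scored.
func WeightedScore(d Doc, cfg []RuleWeight) (float64, error) {
	var sum, total float64
	for _, rw := range cfg {
		r, ok := Rules[rw.Rule]
		if !ok {
			return 0, fmt.Errorf("unknown rule in config: %q", rw.Rule)
		}
		sum += rw.Weight * r(d)
		total += rw.Weight
	}
	if total <= 0 {
		return 0, fmt.Errorf("config selects no rules or only zero weights")
	}
	return math.Round(sum/total*10) / 10, nil
}
```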
The current readme is just a data dump. We need to structure it well for consumption.
When --reportFormat is JSON, we must ensure:
I recommend the following changes:
```json
"run_id": "e6468750-1506-42ff-b635-16068fdcdb27",
"timestamp": "2023-02-27T20:37:11Z",
"creation_info": {
  "name": "sbomqs",
  "version": "v0.0.7",
  "scoring_engine_version": "2"
},
"files": [
  {
    "file_name": "sboms/trivy-0.36.1_alpine-3.17.2.spdx.json",
    "spec": "", # Cannot be filled
    "spec_version": "", # Cannot be filled
    "file_format": "json",
    "avg_score": 0,
    "error": "Error processing file: Invalid SBOM"
  }
```
Creator tool information is critical to tracking the creator's capabilities and maturity.
Rule Proposal: Creator Tool information must be valid and include the tool's name and version.
Category: Quality
Notes:
Tool: toolidentifier-version
name: The name of the tool
version: The version of the tool
Score:
0 if either tool name or version is missing
10 if both tool name and version are present.
A component's metadata in an SBOM is probably more accurate if the generator tool has analyzed the files for the repo. We should consider using this metric for scoring. We know this field exists for SPDX; however, for CycloneDX we are still researching how this is encoded.
Reference: Signing releases on GitHub
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
Actual
Quality score for the test.spdx.txt
```
| Components have no deprecated licenses | 10.0/10.0 | 0/331 components have deprecated licenses |
| Components have no restricted licenses | 10.0/10.0 | 0/331 components have restricted licenses |
```
Expected
Given that all licenses are NOASSERTION (Line: 4686), which is not a useful value, the score should be 0/10.0
To be consistent with other output formats, added component counts to the json format.
This scoring method should fall under the "Quality" Category.
Restricted Licenses are licenses that require mandatory source distribution of the included application or library in which they are included.
Let's add the following licenses to this scoring method
We need a scoring check in Quality for whether the SBOM describes a main component. I'm not sure what multiple "document describes" entries in SPDX mean, but we can discuss that.
@surendrapathak
e.g.
SPDX has a documentDescribes
CycloneDX has metadata->component
As of v0.0.7, any error from processFile( (Line 81 in 1d31e60):
```
sbomqs score --filepath flux_sbom.spdx.json --reportFormat basic
failed to parse flux_sbom.spdx.json
Error: error processing file
Usage:
  sbomqs score [flags]

Flags:
      --category string       scoring category
      --dirpath string        sbom dir path
      --filepath string       sbom file path
  -h, --help                  help for score
      --reportFormat string   reporting format basic/detailed/json
```
The tool should provide actionable error messages e.g.
In addition:
Consider two SBOMs (CDX-JSON/SPDX-TV) for the same image/tag below.
```
sbomqs score --filepath /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.cdx.json --category NTIA-minimum-elements
SBOM Quality Score:2.9 components:0 /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.cdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY              | FEATURE                        | SCORE     | DESC                           |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Components have supplier names | 0.0/10.0  | 0/0 have supplier names        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 0.0/10.0  | 0/0 have names                 |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-28T07:16:03+00:00      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 0.0/10.0  | 0/0 have unique ID's           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 0.0/10.0  | 0/0 have versions              |
+-----------------------+--------------------------------+-----------+--------------------------------+
```
```
sbomqs score --filepath /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.spdx.tv --category NTIA-minimum-elements
SBOM Quality Score:7.1 components:1 /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.spdx.tv
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY              | FEATURE                        | SCORE     | DESC                           |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Components have supplier names | 0.0/10.0  | 0/1 have supplier names        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 1/1 have names                 |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 10.0/10.0 | doc has 1 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-01-30T02:05:22Z           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 0.0/10.0  | 0/1 have versions              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 1/1 have unique ID's           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has authors                | 10.0/10.0 | doc has 2 authors              |
+-----------------------+--------------------------------+-----------+--------------------------------+
```
The resulting ordering needs to be more consistent. For example, the check "Doc has authors" is the 2nd check with CycloneDX but the last check with SPDX.
Expected behavior
The result ordering is consistent across SBOM types.
Goal
To achieve the following method of installing sbomqs
```
$ brew new-tap interlynk-io/sbomqs
$ brew install sbomqs
$ brew update sbomqs
```
Great tool!
An ability via a command-line flag to output the results in JSON would be much appreciated. I know I would benefit. Perhaps other users would benefit too.
Currently we check a component's metadata for the presence of licenses; however, we do not check for copyright information. The presence of this information helps consumer tooling to better consume this SBOM.
ChatGPT
Copyright and license are related but distinct concepts in the realm of intellectual property law.
Copyright is a legal right granted to the creator of an original work, such as a literary, artistic, or musical work, which gives the creator the exclusive right to use, reproduce, distribute, display, and perform the work. Copyright protection is automatic and does not require registration, although registration can provide additional benefits, such as the ability to sue for infringement and recover damages.
A license, on the other hand, is a legal agreement between the copyright holder and another party that grants permission to use the copyrighted work in certain ways. Licenses can be exclusive or non-exclusive, and can specify the scope, duration, and terms of use of the copyrighted work. In other words, a license is a formal permission granted by the copyright holder to another party to use the work under certain conditions.
In summary, copyright is a legal right that protects the original works of creators, while a license is a legal agreement that grants permission to use a copyrighted work in certain ways. A license is a means by which the copyright holder can permit others to use their copyrighted work while still retaining ownership and control over it.
It appears that on Goals; Goal 1, assess is misspelled on readme.md.
```
sbomqs score --filepath ~/Downloads/bomber.cyclonedx.json --reportFormat json
{
  "run_id": "e2c649b0-b33a-4e60-b973-d98bc9b5182c",
  "timestamp": "2023-03-16T22:22:07Z",
  "creation_info": {
    "name": "sbomqs",
    "version": "v0.0.10",
    "scoring_engine_version": "4"
  },
  "files": [
    {
      "file_name": "/Users/spathak/Downloads/bomber.cyclonedx.json",
      "spec": "spdx",
      "spec_version": "SPDX-2.3",
```
Expected Behavior
The file_name should only include name of the file
Actual Behavior
The file_name includes an entire path to the file (/Users/spathak/ etc).
Actual
Quality score for the test.spdx.txt file results in a 10.0/10.0 score for supplier names:
```
| | Components have supplier names | 10.0/10.0 | 331/331 have supplier names |
```
Expected
Given that all supplier names are NOASSERTION (Line: 4682), which is not a useful value, the score should be 0/10.0
When --reportFormat is JSON, we want to improve certain parts:
```json
"file_name": "/Users/spathak/Downloads/bomber.cyclonedx.json",
"spec": "spdx",
"spec_version": "SPDX-2.3",
"file_format": "json",
"avg_score": 7.945727482678983,
"creation_info": {
  "name": "syft",
  "version": "v0.73.0"
}
```
Add support to score SBOM generated in SWID format
SWID tags can be used as an SBOM, since they provide identifying information for a software component, a listing of files and cryptographic hashes for the constituent artifacts that make up a software component, and provenance information about the SBOM (tag) creator and software component creator. Tags can explicitly link to other tags, enabling a representation of a dependency tree.
Currently we implicitly trust the content in a CPE field to be a valid CPE. It's quite possible the CPE does not follow the CPE specification.
To ensure that these URIs in fact match the spec, we should introduce cpe as a type with a Valid method.
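A CPE type with a Valid method, as an added example that is not sbomqs's own code: it checks the structure of both the CPE 2.3 formatted string (13 colon-separated fields, escaped colons allowed inside a field) and the older CPE 2.2 URI form, so that an SBOM whose cpe field holds a PURL, a bare package name or a truncated string is not credited with a vulnerability lookup key. The names CPE, splitUnescaped and validPart are assumptions.

```go
package main

import "strings"

// CPE is a CPE identifier as found in an SBOM component (assumed type for this example,
// not sbomqs's own). Valid checks structure only, not that the product exists in NVD.
type CPE string

// splitUnescaped splits on ':' but leaves "\:" (an escaped colon, legal inside a
// CPE 2.3 formatted-string attribute) in the field it belongs to.
func splitUnescaped(s string) []string {
	var fields []string
	start := 0
	for i := 0; i < len(s); i++ {
		if s[i] == '\\' {
			i++ // skip the escaped character so an escaped ':' does not split
		} else if s[i] == ':' {
			fields = append(fields, s[start:i])
			start = i + 1
		}
	}
	return append(fields, s[start:])
}

// validPart accepts a (application), h (hardware), o (operating system) and the
// CPE 2.3 logical values ANY ("*") and NA ("-").
func validPart(p string) bool { return p == "a" || p == "h" || p == "o" || p == "*" || p == "-" }

// Valid reports whether c is a well-formed CPE 2.3 formatted string (cpe:2.3:part plus ten
// more attributes, 13 fields in all, none empty) or a CPE 2.2 URI (cpe:/part:vendor:product[:version...]).
func (c CPE) Valid() bool {
	f := splitUnescaped(string(c))
	if len(f) < 4 || f[0] != "cpe" {
		return false
	}
	if f[1] == "2.3" {
		if len(f) != 13 || !validPart(f[2]) {
			return false
		}
		for _, v := range f[3:] {
			if v == "" {
				return false
			}
		}
		return true
	}
	// CPE 2.2 URI: the part carries a leading '/', and only a/h/o are legal there.
	p := strings.TrimPrefix(f[1], "/")
	return len(f) <= 8 && p != f[1] && p != "*" && p != "-" && validPart(p) && f[2] != "" && f[3] != ""
}
```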
Same as #22 for category
Expected:
error in category value ('NTIA-minimum-element') should be reported with a help message
The exit code should not be 0
Users would like to be able to share their SBOM scores with SBOM generators or consumers. We can enable this workflow by providing a share command in sbomqs.
Host: https://sbombenchmark.dev
Api: /user/score
Req: POST
Body: JSON request
```
sbomqs share <sbom-file>
SBOM Quality Score:6.3 components:23 cdxgen-bom.json
ShareLink: https://sbombenchmark.dev/user/score?id=f0c3a36a-25e5-4da5-af3c-fe350489b85d
```
The attached sbom has a score of 0 for all component checks.
Example:
```
sbomqs score --filepath /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.cdx.json --category NTIA-minimum-elements
SBOM Quality Score:2.9 components:0 /Users/spathak/interlynk/sbomlc/trivy-0.36.1_busybox-1-glibc.cdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY              | FEATURE                        | SCORE     | DESC                           |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-28T07:16:03+00:00      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/0 have supplier names        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 0.0/10.0  | 0/0 have unique ID's           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 0.0/10.0  | 0/0 have names                 |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 0.0/10.0  | 0/0 have versions              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+-----------------------+--------------------------------+-----------+--------------------------------+
```
However, the SBOM itself has no components. Therefore, it should not be given a low score for missing names/ids.
Expected Behavior
If the component list is empty, assume SBOM is accurate and default to providing a full score (10.0) for checks requiring component details
In the multi vuln lookup rule, we check to see if a component has both CPE & PURL. Our thinking was the more the merrier for looking up the vuln in NVD. CPEs have been known to be error-prone and manual. This scoring rule could influence SBOM generators to just put in a CPE, even if they don't have the correct data.
We should re-evaluate if this is a legit concern or not.
We already make use of goreleaser. Now using github actions we can auto-release when a new tag is made.
Check GitHub for whether new versions of the tool are available and inform the user.
Surface component depth in all reporting formats.
Add sbom to sbomqs release output