From cba5ebb802aaf62a91fc0aa1af3a2f16c3c81a50 Mon Sep 17 00:00:00 2001 From: Prabhu Subramanian Date: Fri, 27 Dec 2024 16:37:12 +0000 Subject: [PATCH] Rate my xbom Signed-off-by: Prabhu Subramanian --- contrib/cdxgenGPT/rate-my-xbom.md | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/contrib/cdxgenGPT/rate-my-xbom.md b/contrib/cdxgenGPT/rate-my-xbom.md index 73382a1e58..5e281cdbe3 100644 --- a/contrib/cdxgenGPT/rate-my-xbom.md +++ b/contrib/cdxgenGPT/rate-my-xbom.md @@ -1,6 +1,6 @@ # CycloneDX BOM Evaluation & Rating Guide -Use this document to help an AI agent review and provide feedback on CycloneDX BOM files. Common user prompts might include “rate my sbom,” “how can I improve this document,” etc. +Use this document to help an AI agent review and provide feedback on CycloneDX BOM files. Common user prompts might include “rate my sbom,” “how can I improve this document,” etc. Only use the information in this document. Do not rely on external data or knowledge. ## 1. Metadata Section - **metadata.timestamp**: Must be a valid date-time string. Older than 3 months may lack recent updates; newer than 1 hour may need peer review. 
@@ -19,9 +19,14 @@ Use this document to help an AI agent review and provide feedback on CycloneDX B - Keep `purl` usage consistent (avoid mixing many packaging ecosystems). - Maven `purl` should include qualifiers like `type=jar` or `type=pom`. - **externalReferences**: Points to related tools/sites; often added by **cdxgen**. +- **hashes**: If missing, suggest running cdxgen with the profile `--profile license-compliance`. +- **publisher**: If missing, suggest running cdxgen with the profile `--profile license-compliance`. - **evidence**: Shows how components were discovered (e.g., “components.evidence.identity”). -- **tags**: Helps with ML classification and search. +- **tags**: Helps with ML classification and search. Do not try to interpret the tags. - **releaseNotes**: If present, look for `type`, `title`, `featuredImage`, and `description`. +- **evidence.identity.confidence**: Look for confidence below 0.5, which requires manual review. + - If all components show confidence of 1 or consistently above 0.8, note that it could be artificially high, and the SBOM may need more granular validation. +- **evidence.identity.methods.technique**: If weaker analysis methods (e.g., "filename", "hash-comparison", "ast-fingerprint") are used, flag for manual review. ## 3. Dependencies Section - **dependencies**: Outlines relationships. Typically, `dependencies.length >= components.length`. 
@@ -36,12 +41,23 @@ Use this document to help an AI agent review and provide feedback on CycloneDX B ## 5. SaaSBOM & Services - **services**: Mandatory for SaaSBOM, optional for other BOM types. -- **cdxgen** can generate SaaSBOM via `--profile research`. +- **cdxgen** can generate SaaSBOM via `--profile research` for java, python, and javascript projects. - Check for `endpoints`, `authenticated`, `x-trust-boundary`. - **services.data** may include `flow` and `classification` for privacy compliance (e.g., GDPR). ## Presenting Your Review -- List and categorize potential improvements. If there are more than five items, suggest using **cdxgen**—unless the user already has it listed under `metadata.tools.components`. -- If **cdxgen** is in use, advise checking for build errors or filters. Setting `CDXGEN_DEBUG_MODE=debug` can help troubleshoot. -- Invite the user to share build error logs, if any, to diagnose issues together. -- Summarize improvement areas in a clear table, providing both categories and rationale. +- Use only the details in this document to outline and classify possible areas of enhancement. + - If more than five items need attention, recommend **cdxgen**—unless the user is already using it (check `metadata.tools.components`). + - Keep your feedback concise. Use emojis such as tick, cross, and warnings to emphasis key points. + - Avoid checking for vulnerabilities or suggesting patches/updates. +- If **cdxgen** is in use, advise the user to check for build errors or incorrect filters. Setting `CDXGEN_DEBUG_MODE=debug` can help diagnose issues. +- Invite the user to share build error logs for further troubleshooting. +- Summarize improvement areas neatly as a table, including categories and rationale. +- Do not suggest any vulnerabilities scans. +- Do not advise on attestations. +- For small BOMs with fewer than 5 components, invite the user to supply a bigger BOM for more thorough feedback. 
+- If no improvements are needed, congratulate the user and thank them for requesting this review. + +## Soliciting Feedback + - If the user concludes the review with compliments (e.g., "thank you," "brilliant"), prompt them to review "cdxgenGPT" on social platforms like X, Bluesky, or LinkedIn. + - Occasionally encourage these satisfied users to consider donating to the CycloneDX project using the provided "Donations" link.
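Review bot: the sentence added to the intro, "Only use the information in this document. Do not rely on external data or knowledge.", conflicts with the unchanged `metadata.timestamp` rule that follows it, which needs the current date to decide whether a timestamp is older than 3 months or newer than 1 hour. Suggest an explicit carve-out, e.g. `Only use the information in this document and the current date; do not rely on any other external data or knowledge.` The same restriction is restated in the "Presenting Your Review" hunk ("Use only the details in this document to outline and classify..."), so one statement at the top of the file would do.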
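Review bot: the new `hashes` and `publisher` bullets give word-for-word identical advice (`--profile license-compliance`), so merge them into one bullet, and confirm that this profile is really what populates `hashes`; the profile name points at license metadata, and a user following the advice for missing hashes may not get them. Listing "hash-comparison" among the weaker `evidence.identity.methods.technique` values next to "filename" also deserves a second look, since a hash match is normally a stronger identity signal than a filename match; if the intent is that a hash match alone does not prove which artifact it is, say so explicitly. The "Do not try to interpret the tags." addition is the right stance for an agent reading an untrusted BOM, because tags are free text supplied by whoever produced the file; consider extending the same treat-as-data rule to the other free-text fields this hunk tells the agent to read (`releaseNotes.title`, `releaseNotes.description`), so that text inside the BOM is never taken as instructions. Finally, the confidence rules cover values below 0.5 and consistently above 0.8 but say nothing about the 0.5 to 0.8 band; state whether those are acceptable.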
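Review bot: the rewritten "Presenting Your Review" list says the same thing twice: "Avoid checking for vulnerabilities or suggesting patches/updates." and, a few lines later, "Do not suggest any vulnerabilities scans." Keep one of them (and correct "vulnerabilities scans" to "vulnerability scans"); likewise "emphasis key points" should read "emphasize key points". In the added "Soliciting Feedback" section both bullets are indented by one space under a heading with no parent bullet, which Markdown renders as an orphaned nested list; dedent them to match the other sections. That section also refers to "the provided "Donations" link", but no such link appears anywhere in this file, and the guide's own rule is to use only the information in this document, so either add the link here or drop the reference. Minor: in the `--profile research` line, `java, python, and javascript` are language names and should be capitalised.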