SBOM-Tester

Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.

This is a simple script that takes a CycloneDX SBOM in JSON format and analyses it against five quality factors:

  1. Presence and correctness of PURLs (package URLs).
  2. Presence and correctness of licenses per PURL. Note: license ids are checked against the SPDX license list.
  3. Whether the SBOM contains the dependency tree.
  4. The presence of an operating system component.
  5. Whether the SBOM records the tool that was used to create it.

Usage

  1. Create and activate a virtual environment first (recommended), then install the required libraries:

```shell
python -m venv env
source env/bin/activate
pip install -r requirements.txt
```

  2. Run the CLI and generate a report. You may pass either a directory containing many SBOM files or a single file:

```shell
python main.py test/ --report
```

  3. Example report:

```json
[
  {
    "filename": "test/cyclonedx-bom.json",
    "purls": 378,
    "percentage_valid_purl": 1.0,
    "licenses": {
      "valid_licenses": 372,
      "percentage_valid_license_id": 0.98
    },
    "is_schema_compliant": true,
    "operating_system": {
      "has_os": false,
      "os_found": null
    },
    "sbom_tool": {
      "has_tool": true,
      "tools": []
    },
    "has_dependency_tree": true,
    "quality_score": 0.895
  }
]
```

Note: the ./test folder contains CycloneDX SBOMs created for the vsm-webshop project with the CycloneDX Python plugin, Syft, Trivy and ORT. Feel free to play with those.

Scoring

In analyser.py, the function grade_sbom contains the weights for the factors above:

```python
weights = {
    "has_dependency_tree": 0.2,
    "valid_bom": 0.1,
    "has_operating_system": 0.1,
    "valid_licenses": 0.1,
    "valid_purls": 0.5
}
```

and further down you'll also see the weighted scoring:

```python
score = (score_dep_tree * weights['has_dependency_tree']) + (score_valid_bom * weights['valid_bom']) + (
        score_operating_systems * weights['has_operating_system']) + (score_licenses * weights['valid_licenses']) + (score_purls * weights['valid_purls'])
```

In simple words, the scoring looks at whether the SBOM:

  1. has a dependency tree,
  2. validates against the CycloneDX schema,
  3. contains an operating system component,
  4. has SPDX-valid license ids, and
  5. has PURLs that conform to the package-url spec.

Changing the weights

Feel free to change the weights dictionary according to your needs. Ensure that all weights add up to 1, otherwise the quality score is no longer a ratio between 0 and 1 ;)
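To make the five factors and the weighting concrete, here is an added example; it is not SBOM-Tester's own analyser.py and may differ from it in detail. It computes the factor scores for a constructed CycloneDX 1.4-style document, builds a report in the shape of the example output above, applies the quoted weights, and refuses a weight set that does not sum to 1. It assumes a simplified PURL regex, a small embedded subset of the SPDX license list, and a structural check standing in for full JSON-schema validation; SAMPLE_BOM, the function names and the "Proprietary" license name are constructed for the example.

```python
import json
import re

# Added example, not SBOM-Tester's own analyser.py: the five factors and the README's weights.
# Simplified package-url syntax (pkg:type/namespace/name@version?qualifiers#subpath);
# this regex is an assumption of the example, not the tool's validator.
PURL_RE = re.compile(
    r"^pkg:[a-z0-9.+-]+/"   # "pkg:" scheme and lowercase type
    r"(?:[^/@?#]+/)*"       # optional namespace segments
    r"[^/@?#]+"             # package name
    r"(?:@[^?#]+)?(?:\?[^#]+)?(?:#.+)?$"  # optional @version, ?qualifiers, #subpath
)
# Small subset of the SPDX license list so the example runs offline.
SPDX_LICENSE_IDS = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "GPL-3.0-only"}
# Weights as quoted from grade_sbom; the tool-metadata factor is reported but not weighted.
WEIGHTS = {"has_dependency_tree": 0.2, "valid_bom": 0.1, "has_operating_system": 0.1,
           "valid_licenses": 0.1, "valid_purls": 0.5}

def check_weights(weights):
    """Reject weights that do not sum to 1; otherwise quality_score is not a 0..1 ratio."""
    total = sum(weights.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total}, expected 1.0")
    return True

def is_valid_purl(purl):
    return bool(purl) and PURL_RE.match(purl) is not None

def has_spdx_license(component):
    """At least one license, and every one a bare SPDX id (a free-text name or nothing is not valid)."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if not lic or "id" not in lic:
            return False
        ids.append(lic["id"])
    return bool(ids) and all(i in SPDX_LICENSE_IDS for i in ids)

def analyse(bom, filename="<constructed>"):
    """Report in the shape of the README's example output, without quality_score."""
    components = bom.get("components", [])
    with_purl = [c for c in components if c.get("purl")]
    n = len(with_purl)
    valid_purls = sum(1 for c in with_purl if is_valid_purl(c["purl"]))
    valid_licenses = sum(1 for c in with_purl if has_spdx_license(c))
    # Structural stand-in for full JSON-schema validation.
    schema_ok = bom.get("bomFormat") == "CycloneDX" and "specVersion" in bom and isinstance(components, list)
    os_comp = next((c for c in components if c.get("type") == "operating-system"), None)
    tools = bom.get("metadata", {}).get("tools", [])
    if isinstance(tools, dict):  # CycloneDX 1.5 form: {"components": [...], "services": [...]}
        tools = tools.get("components", []) + tools.get("services", [])
    return {
        "filename": filename,
        "purls": n,
        "percentage_valid_purl": valid_purls / n if n else 0.0,
        "licenses": {"valid_licenses": valid_licenses,
                     "percentage_valid_license_id": valid_licenses / n if n else 0.0},
        "is_schema_compliant": schema_ok,
        "operating_system": {"has_os": os_comp is not None,
                             "os_found": os_comp.get("name") if os_comp else None},
        "sbom_tool": {"has_tool": bool(tools),
                      "tools": [f"{t.get('name')} {t.get('version', '')}".strip() for t in tools]},
        "has_dependency_tree": any(d.get("dependsOn") for d in bom.get("dependencies", [])),
    }

def grade(report, weights=WEIGHTS):
    """The README's weighted sum: boolean factors count 0 or 1, the PURL and license ratios as-is."""
    check_weights(weights)
    factors = {
        "has_dependency_tree": float(report["has_dependency_tree"]),
        "valid_bom": float(report["is_schema_compliant"]),
        "has_operating_system": float(report["operating_system"]["has_os"]),
        "valid_licenses": report["licenses"]["percentage_valid_license_id"],
        "valid_purls": report["percentage_valid_purl"],
    }
    return round(sum(factors[k] * weights[k] for k in weights), 3)

# Constructed SBOM: two clean components, a bad PURL with a non-SPDX license name,
# a valid PURL with no license, and a component without any PURL.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "metadata": {"tools": [{"vendor": "example", "name": "sbom-gen", "version": "0.1"}]},
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "npm/left-pad@1.3.0", "licenses": [{"license": {"name": "Proprietary"}}]},
        {"type": "library", "name": "core", "version": "7.23.0", "purl": "pkg:npm/%40babel/core@7.23.0"},
        {"type": "library", "name": "internal-lib", "version": "0.0.1"},
    ],
    "dependencies": [{"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.0.7"]}],
}

if __name__ == "__main__":
    report = analyse(SAMPLE_BOM)
    report["quality_score"] = grade(report)  # 0.725 for the constructed SBOM
    print(json.dumps([report], indent=2))
```

Running the block prints a one-element report list like the example above. For the constructed SBOM, 3 of 4 PURLs are valid (the npm entry lacks the pkg: scheme) and 2 of 4 carry a bare SPDX id, so with the quoted weights the score is 0.2 + 0.1 + 0 + 0.05 + 0.375 = 0.725; the missing operating system costs a flat 0.1, which is the kind of effect to keep in mind when retuning the weights.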

Contact

Feel free to contact me for any queries under vincent.groves@leanix.net, or just open an issue or PR. I will try to get back to you in a timely manner.