CISA-SBOM-Community / SBOM-Generation

Reference GitHub Workflows for SBOM generation from the CISA SBOM Generation Reference Implementation Tiger Team
Apache License 2.0

[Discussion] How should we evaluate "completeness"? #19

Open idunbarh opened 1 month ago

idunbarh commented 1 month ago

We need an automated method for evaluating "completeness" of SBOMs which can be incorporated into a pipeline.

The following tools have quality checks:

Ideally we would be able to determine if we're meeting all minimum requirements of Framing Software Component Transparency Third Edition (DRAFT), but tooling probably doesn't support these checks.

Another option for completeness is the BOM Maturity Model, which is being incorporated into sbomqs.

Are there other ways we could measure completeness of SBOMs today in a pipeline?

surendrapathak commented 1 month ago

sbomqs is working on supporting the draft 4 here: https://github.com/interlynk-io/sbomqs/issues/313

idunbarh commented 5 days ago

Let's proceed with sbomqs, similar to the phase 1 - docker implementation created by @vpetersson.

  Validate:
    needs: Assemble
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download SBOMs
        uses: actions/download-artifact@v4

      - name: Install sbomqs
        # SBOMQS_VERSION must be defined in the workflow-level env block.
        run: |
          # -f makes curl fail on an HTTP error instead of saving the error page as the binary.
          curl -fsSL -o /tmp/sbomqs \
            "https://github.com/interlynk-io/sbomqs/releases/download/v${SBOMQS_VERSION}/sbomqs-linux-amd64"
          chmod +x /tmp/sbomqs

      - name: "Display SBOM quality score through sbomqs"
        run: |
          echo '```' >> "${GITHUB_STEP_SUMMARY}"
          # Quote the glob so the shell does not expand it before find runs,
          # and read NUL-delimited paths so file names with spaces survive.
          find . -iname '*.json' -print0 | while IFS= read -r -d '' SBOM; do
            /tmp/sbomqs score "$SBOM" >> "${GITHUB_STEP_SUMMARY}"
          done
          echo '```' >> "${GITHUB_STEP_SUMMARY}"
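As an added example (not part of this issue or the repository's workflows), the following Python check shows the kind of baseline "completeness" test a pipeline can run itself, independent of sbomqs: it walks a CycloneDX JSON SBOM and reports which minimum-element fields (supplier, name, version, unique identifier, dependency relationship, SBOM author, timestamp) are missing. The sample SBOM is constructed, and the chosen field set is one reading of the minimum elements, not the tiger team's or sbomqs's scoring rules.

```python
import json

# Constructed sample CycloneDX 1.5 document (not a real SBOM): lib-a is
# complete, lib-b lacks a supplier, an identifier and a dependency entry.
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {
    "timestamp": "2024-05-01T12:00:00Z",
    "tools": [{"name": "example-generator", "version": "0.1"}],
    "component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}
  },
  "components": [
    {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
     "supplier": {"name": "Example Org"}, "purl": "pkg:pypi/lib-a@2.3.1"},
    {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9"}
  ],
  "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
                   {"ref": "lib-a", "dependsOn": []}]
}""")


def check_completeness(bom: dict) -> list[str]:
    """Return findings (empty when complete): timestamp and author/tool at top
    level; name, version, supplier, purl/cpe and dependency entry per component."""
    findings = []
    meta = bom.get("metadata", {})
    if not meta.get("timestamp"):
        findings.append("metadata: missing timestamp")
    if not (meta.get("tools") or meta.get("authors")):
        findings.append("metadata: missing author/tool")
    # Components that have a dependency entry (even an empty dependsOn list).
    declared = {d.get("ref") for d in bom.get("dependencies", [])}
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for field in ("name", "version"):
            if not comp.get(field):
                findings.append(f"{ref}: missing {field}")
        if not (comp.get("supplier") or {}).get("name"):
            findings.append(f"{ref}: missing supplier name")
        if not (comp.get("purl") or comp.get("cpe")):
            findings.append(f"{ref}: missing unique identifier (purl/cpe)")
        if ref not in declared:
            findings.append(f"{ref}: no dependency entry")
    return findings


def completeness_score(bom: dict) -> float:
    """Fraction of checks passed (2 top-level + 5 per component); 1.0 is complete."""
    n_checks = 2 + 5 * len(bom.get("components", []))
    return 1 - len(check_completeness(bom)) / n_checks
```

In a pipeline, a step would load each downloaded SBOM, run `check_completeness`, and fail the job (or post the findings to the step summary) when the score falls below an agreed threshold.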