CycloneDX / cyclonedx-dotnet

Creates CycloneDX Software Bill of Materials (SBOM) from .NET Projects
https://cyclonedx.org/
Apache License 2.0

Missing components supplier #770

Closed shaeussler closed 11 months ago

shaeussler commented 1 year ago

Running the tool https://github.com/interlynk-io/sbomqs on the cyclonedx-dotnet sbom:

docker run -v $(pwd)/bom.json:/app/inputfile ghcr.io/interlynk-io/sbomqs score -j /app/inputfile > score.json

In the category "NTIA-minimum-elements" for the feature "comp_with_supplier" the score is 0.

https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

Supplier refers to the originator or manufacturer of the software component

score.json:

{
  "run_id": "1e63a62f-11ad-4c49-b65f-a256f08880ba",
  "timestamp": "2023-10-30T07:20:26Z",
  "creation_info": {
    "name": "sbomqs",
    "version": "v0.0.24",
    "scoring_engine_version": "5"
  },
  "files": [
    {
      "file_name": "/app/inputfile",
      "spec": "cyclonedx",
      "spec_version": "1.4",
      "file_format": "json",
      "avg_score": 8.06181818181818,
      "num_components": 125,
      "creation_time": "2023-10-01T18:32:38Z",
      "gen_tool_name": "CycloneDX module for .NET",
      "gen_tool_version": "2.9.0.0",
      "scores": [
        {
          "category": "Structural",
          "feature": "sbom_spec",
          "score": 10,
          "max_score": 10,
          "description": "provided sbom is in a supported sbom format of spdx,cyclonedx",
          "ignored": false
        },
        {
          "category": "Structural",
          "feature": "sbom_spec_version",
          "score": 10,
          "max_score": 10,
          "description": "provided sbom should be in supported spec version for spec:1.4 and versions: 1.0,1.1,1.2,1.3,1.4",
          "ignored": false
        },
        {
          "category": "Structural",
          "feature": "sbom_spec_file_format",
          "score": 10,
          "max_score": 10,
          "description": "provided sbom should be in supported file format for spec: json and version: json,xml",
          "ignored": false
        },
        {
          "category": "Structural",
          "feature": "sbom_parsable",
          "score": 10,
          "max_score": 10,
          "description": "provided sbom is parsable",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "comp_with_supplier",
          "score": 0,
          "max_score": 10,
          "description": "0/125 have supplier names",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "comp_with_name",
          "score": 10,
          "max_score": 10,
          "description": "125/125 have names",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "comp_with_version",
          "score": 10,
          "max_score": 10,
          "description": "125/125 have versions",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "comp_with_uniq_ids",
          "score": 10,
          "max_score": 10,
          "description": "125/125 have unique ID's",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "sbom_dependencies",
          "score": 10,
          "max_score": 10,
          "description": "doc has 481 relationships ",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "sbom_authors",
          "score": 10,
          "max_score": 10,
          "description": "doc has 1 authors",
          "ignored": false
        },
        {
          "category": "NTIA-minimum-elements",
          "feature": "sbom_creation_timestamp",
          "score": 10,
          "max_score": 10,
          "description": "doc has creation timestamp 2023-10-01T18:32:38Z",
          "ignored": false
        },
        {
          "category": "Semantic",
          "feature": "sbom_required_fields",
          "score": 10,
          "max_score": 10,
          "description": "Doc Fields:true Pkg Fields:true",
          "ignored": false
        },
        {
          "category": "Semantic",
          "feature": "comp_with_licenses",
          "score": 3.76,
          "max_score": 10,
          "description": "47/125 have licenses",
          "ignored": false
        },
        {
          "category": "Semantic",
          "feature": "comp_with_checksums",
          "score": 9.92,
          "max_score": 10,
          "description": "124/125 have checksums",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_valid_licenses",
          "score": 3.76,
          "max_score": 10,
          "description": "47/125 components with valid license ",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_with_primary_purpose",
          "score": 10,
          "max_score": 10,
          "description": "125/125 components have primary purpose specified",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_with_deprecated_licenses",
          "score": 10,
          "max_score": 10,
          "description": "0/125 components have deprecated licenses",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_with_restrictive_licenses",
          "score": 10,
          "max_score": 10,
          "description": "0/125 components have restricted licenses",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_with_any_vuln_lookup_id",
          "score": 9.92,
          "max_score": 10,
          "description": "124/125 components have any lookup id",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "comp_with_multi_vuln_lookup_id",
          "score": 0,
          "max_score": 10,
          "description": "0/125 components have multiple lookup id",
          "ignored": false
        },
        {
          "category": "Quality",
          "feature": "sbom_with_creator_and_version",
          "score": 10,
          "max_score": 10,
          "description": "1/1 tools have creator and version",
          "ignored": false
        },
        {
          "category": "Sharing",
          "feature": "sbom_sharable",
          "score": 0,
          "max_score": 10,
          "description": "doc has a sharable license free 0 :: of 0",
          "ignored": false
        }
      ]
    }
  ]
}

mtsfoni commented 1 year ago

Supplier refers to the originator or manufacturer of the software component

That's basically what we put as author. I think NuGet doesn't differentiate between those two.

The standard says: Author: The person(s) or organization(s) that authored the component

Supplier: The organization that supplied the component. The supplier may often be the manufacturer, but may also be a distributor or repackager.

After quickly skimming the NTIA doc, it appears that a component author is not a thing there. So possible solutions could be to simply copy the Author to the Supplier field or make a switch to fill Supplier instead of Author.

I will later check what the TR-03183 says about it. I think it would be preferable if we can comply with all regulations without the need for switches.
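The two points raised so far, the sbomqs "comp_with_supplier" ratio reported in the first comment and the proposed workaround of copying a component's author into its supplier, can both be checked on a BOM directly. The script below is an added example written for this thread; it is not code from cyclonedx-dotnet or from sbomqs. It reads a CycloneDX 1.4 JSON document, counts components whose `supplier.name` is set, derives a 0..10 score the same way the ratios on this page work out (47/125 gives 3.76, 124/125 gives 9.92; that this is exactly how sbomqs computes it is an assumption), and produces a post-processed copy in which `author` is mapped to `supplier: {"name": ...}` wherever no supplier was present. The sample BOM and its component names are constructed for the example.

```python
"""Check and back-fill the component supplier field in a CycloneDX 1.4 JSON BOM.

Added example for this issue thread; not cyclonedx-dotnet or sbomqs code.
"""
import copy
import json
from typing import Any

# Constructed sample BOM (not produced by cyclonedx-dotnet): three components,
# one with an explicit supplier, one with only an author, one with neither.
SAMPLE_BOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "Example.Lib.A", "version": "1.0.0",
     "author": "Example Authors", "purl": "pkg:nuget/Example.Lib.A@1.0.0"},
    {"type": "library", "name": "Example.Lib.B", "version": "2.3.1",
     "author": "Another Author", "supplier": {"name": "Example Distributor"},
     "purl": "pkg:nuget/Example.Lib.B@2.3.1"},
    {"type": "library", "name": "Example.Lib.C", "version": "0.9.0",
     "purl": "pkg:nuget/Example.Lib.C@0.9.0"}
  ]
}"""


def load_bom(text: str) -> dict[str, Any]:
    """Parse a CycloneDX JSON document into a dict."""
    return json.loads(text)


def _has_supplier(component: dict[str, Any]) -> bool:
    # In CycloneDX JSON `supplier` is an organizationalEntity object; the NTIA
    # element is the supplier *name*, so only a non-empty name counts.
    supplier = component.get("supplier")
    return isinstance(supplier, dict) and bool((supplier.get("name") or "").strip())


def components_with_supplier(bom: dict[str, Any]) -> tuple[int, int]:
    """Return (components naming a supplier, total components)."""
    comps = bom.get("components", [])
    return sum(1 for c in comps if _has_supplier(c)), len(comps)


def supplier_score(bom: dict[str, Any]) -> float:
    """Proportion of components with a supplier, scaled to 0..10 and rounded
    to two decimals (assumed to match how sbomqs reports e.g. 47/125 -> 3.76)."""
    n, total = components_with_supplier(bom)
    return 0.0 if total == 0 else round(10 * n / total, 2)


def fill_supplier_from_author(bom: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the BOM where each component that lacks a supplier but
    carries an `author` string gets `supplier: {"name": <author>}`.

    This is the post-hoc workaround discussed in the thread (CycloneDX author
    ~= NTIA supplier); it is not a cyclonedx-dotnet feature. Existing suppliers
    are never overwritten and the input BOM is left unmodified.
    """
    out = copy.deepcopy(bom)
    for c in out.get("components", []):
        author = (c.get("author") or "").strip()
        if not _has_supplier(c) and author:
            c["supplier"] = {"name": author}
    return out


def components_missing_supplier(bom: dict[str, Any]) -> list[str]:
    """Names of components that still have no supplier, for manual follow-up."""
    return [c.get("name", "<unnamed>") for c in bom.get("components", [])
            if not _has_supplier(c)]


if __name__ == "__main__":
    bom = load_bom(SAMPLE_BOM_JSON)
    print("before:", components_with_supplier(bom), supplier_score(bom))
    filled = fill_supplier_from_author(bom)
    print("after: ", components_with_supplier(filled), supplier_score(filled))
    print("still missing:", components_missing_supplier(filled))
```

Components that have neither field (Example.Lib.C above) are deliberately left alone and listed rather than given a placeholder, since a made-up supplier name would satisfy the scorer without saying anything true about provenance.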

mtsfoni commented 11 months ago

The definition of the author in the CycloneDX standard mostly fits the definition of a supplier in the NTIA document.

Thus, the CycloneDX dotnet tool does supply the requested value. It's just called "author" here. This is in compliance with the CycloneDX standard.

shaeussler commented 11 months ago

@CodeTigerCloud Thanks for the help and the answer