anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0
5.83k stars 535 forks

Support for NTIA minimum elements for an SBOM #632

Open luhring opened 2 years ago

luhring commented 2 years ago

What would you like to be added:

Ensure that all SBOMs produced by Syft cover the NTIA's Minimum Elements For a Software Bill of Materials (SBOM).

Direct link to PDF: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

Why is this needed:

This set of minimum elements is an official recommendation to organizations producing SBOMs for the software they produce and consume. We should be sure that, when the need for this support is present, Syft is a great choice for users to produce compliant SBOMs.

Additional context:

It may be that Syft already does provide support for this. The goal of this ticket is to ensure that Syft does support these minimum elements, and once confirmed, advertise this information about Syft publicly, including on Syft's README.

Related Work

robinbryce commented 2 years ago

I was thinking about making a contribution here. If I added support for this, how likely is it to be accepted?

luhring commented 2 years ago

@robinbryce We'd love a contribution! A contribution is very likely to be accepted, once it gets through a code review and the CI checks pass. Check out our CONTRIBUTING.md for our expectations for code contributions. And let us know if you have any questions about anything, we'd be happy to guide you along the process.

robinbryce commented 2 years ago

excellent thanks!

hectorj2f commented 2 years ago

Yes, I started to investigate which properties are missing for cyclonedx:

I realized the supplier property is rarely fulfilled by SPDX or CycloneDX. I also opened a PR to add dependencies to the syft SBOM when generated.

samj1912 commented 2 years ago

Some of this for cyclonedx may be solved by #710

hectorj2f commented 2 years ago

Thanks @samj1912

spiffcs commented 2 years ago

Closed by mistake when merging a PR that had this issue attached. There are other follow-up PRs that will help us hit this goal.

wagoodman commented 1 year ago

A note for when this is picked up, take a look at NTIA compliance checker and sbom-scorecards for possible automated CI validations once this work is completed.

riteshnoronha commented 1 year ago

We work a lot with SBOMs and created a tool to help check the quality of the SBOMs we receive; we have open-sourced it here: sbomqs. NTIA minimum elements is currently our acceptance baseline, so we added a mode to this tool to quickly check if SBOMs are NTIA compliant: sbomqs score --dirpath syft-bench --category NTIA-minimum-elements. Using syft version 0.73.1, we ran a small benchmark using alpine:latest in SPDX & CDX; the results are here. Hope this helps.

SBOM Quality Score:7.1  components:17   syft-bench/syft-alpine.cdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Components have names          | 10.0/10.0 | 17/17 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 17/17 have unique ID's         |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/17 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 17/17 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T14:34:00-08:00      |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:7.1  components:17   syft-bench/syft-alpine.cdx.xml
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 17/17 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T14:34:00-08:00      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 17/17 have unique ID's         |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/17 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 17/17 have names               |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:8.6  components:16   syft-bench/syft-alpine.spdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 2 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 16/16 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 10.0/10.0 | doc has 100 relationships      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T22:34:01Z           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/16 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 16/16 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 16/16 have unique ID's         |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:8.6  components:16   syft-bench/syft-alpine.spdx.tv
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 2 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 16/16 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 10.0/10.0 | doc has 100 relationships      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T22:34:01Z           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/16 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 16/16 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 16/16 have unique ID's         |
+-----------------------+--------------------------------+-----------+--------------------------------+
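What sbomqs is scoring in the tables above can be reproduced in a short script. The following is an added example written for this page, not Syft's or sbomqs's code. It normalises either a CycloneDX JSON or an SPDX JSON document to the seven NTIA elements (name, version, supplier, unique identifier, author, timestamp, dependency relationships) and scores each as the fraction present times ten, averaged into one number. That scoring rule, the treatment of SPDX "NOASSERTION" as a missing supplier, and the two embedded sample documents (constructed to resemble Syft 0.73.1 output, not the benchmark files) are assumptions of the example.

```python
"""NTIA minimum-elements check for CycloneDX JSON and SPDX JSON SBOMs.

Added example for this thread, not Syft or sbomqs code. The scoring rule (fraction
present x 10 per feature, mean of the seven features) is an assumption that
mirrors the sbomqs table layout.
"""
import json
import sys

MISSING = {None, "", "NOASSERTION", "NONE"}  # values that do not satisfy an element


def detect_format(doc):
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def _components(doc, fmt):
    """Normalise each package to the four per-component NTIA elements."""
    if fmt == "cyclonedx":
        for c in doc.get("components", []):
            yield {"name": c.get("name"), "version": c.get("version"),
                   "supplier": (c.get("supplier") or {}).get("name"),
                   "unique_id": c.get("purl") or c.get("cpe") or c.get("bom-ref")}
    else:
        for p in doc.get("packages", []):
            purls = [r.get("referenceLocator") for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"]
            yield {"name": p.get("name"), "version": p.get("versionInfo"),
                   "supplier": p.get("supplier"),  # "NOASSERTION" is treated as missing
                   "unique_id": purls[0] if purls else p.get("SPDXID")}


def _document(doc, fmt):
    """The three document-level NTIA elements: author, timestamp, dependency relationships."""
    if fmt == "cyclonedx":
        meta = doc.get("metadata", {})
        tools = meta.get("tools") or []
        # CycloneDX 1.4 lists tools directly; 1.5 nests them under "components"
        tools = tools.get("components", []) if isinstance(tools, dict) else tools
        return {"authors": len(meta.get("authors") or []) + len(tools),
                "timestamp": meta.get("timestamp"),
                "relationships": sum(len(d.get("dependsOn", []))
                                     for d in doc.get("dependencies", []))}
    info = doc.get("creationInfo", {})
    return {"authors": len(info.get("creators") or []),
            "timestamp": info.get("created"),
            "relationships": len(doc.get("relationships") or [])}


def ntia_report(doc):
    fmt = detect_format(doc)
    comps = list(_components(doc, fmt))
    meta = _document(doc, fmt)

    def present(key):
        return sum(1 for c in comps if c[key] not in MISSING) / len(comps) if comps else 0.0

    features = {
        "Components have names": present("name"),
        "Components have uniq ids": present("unique_id"),
        "Components have supplier names": present("supplier"),
        "Components have versions": present("version"),
        "Doc has authors": 1.0 if meta["authors"] else 0.0,
        "Doc has relationships": 1.0 if meta["relationships"] else 0.0,
        "Doc has creation timestamp": 1.0 if meta["timestamp"] else 0.0,
    }
    return {"format": fmt, "components": len(comps),
            "scores": {k: round(v * 10, 1) for k, v in features.items()}}


def ntia_score(report):
    return round(sum(report["scores"].values()) / len(report["scores"]), 1)


# Constructed inputs shaped like Syft 0.73.1 output for alpine; not the benchmark files above.
SAMPLE_CDX = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"timestamp": "2023-02-24T14:34:00-08:00",
                 "tools": [{"vendor": "anchore", "name": "syft", "version": "0.73.1"}]},
    "components": [  # no per-component "supplier" and no "dependencies": the two 0/10 rows
        {"bom-ref": "musl-1", "type": "library", "name": "musl", "version": "1.2.3-r4",
         "purl": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64"},
        {"bom-ref": "busybox-1", "type": "library", "name": "busybox", "version": "1.35.0-r29",
         "purl": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64"}],
}
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "alpine",
    "creationInfo": {"created": "2023-02-24T22:34:01Z",
                     "creators": ["Organization: Anchore, Inc", "Tool: syft-0.73.1"]},
    "packages": [
        {"SPDXID": "SPDXRef-Package-apk-musl", "name": "musl", "versionInfo": "1.2.3-r4",
         "supplier": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
         "referenceType": "purl", "referenceLocator": "pkg:apk/alpine/musl@1.2.3-r4"}]}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-apk-musl"}],
}

if __name__ == "__main__":
    for doc in [json.load(open(p)) for p in sys.argv[1:]] or [SAMPLE_CDX, SAMPLE_SPDX]:
        rep = ntia_report(doc)
        print(f"{rep['format']}: score {ntia_score(rep)}, components {rep['components']}")
        for feature, score in rep["scores"].items():
            print(f"  {feature:31} {score:4.1f}/10.0")
```

Run it with no arguments to score the embedded samples, or pass SBOM files on the command line. The CycloneDX sample lands on the same 7.1 and the SPDX sample on the same 8.6 as the tables above, because the two gaps are the same: no supplier on any component, and no dependencies section in the CycloneDX output. Adding a supplier name to a component or a populated dependencies list is enough to move the corresponding row off 0.0, which is a cheap CI gate once the work in this issue lands.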
wagoodman commented 1 year ago

Something under the category of "known unknowns", which the NTIA minimum requirements encourage: today we don't catalog the contents of archives. It would be ideal to try to capture the list of archives as known unknowns.

In the known unknowns section it would be great to be able to capture the full partial type in that section (say a full package with a missing version) so that we can report out more than just "this file was partially parsed to a package: "

wagoodman commented 9 months ago

We should be checking that all package names are valid relative to the NTIA requirements regardless of the cataloger conclusions (we should do this late in processing and warn/drop accordingly). Relevant issue https://github.com/anchore/syft/issues/2038

wagoodman commented 9 months ago

From a conversation from gardening: we could have an NTIA compliant mode that will fill in unknown names and versions with a known "VALUE_MUST_BE_PROVIDED_MANUALLY" field (or similar) and outputs a warning / footer in the output to stderr that lets the user know that user input is required to complete the SBOM. This way there is still a package in the SBOM (instead of it being dropped for NTIA requirements) but lets the user fill out the fields that are left.
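The late validation pass sketched in the two comments above (check every package name and version after the catalogers have run, then warn and either drop the package or fill the field with a placeholder) could look like the following. This is an added example for this page rather than Syft code, written over CycloneDX-style component dicts; the mode names off/drop/fill, the is_valid_value rule and the sample component list are assumptions, while the placeholder string is the one suggested in the comment above.

```python
"""Late-stage NTIA name/version enforcement over catalogued packages.

Added example, not Syft code. Works on CycloneDX-style component dicts
("name", "version", optional "purl"/"bom-ref"); the mode names are assumptions.
"""
import sys

PLACEHOLDER = "VALUE_MUST_BE_PROVIDED_MANUALLY"
REQUIRED = ("name", "version")  # NTIA elements every component must carry


def is_valid_value(value):
    """Assumed rule: a usable value is a non-blank string that is not a leftover placeholder."""
    return isinstance(value, str) and value.strip() not in ("", PLACEHOLDER)


def enforce_ntia(components, mode="fill"):
    """Return (components, warnings) for mode 'off', 'drop' or 'fill'.

    off:  pass everything through (today's behaviour)
    drop: remove packages with an invalid name or version
    fill: keep them, substituting PLACEHOLDER so the reader can complete the SBOM
    Input dicts are never mutated.
    """
    if mode == "off":
        return list(components), []
    if mode not in ("drop", "fill"):
        raise ValueError(f"unknown mode {mode!r}")
    kept, warnings = [], []
    for comp in components:
        missing = [f for f in REQUIRED if not is_valid_value(comp.get(f))]
        if not missing:
            kept.append(comp)
            continue
        label = comp.get("purl") or comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        if mode == "drop":
            warnings.append(f"dropped {label}: missing {', '.join(missing)}")
            continue
        fixed = dict(comp, **{f: PLACEHOLDER for f in missing})
        kept.append(fixed)
        warnings.append(f"{label}: {', '.join(missing)} set to {PLACEHOLDER}")
    return kept, warnings


def print_footer(warnings, stream=sys.stderr):
    """Emit the per-package warnings plus a closing line on stderr so stdout stays a clean SBOM."""
    for w in warnings:
        print(f"[ntia] {w}", file=stream)
    if warnings:
        print(f"[ntia] {len(warnings)} package(s) need manual input before this SBOM "
              f"meets the NTIA minimum elements", file=stream)
    return len(warnings)


# Constructed sample: one complete package, one without a name, one without a version.
SAMPLE = [
    {"bom-ref": "musl-1", "name": "musl", "version": "1.2.3-r4",
     "purl": "pkg:apk/alpine/musl@1.2.3-r4"},
    {"bom-ref": "bin-1", "name": "   ", "version": "2.0.1"},   # binary with no recoverable name
    {"bom-ref": "bin-2", "name": "libfoo", "version": None},  # version could not be derived
]

if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "fill"
    out, warns = enforce_ntia(SAMPLE, mode)
    for comp in out:
        print(comp["name"], comp["version"])
    print_footer(warns)
```

Two design points worth keeping when this is done for real: the check treats a placeholder as still invalid, so a document that was "filled" and then fed back through the tool in drop mode loses exactly the packages a human never completed; and the warnings go to stderr with a counting footer, so a CI job can fail on a non-zero count while stdout remains a parseable SBOM.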

wagoodman commented 3 weeks ago

Summarizing an offline conversation (and some of the above threads): This work probably translates into doing at least the following tasks:

Getting a proposal for the configuration I think will drive a lot of this.