cnti-testcatalog / testsuite

šŸ“žšŸ“±ā˜ŽļøšŸ“”šŸŒ Cloud Native Telecom Initiative (CNTI) Test Catalog is a tool to check for and provide feedback on the use of K8s + cloud native best practices in networking applications and platforms
https://wiki.lfnetworking.org/display/LN/Test+Catalog
Apache License 2.0

[Workload] SECURITY test: sbom_available #1905

Open wvwatson opened 7 months ago

wvwatson commented 7 months ago

Title: [Workload] SECURITY test: sbom_available

Is your workload test idea related to a problem? Please describe.

Describe the solution you'd like

Type of test (static or runtime)


Documentation tasks:

QA tasks

Dev Review:

Peer review:

wvwatson commented 7 months ago

@CortezFrazierJr

wvwatson commented 6 months ago

To verify that an SBOM (Software Bill of Materials) is syntactically correct, you can use open-source projects that focus on SBOM validation and compliance. While the provided sources do not directly mention specific tools for SBOM syntax verification, they do highlight various tools and frameworks related to SBOMs. Here are some open-source projects and tools that can be used for SBOM validation, including syntax verification:

  1. SPDX Tools: The Software Package Data Exchange (SPDX) is a standard for communicating the components, licenses, and copyrights associated with software packages. Tools like spdx-tools can be used to validate SPDX documents, which are commonly used for SBOMs. SPDX provides a specification and tools for generating, validating, and analyzing SBOMs in various formats [1].

  2. CycloneDX Tools: CycloneDX is another SBOM format that provides a comprehensive specification for SBOMs. The cyclonedx-maven-plugin and other related tools can be used to generate and validate CycloneDX SBOMs. These tools ensure that the SBOMs adhere to the CycloneDX specification, which includes syntax verification [1].

  3. Syft: Syft is a tool developed by Anchore that can generate SBOMs from container images. While its primary function is to generate SBOMs, it can also be used to validate the syntax of SBOMs generated in formats like SPDX or CycloneDX by ensuring that the generated SBOMs conform to the expected standards [1].

  4. Tern: Tern is a tool for generating SBOMs for containers. It can be used to verify the syntax of SBOMs by ensuring that the generated SBOMs are correctly formatted and adhere to the standards of the SBOM format being used [1].

  5. SBOM Benchmark: While not a tool for direct syntax verification, the SBOM Benchmark mentioned in the sources can be used to evaluate SBOMs for quality, compliance, and errors. This can indirectly help in verifying the syntax correctness of SBOMs by identifying any issues that might affect their compliance [1].

These tools and projects can be used to verify the syntactical correctness of SBOMs by ensuring they adhere to the standards and specifications of the SBOM format being used. It's important to choose the right tool based on the SBOM format you are working with (e.g., SPDX, CycloneDX) to ensure accurate validation.

Citations:

[1] https://github.com/awesomeSBOM/awesome-sbom
[2] https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/
[3] https://github.com/CycloneDX/sbom-utility
[4] https://security.googleblog.com/2022/06/sbom-in-action-finding-vulnerabilities.html
[5] https://codesecure.com/learn/sbom-use-cases-and-why-binary-composition-analysis-matters/
[6] https://www.ntia.gov/sites/default/files/publications/howto_guide_for_sbom_generation_v1_0.pdf
[7] https://www.wiz.io/academy/top-open-source-sbom-tools
[8] https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF
[9] https://anchore.com/sbom/the-software-bill-of-materials-sbom-through-an-open-source-lens/
[10] https://medium.com/@interlynkblog/complying-with-nsa-sbom-recommendations-3274c0f67cab
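The comment above lists tools that validate an SBOM against its specification. A first-pass check of the kind an `sbom_available` test could start with is shown here as an added example for this thread; it is not code from the CNTI Test Catalog, nor from sbom-utility, spdx-tools, Syft or Tern. It uses only the Python standard library, so it is deliberately not a schema validation: it parses a JSON document, decides whether it is CycloneDX (`bomFormat`) or SPDX (`spdxVersion`), and checks the top-level fields each specification requires. The accepted version sets, the constructed sample documents, and all function names (`validate_sbom`, `detect_format`, `check_cyclonedx`, `check_spdx`) are assumptions of this example; a real test would hand a document that passes here to one of the schema validators named in the comment.

```python
"""Minimal structural check for an SBOM document in CycloneDX JSON or SPDX JSON.

Added example for this issue thread, not CNTI Test Catalog code. Standard
library only, so this is a format-detection and required-field check, not a
full JSON-schema validation (use sbom-utility / spdx-tools for that).
"""
from __future__ import annotations

import json
from typing import Any

# Spec versions this check accepts (assumption: enough for a first pass).
CYCLONEDX_VERSIONS = {"1.2", "1.3", "1.4", "1.5", "1.6"}
SPDX_VERSIONS = {"SPDX-2.2", "SPDX-2.3"}


def detect_format(doc: dict[str, Any]) -> str | None:
    """Return 'cyclonedx', 'spdx', or None when neither marker field is present."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if isinstance(doc.get("spdxVersion"), str):
        return "spdx"
    return None


def check_cyclonedx(doc: dict[str, Any]) -> list[str]:
    """CycloneDX: specVersion must be known; every component needs type and name."""
    errors: list[str] = []
    if doc.get("specVersion") not in CYCLONEDX_VERSIONS:
        errors.append(f"unsupported or missing specVersion: {doc.get('specVersion')!r}")
    components = doc.get("components", [])
    if not isinstance(components, list):
        return errors + ["components must be an array"]
    for i, comp in enumerate(components):
        if not isinstance(comp, dict):
            errors.append(f"components[{i}] is not an object")
            continue
        for field in ("type", "name"):
            if not comp.get(field):
                errors.append(f"components[{i}] missing required field {field!r}")
    return errors


def check_spdx(doc: dict[str, Any]) -> list[str]:
    """SPDX 2.x JSON: document-level required fields; every package needs name and SPDXID."""
    errors: list[str] = []
    if doc.get("spdxVersion") not in SPDX_VERSIONS:
        errors.append(f"unsupported spdxVersion: {doc.get('spdxVersion')!r}")
    if doc.get("SPDXID") != "SPDXRef-DOCUMENT":
        errors.append("SPDXID must be 'SPDXRef-DOCUMENT'")
    if doc.get("dataLicense") != "CC0-1.0":
        errors.append("dataLicense must be 'CC0-1.0'")
    for field in ("name", "documentNamespace", "creationInfo"):
        if field not in doc:
            errors.append(f"missing required document field {field!r}")
    packages = doc.get("packages", [])
    if not isinstance(packages, list):
        return errors + ["packages must be an array"]
    for i, pkg in enumerate(packages):
        if not isinstance(pkg, dict):
            errors.append(f"packages[{i}] is not an object")
            continue
        for field in ("name", "SPDXID"):
            if not pkg.get(field):
                errors.append(f"packages[{i}] missing required field {field!r}")
    return errors


def validate_sbom(text: str) -> tuple[str | None, list[str]]:
    """Parse text as JSON, detect the SBOM format, return (format, errors).

    An empty error list means the document passed these structural checks;
    a None format means it is not recognisable as an SBOM at all.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return None, ["top-level JSON value must be an object"]
    fmt = detect_format(doc)
    if fmt == "cyclonedx":
        return fmt, check_cyclonedx(doc)
    if fmt == "spdx":
        return fmt, check_spdx(doc)
    return None, ["neither a CycloneDX (bomFormat) nor an SPDX (spdxVersion) document"]


# Constructed sample documents for the demo; not SBOMs of any real workload.
CYCLONEDX_OK = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [{"type": "library", "name": "libssl", "version": "3.0.13"}],
})
CYCLONEDX_BAD = json.dumps({          # component is missing its name
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [{"type": "library"}],
})
SPDX_OK = json.dumps({
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-cnf", "documentNamespace": "https://example.invalid/sbom/example-cnf",
    "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
    "packages": [{"name": "busybox", "SPDXID": "SPDXRef-Package-busybox"}],
})

if __name__ == "__main__":
    for label, text in (("cyclonedx-ok", CYCLONEDX_OK), ("cyclonedx-bad", CYCLONEDX_BAD),
                        ("spdx-ok", SPDX_OK), ("garbage", "{not json")):
        fmt, errors = validate_sbom(text)
        print(f"{label}: format={fmt} errors={errors}")
```

The split between "not an SBOM at all" (format `None`) and "an SBOM with defects" (format set, errors non-empty) matters for a test catalog: the first should fail an availability check, the second should fail a syntax check, and reporting them the same way hides which one the workload author needs to fix.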