Open LungTim opened 2 months ago
@LungTim, thanks for your suggestion. Are you talking about sbomqs or sbomasm?
Hey @LungTim, a good catch, as you mentioned on point 3. I have fixed this one in this PR. And the components only include dependencies of type "depends on". Here is how it looks: Apart from that, it would be great if you could provide your manifest for testing to make sure it works correctly.
BSI TR-03183-2 v1.1 Compliance Report
Compliance score by Interlynk Score:4.8 RequiredScore:5.4 OptionalScore:4.2 for /home/linuzz/sbom/sbomqs-cyclonedx-gomod.json
* indicates optional fields
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| ELEMENTID | SECTION | DATAFIELD | ELEMENT RESULT | SCORE |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/anchore/go-struct-converter | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/anchore/go-struct-converter | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.0.0-20230627203149-c72ef8859ca9 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | e823a95d6a476e158cd7081c40df794ddb26acb4db6bc2907cf8089815f39230 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/anchore/go-struct-converter | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/anchore/go-struct-converter@v0.0.0-20230627203149-c72ef8859ca9?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/sync | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/sync | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.7.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 62c2267d20683fd40f60bd31c8a24fab481c689746deb227a2ac5359b7d0bbd3 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/sync@v0.7.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/common-nighthawk/go-figure | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/common-nighthawk/go-figure | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.0.0-20210622060536-734e95fb86be | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 27904bda4b2402557d724804b0d417b1c8c868b88e62267be5de1ef7813a75c4 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/common-nighthawk/go-figure | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/common-nighthawk/go-figure@v0.0.0-20210622060536-734e95fb86be?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| sigs.k8s.io/yaml | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | sigs.k8s.io/yaml | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.4.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 324d7009cda0cbf1744c71f44c0a75418c89373466d8a08bcb7a390125d52391 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/sigs.k8s.io/yaml@v1.4.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/spdx/tools-golang | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/spdx/tools-golang | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.5.5 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/anchore/go-struct-converter, | 5.0 |
| | | components | github.com/spdx/gordf, sigs.k8s.io/yaml | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | eb573428b7c070da808e583a50d31d930a4c7ab9e1c37cd54700d9db1f573a69 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/spdx/tools-golang | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/spdx/tools-golang@v0.5.5?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/tools | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/tools | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.22.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/mod, | 5.0 |
| | | components | golang.org/x/sync, | |
| | | | golang.org/x/sys | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 82a4862d9aaff8023d9484339e22749d90d11b91813ec4a2f8344d1d6373eb20 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/tools@v0.22.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/google/uuid | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/google/uuid | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.6.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 348bda24330eb231c0f27d630212d2833ac0cf2d4782bfa136b6f9edefbde05d | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/google/uuid | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/google/uuid@v1.6.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/mattn/go-runewidth | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/mattn/go-runewidth | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.0.15 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/rivo/uniseg | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 50d023c1b53d979e130372b3bea2c6c705a31e63200545610624e37a56608375 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/mattn/go-runewidth | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/mattn/go-runewidth@v0.0.15?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/spf13/pflag | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/spf13/pflag | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.0.5 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 8b2f951543823f56bef3216da3f76b836089e6ed3246807b7d9c370cabff2570 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/spf13/pflag | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/spf13/pflag@v1.0.5?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| sbom | 4 | specification | cyclonedx | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 4 | specification version | 1.5 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.1 | build process | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.1 | depth | doc has 15 dependencies | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.1 | creator of sbom | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.1 | timestamp | 2024-09-01T11:12:11+05:30 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.1* | SBOM-URI | urn:uuid:36744bcf-0c34-40dc-b0d6-438952e8b643/1 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | components | present | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/package-url/packageurl-go | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/package-url/packageurl-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.1.3 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | e23b8c103de11e2cf4b1eb7756adca790ef9283d5abed8685cbb661372343cbb | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/package-url/packageurl-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/package-url/packageurl-go@v0.1.3?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/inconshreveable/mousetrap | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/inconshreveable/mousetrap | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.1.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | c0dfb1e0d546a4cb0eec4ad49ff994237bc4a04e89b75dd7dacd1bab0a7db5cf | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/inconshreveable/mousetrap | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/inconshreveable/mousetrap@v1.1.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/Masterminds/semver/v3 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/Masterminds/semver/v3 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v3.2.1 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 44df70ebeed0a0c789546c9f99b720b36f01afc72f9a7b9c1179d8d2b6175a0d | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/Masterminds/semver | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/Masterminds/semver/v3@v3.2.1?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/rivo/uniseg | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/rivo/uniseg | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.4.7 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 59476f916f2e121ad87cb0b8673769236cedc4fd48e7cdbee3d39ce4cabae154 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/rivo/uniseg | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/rivo/uniseg@v0.4.7?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/cloudflare/circl | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/cloudflare/circl | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.3.9 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/crypto, | 5.0 |
| | | components | golang.org/x/sys | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 405ae580561fd90a62f1b4a954f2b51c1bd6a71d7abffd53662bf2a3ba46b811 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/cloudflare/circl | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/cloudflare/circl@v1.3.9?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| sigs.k8s.io/release-utils | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | sigs.k8s.io/release-utils | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.8.3 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/Masterminds/semver/v3, | 5.0 |
| | | components | github.com/common-nighthawk/go-figure, | |
| | | | github.com/inconshreveable/mousetrap, | |
| | | | github.com/maxbrunsfeld/counterfeiter/v6, | |
| | | | github.com/spf13/cobra, | |
| | | | github.com/spf13/pflag, golang.org/x/mod, | |
| | | | golang.org/x/sync, golang.org/x/sys, | |
| | | | golang.org/x/text, golang.org/x/tools | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 2ad3ad038a839b3272790db3903b05548db9f8d562c26b3fa3978bd8d7ed15d0 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/sigs.k8s.io/release-utils@v0.8.3?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/oauth2 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/oauth2 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.21.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | b6c8a633be70d6d17fbb0b39adb787cc85b112a12531e86773e896efddf3b19b | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/oauth2@v0.21.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/google/go-querystring | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/google/go-querystring | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.1.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 0270aba21ddfbf864181521fd48c2da2f8236b0fc688a268f0cf320ff7e1c89f | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/google/go-querystring | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/google/go-querystring@v1.1.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/spdx/gordf | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/spdx/gordf | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.0.0-20221230105357-b735bd5aac89 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 740ae433067b31fd89894f0e7dd9aa22ff106874f8a3289f2c87b5521b05d526 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/spdx/gordf | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/spdx/gordf@v0.0.0-20221230105357-b735bd5aac89?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| gopkg.in/yaml.v2 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | gopkg.in/yaml.v2 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v2.4.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 0fcc60c04098ec262fc7e6369f8b01cfddc99fd251bf1762cb2a3c0937ee29a6 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/go-yaml/yaml | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/gopkg.in/yaml.v2@v2.4.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/CycloneDX/cyclonedx-go | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/CycloneDX/cyclonedx-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.9.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 8a76a27fba83f1b8afcb1a7b5cb831518b4e5d6b437b3efe8fbdaa2933104dbf | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/CycloneDX/cyclonedx-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/CycloneDX/cyclonedx-go@v0.9.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| go.uber.org/multierr | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | go.uber.org/multierr | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.11.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 6e55d72644b14927c1541942efaa71a9e3be2cddda0df2d0a3edf4f7126cb4ed | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/go.uber.org/multierr@v1.11.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/maxbrunsfeld/counterfeiter/v6 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/maxbrunsfeld/counterfeiter/v6 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v6.8.1 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/mod, | 5.0 |
| | | components | golang.org/x/text, | |
| | | | golang.org/x/tools | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 362726aeec647aa1e30efd3749f4b1aa668bba2b1d76e75f3f7879c1d5c56e13 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/maxbrunsfeld/counterfeiter | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/maxbrunsfeld/counterfeiter/v6@v6.8.1?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/crypto | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/crypto | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.24.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/sys, | 5.0 |
| | | components | golang.org/x/text | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 9a797c0ccd28e75dd7f1f748926c8513fe614d8c5bc183a30d2ffeacaeaaa512 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/crypto@v0.24.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/interlynk-io/sbomqs | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/interlynk-io/sbomqs | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.0.1-0.20240806165718-6099e923b043 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/CycloneDX/cyclonedx-go, | 5.0 |
| | | components | github.com/DependencyTrack/client-go, | |
| | | | github.com/Masterminds/semver/v3, | |
| | | | github.com/github/go-spdx/v2, | |
| | | | github.com/google/go-github/v52, | |
| | | | github.com/google/uuid, | |
| | | | github.com/maxbrunsfeld/counterfeiter/v6, | |
| | | | github.com/olekukonko/tablewriter, | |
| | | | github.com/package-url/packageurl-go, | |
| | | | github.com/samber/lo, | |
| | | | github.com/spdx/tools-golang, | |
| | | | github.com/spf13/cobra, | |
| | | | go.uber.org/zap, gopkg.in/yaml.v2, | |
| | | | sigs.k8s.io/release-utils | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | | 0.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/interlynk-io/sbomqs | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/interlynk-io/sbomqs@v1.0.1-0.20240806165718-6099e923b043?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/text | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/text | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.16.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/mod, | 5.0 |
| | | components | golang.org/x/sync, | |
| | | | golang.org/x/tools | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 6bde04c6711736d13060b1894885319d6a31a11cff65c0ac57add13aea482e1e | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/text@v0.16.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/spf13/cobra | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/spf13/cobra | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.8.1 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/inconshreveable/mousetrap, | 5.0 |
| | | components | github.com/spf13/pflag | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 7b9fefc4a77fad9b1f4893145f56a0b637930dffaabf5fc974117c820e64f593 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/spf13/cobra | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/spf13/cobra@v1.8.1?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/samber/lo | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/samber/lo | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.46.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/text | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | c3c1bea1a08f833d4fa02273b6aca608568ac17b7ee5c0979f9d6e3f113115f4 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/samber/lo | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/samber/lo@v1.46.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/ProtonMail/go-crypto | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/ProtonMail/go-crypto | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.0.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/cloudflare/circl, | 5.0 |
| | | components | golang.org/x/crypto | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 2d1baf2138d0597f9621fafddf46071b61cd7e3475b8e7f27f9bc4d240b653bf | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/ProtonMail/go-crypto | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/ProtonMail/go-crypto@v1.0.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/google/go-github/v52 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/google/go-github/v52 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v52.0.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/ProtonMail/go-crypto, | 5.0 |
| | | components | github.com/cloudflare/circl, | |
| | | | github.com/google/go-querystring, | |
| | | | golang.org/x/crypto, | |
| | | | golang.org/x/oauth2, | |
| | | | golang.org/x/sys | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | bb2196398fa3310f06546497f1d912c02ce57a153759f77143b1b078efc93fb3 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/google/go-github | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/google/go-github/v52@v52.0.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/olekukonko/tablewriter | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/olekukonko/tablewriter | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.0.5 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/mattn/go-runewidth | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 3f619af370f7e308b5a3d27a5a1d6646ea9de2617fc7f960052ecdec06c385e7 | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/olekukonko/tablewriter | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/olekukonko/tablewriter@v0.0.5?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/DependencyTrack/client-go | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/DependencyTrack/client-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.13.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | github.com/google/uuid | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | c364efb9dac16e006d4b6a0c6e2b1fa3d02fe2b2674b583d56c742a59e8f53ff | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/DependencyTrack/client-go | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/DependencyTrack/client-go@v0.13.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| go.uber.org/zap | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | go.uber.org/zap | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v1.27.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | go.uber.org/multierr | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 689321606adde504a69692ccaf631fb512a5eedf09f0f4d93c0ef7dae77f5d1f | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/go.uber.org/zap@v1.27.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/mod | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/mod | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.18.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | golang.org/x/tools | 5.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | e7ef6549b1333d2756907df6bd83c1c04a57f0ac036cce7651df71054bcd95bd | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/mod@v0.18.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| golang.org/x/sys | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | golang.org/x/sys | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v0.21.0 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | ac5fa9633dc300649003102ed426c2edc6ad660e1e6c2e1421e2212b1059bf0b | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/golang.org/x/sys@v0.21.0?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| github.com/github/go-spdx/v2 | 5.2.2 | component creator | | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component name | github.com/github/go-spdx/v2 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | component version | v2.3.1 | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | License | not-compliant | 0.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Dependencies on other | no-relationships | 0.0 |
| | | components | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.2.2 | Hash value of the executable | 7df1ae1d36c7b87cd63ede779fc7fda3c7251aeb6e2cf39ba37cc1e09023c54f | 10.0 |
| | | component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Source code URI | https://github.com/github/go-spdx | 10.0 |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | URI of the executable form of | | 0.0 |
| | | the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
+ +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Other unique identifiers | pkg:golang/github.com/github/go-spdx/v2@v2.3.1?type=module&goos=linux&goarch=amd64 | 10.0 |
+------------------------------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
Hi @viveksahu26 thx for your reply. I did some research, tried a few tools for further processing, had a few calls etc. Long story short, as there is only the (very comprehensive) OWASP directives (https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf) and no explicit "BSI" examples, the structure should be as in the example I provide in this post. It is not a real world example and I created it just as an example, but it is based on real world stuff.
The thing is, the general infos can be created easily (i.e. the metadata in cyclonedx). But as soon as it gets to the components it becomes tricky.
The required linking (binary and source references incl. hashes) is straight forward BUT it could be solved in a different way. For example: the hashes can be linked using the "externalReferences" (which have to be included anyways, as chapter 5.3.2 demands it.
BUT the hashes of the component can be put as "hashes" entry outside of "externalReferences" and the sources can be linked as encapsulated component:
```json
{
  "type": "application",
  "bom-ref": "com:iris:cra:mightyproduct:os:component:acl",
  "supplier": { "url": [ "http://acl.bestbits.at/" ] },
  "name": "acl",
  "version": "2.2.51",
  "scope": "required",
  "purl": "pkg:rpm/centos//acl@2.2.51-14.el7?arch=x86_64&distro=centos-7.6.1810",
  "cpe": "cpe:/a:acl_project:acl:2.2.51",
  "licenses": [ { "license": { "id": "GPL-2.0+" } } ],
  "externalReferences": [
    {
      "type": "vcs",
      "url": "https://svn.tz.bentoosiris.corp/svn/bsdk/branches/tolkRiguSad/RPM_Gen/CentOS/Version_7.6.1810/src.rpm/acl-2.2.51-14.el7.src.rpm",
      "hashes": [
        { "alg": "SHA-256", "content": "8e6792bf24feb8fb5d6717178be9f8e40194d2ec7cea55497964449dbbec157c" },
        { "alg": "SHA-384", "content": "ae99c915e22b8ceac72c2d37f0643cc9af790e9900d00925baabbf6f395f6a0b3c1b2bb1221eac52bcafeb2266897d0f" }
      ]
    },
    {
      "type": "distribution",
      "url": "https://svn.tz.bentoosiris.corp/svn/bsdk/branches/tolkRiguSad/SystemSetUp/Repository/Repo/Packages/acl-2.2.51-14.el7.x86_64.rpm",
      "hashes": [
        { "alg": "SHA-256", "content": "53edbe2fce2c6626fe08a3debdb46b91107dbce49d0dce7d5c29de3296ffc4cb" },
        { "alg": "SHA-384", "content": "2bb6d8cf5cc51d992f5992af030da80ab166ebaeffec2237bdbdeea52c35ed183a575845fbb848093b76a5f074c5679a" }
      ]
    }
  ]
}
```
versus
```json
{
  "type": "application",
  "bom-ref": "com:iris:cra:mightyproduct:os:component:acl",
  "supplier": { "url": [ "http://acl.bestbits.at/" ] },
  "name": "acl",
  "version": "2.2.51",
  "scope": "required",
  "hashes": [
    { "alg": "SHA-256", "content": "53edbe2fce2c6626fe08a3debdb46b91107dbce49d0dce7d5c29de3296ffc4cb" },
    { "alg": "SHA-384", "content": "2bb6d8cf5cc51d992f5992af030da80ab166ebaeffec2237bdbdeea52c35ed183a575845fbb848093b76a5f074c5679a" }
  ],
  "purl": "pkg:rpm/centos//acl@2.2.51-14.el7?arch=x86_64&distro=centos-7.6.1810",
  "cpe": "cpe:/a:acl_project:acl:2.2.51",
  "licenses": [ { "license": { "id": "GPL-2.0+" } } ],
  "components": [
    {
      "type": "data",
      "hashes": [
        { "alg": "SHA-256", "content": "53edbe2fce2c6626fe08a3debdb46b91107dbce49d0dce7d5c29de3296ffc4cb" },
        { "alg": "SHA-384", "content": "2bb6d8cf5cc51d992f5992af030da80ab166ebaeffec2237bdbdeea52c35ed183a575845fbb848093b76a5f074c5679a" }
      ],
      "data": [ { "type": "source-code" } ]
    }
  ],
  "externalReferences": [
    {
      "type": "vcs",
      "url": "https://svn.tz.bentoosiris.corp/svn/bsdk/branches/tolkRiguSad/RPM_Gen/CentOS/Version_7.6.1810/src.rpm/acl-2.2.51-14.el7.src.rpm"
    },
    {
      "type": "distribution",
      "url": "https://svn.tz.bentoosiris.corp/svn/bsdk/branches/tolkRiguSad/SystemSetUp/Repository/Repo/Packages/acl-2.2.51-14.el7.x86_64.rpm"
    }
  ]
}
```
should have the same meaning / compliance rating.
As stated in my first post, the next issue is the dependencies. The BSI TR describes this as "Full SBOM" (including all transitive dependencies). The OWASP guide states that the dependsOn is then empty (which makes complete sense: when I start writing code, the source code file is the root document without any further dependencies. Over time, the deps COULD become more when I start linking libraries. But once I start linking, this deps graph also has a root... so at any point there will be an empty dependsOn and this would still be legal). The CycloneDX format would also offer to use "compositions" where the completeness can be flagged. Whether this is a good alternative is hard to tell (as no concrete examples for the TR requirements are given). But using this method crashes the "sbomqs" app.
In the end, the format is very complex and offers even more ways to fulfill the requirements imho, but having at least one established way is helpful. sbom.json
@LungTim What I understand from this: you are still getting "unattested-has-relationships" for the primary component "centos", in spite of it having 3 dependencies, "acl", "glibc-common", "openssh-server". That's your issue, right?
@viveksahu26 yes, I get "unattested-has-relationships"; that is issue No. 1. I see the changes in your pull request, so I guess I am doing something wrong (I'm not a developer, so I will wait for a new release of sbomqs and verify then). The second issue is that the source code hashes are not "accepted". So I receive a

```
+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------------------+-------+
| | 5.3.2* | Hash value of the source code | | 0.0 |
| | | of the component | | |
```
Which is irritating, but in the source code and in the docs of sbomqs it reads that the source code hash is undefined for the CycloneDX format.
So, I got your point regarding the relationship one. You will see those changes in the next release, but before that I would like to share what you will see. So,
included-in
.included-in, uuid, cobra
@riteshnoronha, what are your thoughts on this? And this will be implemented in all compliances: bsi, oct, ntia, fsct. The only diff will be in scoring, as fsct has a different score on the basis of maturity level.
@LungTim And regarding the hash one, 5.3.2 (Hash value of the source code of the component) only cares about the hash of the component, not of any external references. So, if a component has a hash, don't include it under `component.externalReference.hashes`; instead include it under `component.hashes` in the SBOM.
I noticed three things: 1) The required "Source Hash" is "undefined" for CycloneDX SBOMs. I'd suggest adding "hashes" to a detected "externalReferences" such as:
```json
"externalReferences": [
  {
    "type": "vcs",
    "url": "https://URL/artifact",
    "hashes": [ { "alg": "SHA-256", "content": "123aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaddd" } ]
  }
]
```
2) The usage of "compositions" (see https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf page 60) causes an exception as soon as "assemblies" are used, e.g.:

```json
"compositions": [
  {
    "aggregate": "complete",
    "assemblies": [ "com:product:system:subsystem:component:componentname" ]
  }
]
```
3) The BSI document states in 6.1.5 that the dependencies must cover all components. As every component must again trace all dependencies, the final component(s) would require an empty "dependsOn" and this should be valid. But even if this chain of dependencies is included, the compliance reporter returns "5.0 unattested-has-relationships" overall and a "0.0 no-relationships" for each empty "dependsOn". How could this be resolved as full compliance if there cannot be any more dependencies?
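The two hash placements argued over in this thread (`component.hashes` versus hashes on a vcs `externalReferences` entry or on a nested data component) and the empty-`dependsOn` leaf question from point 3, checked over a small constructed CycloneDX fragment. This is an added Python example, not sbomqs code; every bom-ref, URL and hash value in it is made up.

```python
import json

# Constructed CycloneDX 1.5 fragment modelled on the thread's examples (refs,
# URLs and hash values are made up): "acl" carries the executable hash under
# component.hashes and the source hash on its vcs externalReference; "glibc"
# has neither. Every bom-ref has a dependencies entry; leaves have dependsOn [].
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "centos", "type": "operating-system", "name": "centos"}},
  "components": [
    {"bom-ref": "acl", "type": "application", "name": "acl",
     "hashes": [{"alg": "SHA-256", "content": "53ed0000000000000000000000000000000000000000000000000000000000aa"}],
     "externalReferences": [{"type": "vcs", "url": "https://example.invalid/acl.src.rpm",
       "hashes": [{"alg": "SHA-256", "content": "8e670000000000000000000000000000000000000000000000000000000000bb"}]}]},
    {"bom-ref": "glibc", "type": "library", "name": "glibc"}
  ],
  "dependencies": [
    {"ref": "centos", "dependsOn": ["acl", "glibc"]},
    {"ref": "acl", "dependsOn": []},
    {"ref": "glibc", "dependsOn": []}
  ]
}""")

def hash_placements(comp):
    """Every place a hash for this component appears; a checker that reads only
    component.hashes (the rule viveksahu26 describes) misses the other two."""
    found = {}
    for h in comp.get("hashes", []):
        found.setdefault("component.hashes", h["content"])
    for sub in comp.get("components", []):  # nested type=data source component
        if sub.get("type") == "data":
            for h in sub.get("hashes", []):
                found.setdefault("components[data].hashes", h["content"])
    for ref in comp.get("externalReferences", []):
        for h in ref.get("hashes", []):
            found.setdefault(f"externalReferences[{ref.get('type', '?')}].hashes", h["content"])
    return found

def relationship_status(bom):
    """has-relationships when a dependencies entry exists (an empty dependsOn
    is a legitimate leaf), no-relationships when the ref is absent entirely."""
    declared = {d["ref"] for d in bom.get("dependencies", [])}
    refs = [bom["metadata"]["component"]["bom-ref"]] + [c["bom-ref"] for c in bom["components"]]
    return {r: "has-relationships" if r in declared else "no-relationships" for r in refs}

def dangling_targets(bom):
    """Refs named in a dependsOn that no component in the document declares."""
    known = {bom["metadata"]["component"]["bom-ref"]} | {c["bom-ref"] for c in bom["components"]}
    return sorted({t for d in bom.get("dependencies", []) for t in d.get("dependsOn", []) if t not in known})
```

Run `hash_placements` over each component of your own BOM to see which placement the hash actually sits in; `relationship_status` distinguishes a declared leaf (empty dependsOn) from a ref that is missing from the dependencies graph altogether.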