This PR extends the `compliance` sub-command to support the OpenChain Telco SBOM standard.
OpenChain Telco has various attributes to check, as shown here. For more details, refer here.
NOTE: Scoring for externalReference is different from normal scoring. Basically, OpenChain Telco checks the `referenceType`, i.e. `purl` must be present. Under `externalRefs` there is a list of references, each with 3 fields: `category type`, `package manager` and `locator`. The scoring is a bit different here. Suppose, out of a list of 5 references, only 2 references contain `purl`; then the score would be: (2/5)*10 = 4.
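As an added illustration of the scoring rule described above (example code, not sbomqs's own implementation): the `ExternalRef` struct, the `PurlScore` function name and the sample references are assumptions constructed for this example. It counts the references whose type is `purl`, scales the fraction to 0..10, and treats an empty reference list as a score of 0 instead of dividing by zero.

```go
package main

import (
	"fmt"
	"strings"
)

// ExternalRef mirrors the three fields of an SPDX package external reference.
// The field names are assumptions for this example, not sbomqs's own types.
type ExternalRef struct {
	Category string // e.g. PACKAGE-MANAGER, SECURITY
	Type     string // e.g. purl, cpe23Type
	Locator  string // the reference string itself
}

// PurlScore applies the rule from the PR description: the fraction of external
// references whose type is "purl", scaled to the range 0..10.
// An empty list scores 0 rather than dividing by zero.
func PurlScore(refs []ExternalRef) float64 {
	if len(refs) == 0 {
		return 0
	}
	withPurl := 0
	for _, r := range refs {
		// Case-insensitive match so "PURL" and "purl" are treated alike.
		if strings.EqualFold(r.Type, "purl") {
			withPurl++
		}
	}
	// Multiply before dividing so 2 of 5 yields exactly 4.0.
	return float64(withPurl*10) / float64(len(refs))
}

func main() {
	// Constructed sample: 5 references, only 2 carry a purl -> (2/5)*10 = 4.
	refs := []ExternalRef{
		{Category: "PACKAGE-MANAGER", Type: "purl", Locator: "pkg:golang/github.com/example/lib@v1.2.3"},
		{Category: "SECURITY", Type: "cpe23Type", Locator: "cpe:2.3:a:example:lib:1.2.3:*:*:*:*:*:*:*"},
		{Category: "PACKAGE-MANAGER", Type: "purl", Locator: "pkg:npm/example-lib@1.2.3"},
		{Category: "OTHER", Type: "website", Locator: "https://example.com"},
		{Category: "SECURITY", Type: "advisory", Locator: "https://example.com/advisory"},
	}
	fmt.Printf("purl score: %.1f/10\n", PurlScore(refs))
}
```

Running it prints `purl score: 4.0/10` for the constructed sample; a package with no external references at all scores 0, which is the case a scorer has to decide on explicitly.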
This PR will contain the feature for OpenChain Telco SBOM compliance:

```
sbomqs compliance <sbom_file> --oct
```
The output will look like: https://gist.github.com/viveksahu26/07a0c568beb9b31dbb813d3785507aca