This PR is to extend support for compliance sub-command for OpenChain Telco SBOMs standards.
OpenChain Telco has various attribute for checks as shown here. For more refer.
NOTE: Scoring for externalReference is different from normal scoring: Basically openchain telco looks or checks for referenceType i.e. purl must be present. Under externalRefs there are list of reference with 3 field category type, package manager and locator. There is bit a different way of scoring it. Suppose - out of 5 list of references, only 2 reference contains purl, then score would be like: (2/5)*10 = 4.
This PR will contain feature for Open Telco SBOM compliance:
sbomqs compliance <sbom_file> --octwill look like: https://gist.github.com/viveksahu26/07a0c568beb9b31dbb813d3785507acaDescription of this PR:
compliancesub-command for OpenChain Telco SBOMs standards.referenceTypei.e.purlmust be present. UnderexternalRefsthere are list of reference with 3 fieldcategory type,package managerandlocator. There is bit a different way of scoring it. Suppose - out of 5 list of references, only 2 reference containspurl, then score would be like: (2/5)*10 = 4.