Bug: Creator tool and version could be present in services in the tools section for CDX

interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms

Apache License 2.0

150 stars 20 forks source link

Bug: Creator tool and version could be present in services in the tools section for CDX #264

Closed riteshnoronha closed 1 week ago

riteshnoronha commented 4 weeks ago

Its possible the creator and tool version could be present in the tools->services section for sboms created via api services.

sbom_with_creator_and_version rule should be modified to handle this. This is an CDX only thing.

viveksahu26 commented 2 weeks ago

Hey @riteshnoronha , few question related to above issue, as I don't have clear understanding of it:

Firstly, are you talking about tools present under cdxDoc struct ?
Second thing, which rule(sbom_with_creator_and_version) are you talking about ? I am aware of rules or checks that were used for compliance report such as CRA. Or this is something different which I am unaware of ?

riteshnoronha commented 2 weeks ago

We have found that sboms generated via api's in CDX 1.5 and above set the tool used to generate it in the metadata->Tools->Services section. In our current logic we only check Metadata->Tools->Tools and Metatdata->Tools->Components. Yes it impacts sbom_with_creator_and_version rule, so if we parse it correctly and save it in cdxDoc it should just work.