interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0

Supplier count bug #281

Closed briancaine closed 2 months ago

briancaine commented 2 months ago

I noticed a bug with the comp_with_supplier rule. I scored CycloneDX SBOMs and couldn't get any of them to recognize any suppliers.

Example SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:d7700b83-651a-458a-9764-1998b615a8d5",
  "version": 1,
  "metadata": {
    "component": {
      "bom-ref": "foobar",
      "type": "library",
      "name": "some other library here",
      "version": "v0.111.0",
      "supplier": { "name": "foobar supplier" }
    }
  },
  "components": [
    {
      "bom-ref": "zipzap",
      "type": "library",
      "name": "some library here",
      "version": "v0.9.0",
      "scope": "required",
      "supplier": { "name": "zipzap supplier" }
    }
  ]
}

When I score this, I get:

$ sbomqs score /tmp/sample.cdx.json | grep comp_with_supplier
|                       | comp_with_supplier             | 0.0/10.0  | 0/2 have supplier names        |

This PR should fix this.
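To show what the comp_with_supplier tally is expected to produce on the SBOM above, here is an added stand-alone Go example. It is not sbomqs's own code and makes no claim about how the rule is implemented in the project; it assumes the rule counts the metadata.component together with every entry in components (and their nested components), and treats a supplier as present only when supplier.name is non-blank. The SampleBOM constant is the issue's SBOM trimmed to the relevant fields; PartialBOM is a constructed variant used to show a partial score.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of the CycloneDX 1.4 JSON schema needed for the supplier check.
type cdxSupplier struct {
	Name string `json:"name"`
}

type cdxComponent struct {
	BomRef     string         `json:"bom-ref"`
	Name       string         `json:"name"`
	Supplier   *cdxSupplier   `json:"supplier,omitempty"`
	Components []cdxComponent `json:"components,omitempty"` // nested components
}

type cdxBOM struct {
	BomFormat string `json:"bomFormat"`
	Metadata  struct {
		Component *cdxComponent `json:"component,omitempty"`
	} `json:"metadata"`
	Components []cdxComponent `json:"components"`
}

// SupplierCount is the tally a comp_with_supplier style check reports.
type SupplierCount struct {
	WithSupplier int
	Total        int
}

// Score maps the tally onto the 0..10 scale shown in the sbomqs output; an empty BOM scores 0.
func (c SupplierCount) Score() float64 {
	if c.Total == 0 {
		return 0
	}
	return 10 * float64(c.WithSupplier) / float64(c.Total)
}

// hasSupplierName is the per-component rule assumed here: a supplier object with a
// non-blank name. A bare {"supplier": {}} or a whitespace-only name does not count.
func hasSupplierName(c cdxComponent) bool {
	return c.Supplier != nil && strings.TrimSpace(c.Supplier.Name) != ""
}

// walk visits each component and, recursively, its nested components.
func walk(comps []cdxComponent, visit func(cdxComponent)) {
	for _, c := range comps {
		visit(c)
		walk(c.Components, visit)
	}
}

// CountSuppliers parses a CycloneDX JSON document and counts components carrying a
// supplier name. The metadata.component (the primary component the BOM describes) is
// included in the tally, which is why the issue's sample should read 2/2.
func CountSuppliers(doc []byte) (SupplierCount, error) {
	var bom cdxBOM
	if err := json.Unmarshal(doc, &bom); err != nil {
		return SupplierCount{}, err
	}
	if bom.BomFormat != "CycloneDX" {
		return SupplierCount{}, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BomFormat)
	}
	var count SupplierCount
	visit := func(c cdxComponent) {
		count.Total++
		if hasSupplierName(c) {
			count.WithSupplier++
		}
	}
	if bom.Metadata.Component != nil {
		visit(*bom.Metadata.Component)
		walk(bom.Metadata.Component.Components, visit)
	}
	walk(bom.Components, visit)
	return count, nil
}

// SampleBOM is the SBOM posted in the issue, trimmed to the fields the check reads.
const SampleBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"bom-ref": "foobar", "type": "library",
    "name": "some other library here", "version": "v0.111.0",
    "supplier": {"name": "foobar supplier"}}},
  "components": [{"bom-ref": "zipzap", "type": "library",
    "name": "some library here", "version": "v0.9.0", "scope": "required",
    "supplier": {"name": "zipzap supplier"}}]
}`

// PartialBOM is a constructed variant: one empty supplier object, one blank supplier
// name, and a nested component that does carry a supplier name (2 of 4 qualify).
const PartialBOM = `{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "name": "app",
    "supplier": {"name": "acme"}}},
  "components": [
    {"type": "library", "name": "libA", "supplier": {}},
    {"type": "library", "name": "libB", "supplier": {"name": "  "},
     "components": [{"type": "library", "name": "libB-inner",
       "supplier": {"name": "inner supplier"}}]}
  ]
}`

func main() {
	for _, d := range []struct{ name, doc string }{{"sample", SampleBOM}, {"partial", PartialBOM}} {
		c, err := CountSuppliers([]byte(d.doc))
		if err != nil {
			fmt.Println(d.name, "error:", err)
			continue
		}
		fmt.Printf("%-8s comp_with_supplier %.1f/10.0  %d/%d have supplier names\n",
			d.name, c.Score(), c.WithSupplier, c.Total)
	}
}
```

Run with `go run .`; the issue's sample yields 10.0/10.0 with 2/2 components having supplier names, which is the result the reporter expected instead of 0/2. The nested-component walk and the blank-name handling go slightly beyond the issue's flat two-component case, so that a supplier object with no usable name is not silently counted.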

riteshnoronha commented 2 months ago

@briancaine this is approved; however, I cannot merge it as it's not signed. Please do sign it: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits

briancaine commented 2 months ago

Yep, just saw that. Will do.

briancaine commented 2 months ago

@riteshnoronha There we go, should be signed now.

riteshnoronha commented 2 months ago

BOOM... nice one. Ok, have merged. We are moving our release cycle to bi-weekly; however, if you need this earlier, let me know.

riteshnoronha commented 1 month ago

@briancaine v0.1.6 has been released.