viveksahu26
commented
3 months ago This table will illustrate the summary of this draft in table format:
| Attribute | Requirement Level | Minimum Requirement | Recommended Practice | Aspirational Goal | CycloneDX | SPDX | sbomqs |
|---|---|---|---|---|---|---|---|
| Author Name | Must | List all SBOM creators. Author may different from Supplier Name. | Include tools/versions used in SBOM creation. | ✔️ (metadata->tools, metadata->authors), metadata->manufacturer | ✔️ (CreationInfo->Creator ) | ✔️ (NTIA category - sbom_authors) |
|
| Timestamp | Must | Date and time SBOM was created (e.g., 2024-05-23T13:51:37Z). | ✔️ (metadata->timestamp ) | ✔️ (CreationInfo->created) | ✔️ (NTIA Category - sbom_creation_timestamp) |
||
| Type | Optional | Provide context for how and why the SBOM was created. | ✔️ (metadata->component->type) | ✔️ (package->primaryPackagePurpose) | ✔️ (Quality Category - comp_with_primary_purpose) |
||
| Primary Component | Must | Identifies the root component of dependencies. | ✔️ (metadata->component) | ✔️ (Relationship->SPDXRef-DOCUMENT) | ✔️ (Quality Category - sbom_with_primary_component) |
||
| Component Name | Must | Public name of component by supplier/creator. | ✔️ (component->name ) | ✔️ (package->name ) | ✔️ (NTIA Category - comp_with_name) |
||
| Version | Must | Specifies software iteration (e.g., 1.0.0). |
✔️ (component->version ) | ✔️ (package->versionInfo) | ✔️ (NTIA Category - comp_with_version) |
||
| Supplier Name | Must | Entity that created the component. | ✔️ (component->manufacturer, component->authors, and maybe component->supplier, ) | ✔️ (package->supplier, package->originator) | ✔️ (NTIA Category - comp_with_supplier) |
||
| Unique Identifier | Must | Unique identifier (e.g., CPE, PURL, SWID, SWHID, omniborID, UUID). | ✔️ (component->cpe, component->purl, component->omniborId, component->swhid, component->swid ) | ✔️ (package->externalRef ) | ✔️ (NTIA Category - comp_with_uniq_ids ) |
||
| Cryptographic Hash | Must | Hash for the compiled binary (e.g., SHA-256). | Hash for the Primary Component using secure algorithms. | ✔️ (component->hashes ) | ✔️ (package->checksum ) | ✔️ (Semantic Category comp_with_checksums ) |
|
| Relationship | Must | Declare relationships between the primary component and direct dependencies. --> composition |
Declare relationships for all components listed. --> dependencies |
List all dependencies, included or not. | ✔️ (dependencies, compositions | ✔️ (relationships) | ✔️ (sbomqs support in CRA and OCT compliance ) |
| Relationship Assertions | Optional | Non-authoritative claims about components. | Make non-authoritative claims as needed. | ✔️ ( dependencies, compositions | ✔️ (relationships) ) | ✔️ (sbomqs support in CRA and OCT compliance ) | |
| License | Optional | Legal terms for software use, modification, and distribution. | Detailed license info for many components. | Detailed license info for all components with attestation. | ✔️ (component->licenses ) | ✔️ (Package->licenseConcluded, Package->licenseDeclared ) | ✔️ ( Semantic Category - comp_with_licenses) |
| Copyright Holder | Must | Copyright info for Primary Component. | Copyright info for other components where available. | Ensure copyright info for all components. | ✔️ (component->copyright ) | ✔️ (Package->copyrightText) | ✔️ (supported in OCT Compliance report) |
CISA' Framing Document Third Edition is under community review and suggests SBOM field's described as
sbomqs should aim to
The result should be accessible as JSON to meet requirements discussed in https://github.com/CISA-SBOM-Community/SBOM-Generation/issues/19