Implement Support for SBOM Quality Score Tool (sbomqs)

[msymons]

Is your feature request related to a problem? Please describe.

A DT server with several hundred projects will often have a real variance in BOM quality. This might be caused by a number of things:

• Different ecosystems means different tools generating the BOM... Gradle, Maven, etc.
• Out-of-date version of tools generating the BOM. eg, two Maven projects both reporting BOM version is 1.4 in DT but one is generated using an older version of the cyclonedx-maven-plugin and thus may be lower quality
• Up-to-date plugin generates BOM... but is incorrectly configured for (say) schemaVersion. Thus, one might get two projects with same out-of-date schemaVersion but one generated with latest plugin has higher quality

Describe the solution you'd like

Incorporate the sbomqs tool into the DT Jenkins plugin. This will allow for several pieces of functionality:

• Calculation of BOM Quality Score
• Option to fail a build (or mark it unstable) based on BOM quality (score)
• Creation of quality score labels in Dependency-Track
• Reporting of scoring output as a report in Jenkins so that one can see WHY a score is low (especially if it is causing the build to fail)

Additional context

Here is a screenshot showing labels in DT that have been created by sbomqs

The tool will take care of removing old tags... important if (say) an upgrade of the tool that generates the BOM improves the score.

[riteshnoronha]

Thanks @msymons. I'm the creator of the tool, if you do decide to integrate this, please do reach out to me if u run into issues or concerns.

[sephiroth-j]

This function goes beyond what this plugin is intended for. It is not a generic SBOM plugin and does not call an external executable, for whatever reason.

You can do this yourself in your Jenkins pipeline.

1. call sbomqs and capture the output: def out = sh(script: 'sbomqs score <sbom-file>', returnStdout: true).trim()
2. extract the score from the captured output and store it in a variable: def score = Float.parseFloat(out.split(' ')[0])
3. let the build fail if the score is to low: if (score < 9.0) { error 'sbom quality to low' }
4. use the feature of setting tags to set the sbomqs-tag when uploading the sbom file: dependencyTrackPublisher artifact: '<sbom-file>', ..., projectProperties: [tags: ["sbomqs=${score}"]]