Skip to content

vncgrvs/sbom-tester

BranchesTags

Repository files navigation

SBOM-Tester

Project Status: WIP – Initial development is in progress, but there has not yet been a stable, usable release suitable for the public.

This a simple script that takes a CycloneDX SBOM in JSON format and analyses it against certain quality factors. Namely,

  1. Correctness and presence of PURLs.
  2. Correctness and presence of licenses per purl. Note: it correlates against SPDX-license ids.
  3. Whether the SBOM entails the dependency tree
  4. The presence of an operating system
  5. Whether the SBOM contains information on the tool that was used to create it

Usage

  1. Install required libraries
pip install -r requirements.txt

Note: create a virtual env first

python -m env venv

source env/bin/activate
  1. Run CLI and generate a report you may pass a directory with many SBOM files or a single file.
python main.py test/ --report
  1. Example report
[
  {
    "filename": "test/cyclonedx-bom.json",
    "purls": 378,
    "percentage_valid_purl": 1.0,
    "licenses": {
      "valid_licenses": 372,
      "percentage_valid_license_id": 0.98
    },
    "is_schema_compliant": true,
    "operating_system": {
      "has_os": false,
      "os_found": null
    },
    "sbom_tool": {
      "has_tool": true,
      "tools": []
    },
    "has_dependency_tree": true,
    "quality_score": 0.895
  }
]

Note the ./test folder contains CycloneDX SBOMs created for the vsm-webshop project with the CycloneDX python plugin, Syft, Trivy and ORT. Feel free to play with those.

Scoring

You'll find that in analyser.py the function grade_sbom contains the weights for the above the factors:

 weights = {
        "has_dependency_tree": 0.2,
        "valid_bom": 0.1,
        "has_operating_system": 0.1,
        "valid_licenses": 0.1,
        "valid_purls": 0.5

    }

and further down you'll also see the weighted scoring

score = (score_dep_tree * weights['has_dependency_tree']) + (score_valid_bom * weights['valid_bom']) + (
        score_operating_systems * weights['has_operating_system']) + (score_licenses * weights['valid_licenses']) + (score_purls * weights['valid_purls'])

In simple words, the scoring looks at:

  1. whether the SBOM has a dependency tree
  2. the BOM file is of a valid CycloneDX schema
  3. Contains an operating system
  4. Has SPDX-valid license ids
  5. Has purls that conform with the spec.

Changing the weights

Feel free to change the weights array according to your needs. Ensure that all weights add up to 1 ;)

Contact

Feel free to contact me for any queries under vincent.groves@leanix.net or just open a issue or PR. Will try to get back to you in a timely manner.

About

A python script to test the quality of a SBOM.

Topics

sbom

Resources

Readme

License

Apache-2.0 license
Activity

Stars

3 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages