SBOM quality score - Quality metrics for your sboms
sbomqs
: Quality metrics for SBOMssbomqs
is your primary tool to assess the quality of sbom's. The higher the score the more consumable your sboms are.
brew tap interlynk-io/interlynk
brew install sbomqs
other installation options.
sbomqs score <sbom-file>
sbomqs compliance -c samples/photon.spdx.json
sbomqs share <sbom-file>
Example:
sbomqs share cdxgen-9.5.1_alpine-latest.cdx.json
5.9 cdxgen-9.5.1_alpine-latest.cdx.json
ShareLink: https://sbombenchmark.dev/user/score?id=a97af1bf-4c9d-4a55-8524-3d4bcee0b9a4
sbomqs dtrackScore -u <dt-host-url> -k <dt-api-key> <project-uuid>
Example:
sbomqs dtrackScore -u "http://localhost:8080/" -k "IIcfPA9qc1F4IkQFa2FqQJoTwcfQI" bbd4434d-8062-4e59-a323-3b416701c948
INTERLYNK_DISABLE_VERSION_CHECK=true ./build/sbomqs score ~/wrk/sbom*/samples/*.json -b
docker run -v <path of sbom file or folder>:/app/inputfile ghcr.io/interlynk-io/sbomqs score /app/inputfile
Example
docker run -v $(pwd)/samples/sbomqs-cdx-cgomod.json:/app/inputfile ghcr.io/interlynk-io/sbomqs score -j /app/inputfile
Unable to find image 'ghcr.io/interlynk-io/sbomqs:latest' locally
latest: Pulling from interlynk-io/sbomqs
708d61464c72: Already exists
Digest: sha256:d47e3e936b3ef61c01fcf5cfd00d053c06bf1ded8c9ac3c0d148412126da3b3f
Status: Downloaded newer image for ghcr.io/interlynk-io/sbomqs:latest
{
"run_id": "d1ccac27-323e-478a-afd2-7d33501997ea",
"timestamp": "2023-05-23T06:11:25Z",
"creation_info": {
"name": "sbomqs",
"version": "",
"scoring_engine_version": "5"
},
A high quality SBOM should allow for managements of assets, license, vulnerabilities, Intellectual Property, configuration management and incident response.
A quality SBOM is one that is accurate, complete, and up-to-date. There are many factors that go into constructing a high quality sbom
The main goals of the utility are
SBOM can be generated using both commercial and open-source tooling. As consumers of SBOM we wanted a fast & easy way to assess the quality of an SBOM. An SBOM with a low score, needs to be re-evaluated or rejected.
sbomqs
makes getting a quick assessment effortless. Just point.
sbomqs score samples/julia.spdx.tv -b
6.9 samples/julia.spdx.json
NTIA recommends the following standards for SBOM's
sbomqs
supports SPDX and CycloneDX formats. Support for SWID is incoming.
In addition to supporting the SBOM formats, we support various file formats
sbomqs
scoring output can be customized by category or by feature. We understand everyone needs for scoring would not match ours, we have added customizability around which categories or features should or should not be included for scoring.
We have categorized our current features into the following categories
We allow running any single feature to be tested against an SBOM.
sbomqs generate features
, this generated a features.yaml filesbomqs score ~/data/app.spdx.json --configpath features.yaml
use the yaml file to apply the changes.For the list of features currently supported, visit features.md.
sbomqs
provides its scoring output in basic and detailed forms.
Basic output is great for a quick check of the quality of our sboms. Once you get a good sense of how the tool works, this could also be your primary way of consuming data from this tool.
6.0 samples/blogifier-dotnet-SBOM.json
6.9 samples/julia.spdx.json
7.6 samples/sbom.spdx.yaml
Detailed output is presented in tabular and json formats currently
Tabular format: this format has been inspired by oss scorecard project.
SBOM Quality Score: 6.0 samples/blogifier-dotnet-SBOM.json
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY | FEATURE | SCORE | DESC |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has creation timestamp | 10.0/10.0 | doc has creation timestamp |
| | | | 2022-11-04T16:51:54Z |
+ +--------------------------------+-----------+--------------------------------+
| | Components have supplier names | 0.0/10.0 | 0/1649 have supplier names |
+ +--------------------------------+-----------+--------------------------------+
| | Components have names | 10.0/10.0 | 1649/1649 have names |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has relationships | 0.0/10.0 | doc has 0 relationships |
+ +--------------------------------+-----------+--------------------------------+
...
...
json format
{
"run_id": "fc86a94d-7490-4f20-a202-b04bb3cdfde9",
"timestamp": "2023-02-17T14:58:55Z",
"creation_info": {
"name": "sbomqs",
"version": "v0.0.6-3-g248d059",
"scoring_engine_version": "1"
},
"files": [
{
"file_name": "samples/blogifier-dotnet-SBOM.json",
"spec": "cyclonedx",
"spec_version": "1.4",
"file_format": "json",
"avg_score": 6,
"num_components" : 3,
"scores": [
{
"category": "Structural",
"feature": "Spec File Format",
"score": 10,
"max_score": 10,
"description": "provided sbom should be in supported file format for spec: json and version: json,xml"
}
]
}
]
}
sbomqs can now produce compliance reports for industry standard requirements. Currently we support BSI CRA TR-03183 v1.1. More details about the CRA requirements are avaliable here.
Example of a BSI CRA report
{
"report_name": "Cyber Resilience Requirements for Manufacturers and Products Report",
"subtitle": "Part 2: Software Bill of Materials (SBOM)",
"revision": "TR-03183-2 (1.1)",
"run": {
"id": "375c288b-0928-4066-9e3a-b8655ac29f91",
"generated_at": "2024-04-18T03:22:56Z",
"file_name": "samples/photon.spdx.json"
},
"tool": {
"name": "sbomqs",
"version": "v0.0.30-23-g344a584-dirty",
"vendor": "Interlynk (https://interlynk.io)"
},
"summary": {
"total_score": 4.20,
"max_score": 10,
"required_elements_score": 5.91,
"optional_elements_score": 2.50
},
"sections": [
{
"section_title": "SBOM formats",
"section_id": "4",
"section_data_field": "specification",
"required": true,
"element_id": "sbom",
"element_result": "spdx",
"score": 10
},
...
https://github.com/interlynk-io/sbomqs/releases
brew tap interlynk-io/interlynk
brew install sbomqs
go install github.com/interlynk-io/sbomqs@latest
This approach involves cloning the repo and building it.
git clone [email protected]:interlynk-io/sbomqs.git
cd
into sbomqs
folder./build/sbomqs version
We look forward to your contributions, below are a few guidelines on how to submit them
git checkout -b feature/new-feature
)git commit -am "awesome new feature"
)git push origin feature/new-feature
)We appreciate all feedback. The best ways to get in touch with us:
If you like this project, please support us by starring it.