A tool to check the conformance of SBOMs to specifications. A checker for the NTIA Minimum Elements Specification, SPDX v2.3 requirements, and the Google style guide is provided with the library.
Note: This library only supports SPDX v2.3 and JSON-encoded SBOMs.
sbom-conformance is a library and a CLI.

```sh
go install github.com/google/sbom-conformance@latest
sbom-conformance -specs eo -sbom <path to sbom>
```

Run `sbom-conformance -h` to see the supported options.
The BaseChecker does the analysis of SBOMs. The following code creates a base checker with all three specs enabled, runs it, and retrieves the results. You can choose any subset of the supported specs.

```go
import (
	"github.com/google/sbom-conformance/pkg/checkers/base"
)

checker := base.NewChecker(base.WithGoogleChecker(),
	base.WithEOChecker(),
	base.WithSPDXChecker())
checker.SetSBOM(sbom)
checker.RunChecks()
results := checker.Results()
```

Text summary:

`results.TextSummary`

Structured summary of the SBOM and the conformance checks:

`results.Summary`

Results of the top-level conformance checks:

`results.TopLevelChecks`

There are two ways to get the results of the package-level conformance checks. Per package:

`results.PkgResults`

Or directly, with statistics on the number of packages that passed each check:

`results.PackageLevelChecks`

## EO
A PDF of the specification can be found at https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf. The checker in this library verifies the minimum required "Data Fields", but not the minimum required "Automation Support" or the minimum required "Practices and Processes".
This checker considers NOASSERTION to be invalid for the Version, Supplier, and Relationships checks.
This refers to the "Author of SBOM Data" data field in the NTIA specification. It is a top-level check that passes if the Creator field contains at least one entry.
This refers to the "Timestamp" data field in the NTIA specification. It is a top-level check that passes if the Created field is present and non-empty.
This refers to the "Dependency Relationship" data field in the NTIA specification. It is a top-level check that passes if, for every package, there exists a relationship where the package is either spdxElementId or relatedSpdxElement and where the other side of the relationship is not NOASSERTION or the package itself.
Note that the relationshipType is not considered. If a package genuinely has no relationships, NONE can be used as the spdxElementId or relatedSpdxElement on the other side of a relationship, and the check will pass for the package.
This is one interpretation of the NTIA specification. It differs from the SPDX project's interpretation, possibly because this library's interpretation does not factor in documents such as Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM).
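The rule above has two edge cases that are easy to get wrong when writing your own validator: a relationship whose other side is NOASSERTION does not count, but one whose other side is NONE does, and relationshipType plays no part. The following is an added, stand-alone implementation of that rule (not code from sbom-conformance) over a constructed SPDX 2.3 JSON document; the JSON field names are taken from the SPDX 2.3 JSON schema, and the document and package identifiers are invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spdxDoc is the minimal subset of an SPDX 2.3 JSON document that this check
// needs; the JSON field names follow the SPDX 2.3 JSON schema.
type spdxDoc struct {
	Packages []struct {
		SPDXID string `json:"SPDXID"`
	} `json:"packages"`
	Relationships []struct {
		SpdxElementID      string `json:"spdxElementId"`
		RelationshipType   string `json:"relationshipType"`
		RelatedSpdxElement string `json:"relatedSpdxElement"`
	} `json:"relationships"`
}

// DependencyRelationshipCheck evaluates the NTIA "Dependency Relationship"
// rule described above, per package: a package passes if some relationship
// names it on either side and the other side is neither NOASSERTION nor the
// package itself. NONE on the other side passes (an explicit "no
// dependencies"), and relationshipType is deliberately ignored.
func DependencyRelationshipCheck(raw []byte) (map[string]bool, error) {
	var doc spdxDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, fmt.Errorf("parse SBOM: %w", err)
	}
	results := make(map[string]bool, len(doc.Packages))
	for _, p := range doc.Packages {
		results[p.SPDXID] = false
		for _, r := range doc.Relationships {
			var other string
			switch p.SPDXID {
			case r.SpdxElementID:
				other = r.RelatedSpdxElement
			case r.RelatedSpdxElement:
				other = r.SpdxElementID
			default:
				continue
			}
			if other != "NOASSERTION" && other != p.SPDXID {
				results[p.SPDXID] = true
				break
			}
		}
	}
	return results, nil
}

// sampleSBOM is a constructed document, not taken from any real project.
// pkg-a is described by the document and depends on pkg-b, so both pass;
// pkg-c only relates to itself and pkg-d only to NOASSERTION, so both fail;
// pkg-e declares NONE and passes.
const sampleSBOM = `{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [
    {"SPDXID": "SPDXRef-pkg-a"}, {"SPDXID": "SPDXRef-pkg-b"},
    {"SPDXID": "SPDXRef-pkg-c"}, {"SPDXID": "SPDXRef-pkg-d"},
    {"SPDXID": "SPDXRef-pkg-e"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-pkg-a"},
    {"spdxElementId": "SPDXRef-pkg-a", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-pkg-b"},
    {"spdxElementId": "SPDXRef-pkg-c", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-pkg-c"},
    {"spdxElementId": "SPDXRef-pkg-d", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "NOASSERTION"},
    {"spdxElementId": "SPDXRef-pkg-e", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "NONE"}
  ]
}`

func main() {
	results, err := DependencyRelationshipCheck([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"SPDXRef-pkg-a", "SPDXRef-pkg-b", "SPDXRef-pkg-c", "SPDXRef-pkg-d", "SPDXRef-pkg-e"} {
		fmt.Printf("%-16s pass=%v\n", id, results[id])
	}
}
```

Note that pkg-a passes purely because the document's DESCRIBES relationship names it; under this interpretation a package with no dependency edges at all still satisfies the check as long as any relationship touches it, which is why the text calls it one interpretation among several.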
This refers to the "Component Name" data field in the NTIA specification. It is a package-level check that passes if the Name field is present and non-empty.
This refers to the "Version of the Component" data field in the NTIA specification. It is a package-level check that passes if all of the following are true for the Version field:
- it is present
- it is not empty
- it is not NOASSERTION
This refers to the "Supplier Name" data field in the NTIA specification. It is a package-level check that passes if all of the following are true for the Package Supplier field:
- it is present
- it is not empty
- it is not NOASSERTION
This refers to the "Other Unique Identifiers" data field in the NTIA specification. It is a package-level check that passes if the External References field is present and non-empty.
## SPDX
The SPDX 2.3 specification (https://spdx.github.io/spdx-spec/v2.3/) requires that some fields are present and/or meet certain syntactic constraints.
This is a top-level check that passes if the Document Name field is present and not empty.
This is a top-level check that passes if the Document Namespace field is present and is an RFC 3986 URL with a scheme and without # characters.
This is a top-level check that passes if the Document SPDX Identifier field is SPDXRef-DOCUMENT.
This is a top-level check that passes if the Creator contains one or more entries and each entry is formatted correctly. The last parenthesis group in the creator is interpreted as the email.
This is a top-level check that passes if the Created field is present and conforms to YYYY-MM-DDThh:mm:ssZ.
This is a top-level check that passes if, for each entry in the Other Licensing Information section, all of the following are true:
- the License Identifier field is present and conforms to LicenseRef-<idstring>, where idstring only contains letters, numbers, ., and/or -
- the License Identifier field is unique among all entries
- the Extracted Text field is present and not empty
The licenses are not checked against the SPDX license list.
This is a top-level check that passes if the Data License field is CC0-1.0.
This is a package-level check that passes if the Name field is present and non-empty.
This is a package-level check that passes if the Package SPDX Identifier field is present and conforms to SPDXRef-<idstring> where idstring only contains letters, numbers, ., and/or -.
This is a top-level check that passes if the Package SPDX Identifier field is unique among all packages.
This is a package-level check that passes if the Package Download Location field is present and not empty.
This is a package-level check that passes if either of the following is true:
- the Package Verification Code field is missing
- the Package Verification Code field is present and the Files Analyzed field is true
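The syntactic SPDX checks above (namespace, SPDXRef and LicenseRef identifiers, the Created timestamp, identifier uniqueness, and creator entries) are small enough to show as plain validators. The following is an added example written for this page, not code from sbom-conformance, and it makes two assumptions the page does not state: net/url is used as an approximation of an RFC 3986 parser, and a creator entry is taken to begin with one of the three SPDX 2.3 creator types (Person, Organization, Tool); the sample values are invented.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// idString is the SPDX 2.3 "idstring" production: letters, digits, '.' and '-'.
var idString = regexp.MustCompile(`^[A-Za-z0-9.-]+$`)

// createdRe pins the exact YYYY-MM-DDThh:mm:ssZ shape. time.Parse alone would
// also accept fractional seconds and, with RFC3339, numeric offsets.
var createdRe = regexp.MustCompile(`^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$`)

// ValidDocumentNamespace requires an absolute URI (scheme present) with no
// '#' anywhere. Assumption: net/url is close to, not exactly, RFC 3986.
func ValidDocumentNamespace(ns string) bool {
	if ns == "" || strings.Contains(ns, "#") {
		return false
	}
	u, err := url.Parse(ns)
	return err == nil && u.Scheme != ""
}

// ValidSPDXRef checks SPDXRef-<idstring>.
func ValidSPDXRef(id string) bool {
	return strings.HasPrefix(id, "SPDXRef-") && idString.MatchString(strings.TrimPrefix(id, "SPDXRef-"))
}

// ValidLicenseRef checks LicenseRef-<idstring>.
func ValidLicenseRef(id string) bool {
	return strings.HasPrefix(id, "LicenseRef-") && idString.MatchString(strings.TrimPrefix(id, "LicenseRef-"))
}

// ValidCreated checks the exact format and that the value is a real date.
func ValidCreated(s string) bool {
	if !createdRe.MatchString(s) {
		return false
	}
	_, err := time.Parse(time.RFC3339, s)
	return err == nil
}

// Duplicates returns identifiers that occur more than once, in first-seen
// order; an empty result means the uniqueness check passes.
func Duplicates(ids []string) []string {
	seen := map[string]int{}
	var dups []string
	for _, id := range ids {
		seen[id]++
		if seen[id] == 2 {
			dups = append(dups, id)
		}
	}
	return dups
}

// ParseCreator splits a creator entry into type, name and optional email.
// Assumption: the entry starts with "Person: ", "Organization: " or "Tool: ".
// As the page says, the last parenthesised group is taken to be the email.
func ParseCreator(entry string) (kind, name, email string, ok bool) {
	for _, k := range []string{"Person", "Organization", "Tool"} {
		if !strings.HasPrefix(entry, k+": ") {
			continue
		}
		rest := strings.TrimSpace(strings.TrimPrefix(entry, k+": "))
		if rest == "" {
			return "", "", "", false
		}
		if open := strings.LastIndex(rest, "("); open >= 0 && strings.HasSuffix(rest, ")") {
			return k, strings.TrimSpace(rest[:open]), rest[open+1 : len(rest)-1], true
		}
		return k, rest, "", true
	}
	return "", "", "", false
}

func main() {
	fmt.Println(ValidDocumentNamespace("https://example.com/sbom/1"), ValidDocumentNamespace("https://example.com/sbom#1"))
	fmt.Println(ValidSPDXRef("SPDXRef-pkg.a-1"), ValidSPDXRef("SPDXRef-pkg_a"))
	fmt.Println(ValidCreated("2024-05-01T12:00:00Z"), ValidCreated("2024-05-01T12:00:00+01:00"))
	fmt.Println(Duplicates([]string{"SPDXRef-a", "SPDXRef-b", "SPDXRef-a"}))
	fmt.Println(ParseCreator("Organization: Google LLC (security@example.com)"))
}
```

The regular expression in ValidCreated matters: a timestamp with a numeric offset or fractional seconds is a valid RFC 3339 value, so a parser-only check would accept inputs that the YYYY-MM-DDThh:mm:ssZ rule rejects.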
## google
The Google SBOM Style Guide is similar to the SPDX requirements with a few additional restrictions for SBOMs authored by Google.
This is a top-level check that passes if the Document Name field is present and not empty.
This is a top-level check that passes if the Document Namespace field is present and conforms to https://spdx.google/<uuid>.
This is a top-level check that passes if the Data License field is CC0-1.0.
This is a top-level check that passes if the Document SPDX Identifier field is SPDXRef-DOCUMENT.
This is a top-level check that passes if the Creator contains an "Organization: Google LLC" entry, contains a Tool entry, and does not contain a Person entry.
This is a top-level check that passes if the Created field is present and conforms to YYYY-MM-DDThh:mm:ssZ.
This is a top-level check that passes if, for each entry in the Other Licensing Information section, all of the following are true:
- the License Identifier field is present and conforms to LicenseRef-<idstring>, where idstring only contains letters, numbers, ., and/or -
- the License Identifier field is unique among all entries
- the Extracted Text field is present and not empty
This is a package-level check that passes if the Name field is present and non-empty.
This is a package-level check that passes if the Package SPDX Identifier field is present and conforms to SPDXRef-<idstring> where idstring only contains letters, numbers, ., and/or -.
This is a package-level check that passes if the Package Supplier field is one of NOASSERTION, Organization: ..., or Person: ....
This is a package-level check that passes if either the Package Concluded License field or the Package License Info From Files field is present and contains a reference to custom license text (or more than one, for the latter field). References to licenses in other SPDX documents are not allowed.
This is not an officially supported Google product. This project is not eligible for the Google Open Source Software Vulnerability Rewards Program.