I am not sure what fields comp_with_uniq_id is scoring #221

aidankeefe2022 · 2024-04-09T17:45:50Z

aidankeefe2022
Apr 9, 2024

I was removing parts of SBOMs and running them back through SBOMqs and comparing scores the comp_with_uniq_id never changed while all the others did for SPDX. I removed externalRefs and also removed SPDXID but the score did not change. I tried reading the score code but it seemed to support my idea that SPDXID and CPEs (stored in externalRefs?) were what the targets where. Where am I going wrong here?

riteshnoronha · 2024-04-09T22:05:55Z

riteshnoronha
Apr 9, 2024
Maintainer

A unique id for SPDX is the SPDXID of a component, along with the namespace of the document.

sbomqs/pkg/scorer/ntia.go

Line 102 in f95627d

return strings.Join([]string{d.Spec().Namespace(), c.ID()}, "")

➜  samples git:(main) sbomqs score -f comp_with_uniq_ids sbomqs-spdx-sbtool.json
featureScores()
SBOM Quality Score:10.0 components:70   sbomqs-spdx-sbtool.json
+-----------------------+--------------------+-----------+------------------------+
|       CATEGORY        |      FEATURE       |   SCORE   |          DESC          |
+-----------------------+--------------------+-----------+------------------------+
| NTIA-minimum-elements | comp_with_uniq_ids | 10.0/10.0 | 70/70 have unique ID's |
+-----------------------+--------------------+-----------+------------------------+

If you remove SPDXID of packages the count should drop. Below i removed SPDXID
from 3 components, you can see the unique ID dropped.

➜  samples git:(main) ✗ sbomqs score -f comp_with_uniq_ids sbomqs-spdx-sbtool.json
featureScores()
SBOM Quality Score:9.7  components:70   sbomqs-spdx-sbtool.json
+-----------------------+--------------------+----------+------------------------+
|       CATEGORY        |      FEATURE       |  SCORE   |          DESC          |
+-----------------------+--------------------+----------+------------------------+
| NTIA-minimum-elements | comp_with_uniq_ids | 9.7/10.0 | 68/70 have unique ID's |
+-----------------------+--------------------+----------+------------------------+

There is a off by one bug, which i will fix.

Does this answer your question ?

1 reply

aidankeefe2022 Apr 10, 2024
Author

It absolutely does thank you so much!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

I am not sure what fields comp_with_uniq_id is scoring #221

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

I am not sure what fields comp_with_uniq_id is scoring #221

aidankeefe2022 Apr 9, 2024

Replies: 1 comment · 1 reply

riteshnoronha Apr 9, 2024 Maintainer

aidankeefe2022 Apr 10, 2024 Author

aidankeefe2022
Apr 9, 2024

Replies: 1 comment 1 reply

riteshnoronha
Apr 9, 2024
Maintainer

aidankeefe2022 Apr 10, 2024
Author