
Unique SPDXID complies with NTIA Minimum Elements requirements #48

Closed
surendrapathak opened this issue Feb 19, 2023 · 1 comment · Fixed by #55
Comments

@surendrapathak (Collaborator) opened this issue Feb 19, 2023
sbomqs uses the presence of CPE/PURL to check for the 'Other unique identifiers' requirement. However, after discussing it with Kate Stewart here, it is clear that SPDXID alone can satisfy that criterion for SPDX.

Let us change sbomqs towards the original intent.

@riteshnoronha (Contributor) commented Feb 20, 2023

Other Unique Identifiers details from NTIA minimum elements

Definition

Other identifiers that are used to identify a component, or
serve as a look-up key for relevant database

More details

Other unique identifiers support automated efforts to map data across data uses and ecosystems
and can reinforce certainty in instances of uncertainty. Examples of commonly used unique
identifiers are Common Platform Enumeration (CPE), Software Identification (SWID) tags, and Package Uniform Resource
Locators (PURL). These other identifiers may not be available for every piece of software, but should be used if they exist.

The above points indicate that the presence of any of these identifiers would be enough. I then decided to re-read https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf

That indicates that for the other unique identifiers we should only be checking SPDXID + namespace for SPDX and serial number for CycloneDX.


Wondering if this should be a waterfall check of IDs, or just a presence check of serialNumber & SPDXID + namespace.

Let's discuss this more before changing it.
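Added example (not sbomqs code and not part of this thread): a stand-alone Go check that follows the survey reading above, i.e. a document identifier (SPDX documentNamespace or CycloneDX serialNumber) plus a unique per-component SPDXID / bom-ref, and that additionally counts CPE/PURL/SWID so a waterfall or scoring variant can be built on the same result. The type names, the two sample SBOMs, and their namespace, IDs and locators are invented for the example; the SPDX referenceType values (cpe22Type, cpe23Type, purl, swid) are the ones defined by SPDX 2.x.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample SBOMs, not taken from the sbomqs repository; namespace,
// SPDXIDs, bom-refs and locators are invented for the example.
const SampleSPDX = `{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
 "documentNamespace": "https://example.invalid/spdx/app-1.0",
 "packages": [
  {"SPDXID": "SPDXRef-Package-app", "name": "app", "externalRefs": [{"referenceCategory":
   "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/example.invalid/app@1.0.0"}]},
  {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib"}]}`

const SampleCDX = `{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
 "components": [
  {"bom-ref": "pkg:golang/example.invalid/app@1.0.0", "name": "app", "purl": "pkg:golang/example.invalid/app@1.0.0"},
  {"bom-ref": "comp-zlib", "name": "zlib", "cpe": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*"}]}`

// sbom covers only the fields this check reads from either format.
type sbom struct {
	BOMFormat    string `json:"bomFormat"` // CycloneDX
	SerialNumber string `json:"serialNumber"`
	Components   []struct {
		BOMRef string `json:"bom-ref"`
		Purl   string `json:"purl"`
		Cpe    string `json:"cpe"`
		Swid   *struct{ TagID string `json:"tagId"` } `json:"swid"`
	} `json:"components"`
	SPDXVersion       string `json:"spdxVersion"` // SPDX
	DocumentNamespace string `json:"documentNamespace"`
	Packages          []struct {
		SPDXID       string `json:"SPDXID"`
		ExternalRefs []struct{ ReferenceType string `json:"referenceType"` } `json:"externalRefs"`
	} `json:"packages"`
}

// IDCheck is the outcome of the "other unique identifiers" check for one SBOM.
type IDCheck struct {
	Format       string
	DocIDPresent bool     // documentNamespace (SPDX) or serialNumber (CycloneDX) is set
	Total        int      // components examined
	WithUniqueID int      // components whose SPDXID / bom-ref is set and unique in the document
	WithOtherID  int      // components that additionally carry a CPE, PURL or SWID tag
	Duplicates   []string // SPDXIDs / bom-refs reused by more than one component
}

// Passes: document identifier present and every component has a unique primary
// identifier. CPE/PURL/SWID are counted for a waterfall variant, not required.
func (r IDCheck) Passes() bool {
	return r.DocIDPresent && r.Total > 0 && r.WithUniqueID == r.Total && len(r.Duplicates) == 0
}

func (r *IDCheck) tally(id string, hasOther bool, seen map[string]bool) {
	r.Total++
	switch {
	case id == "": // missing primary identifier: not counted as unique
	case seen[id]: // reused identifier is not unique
		r.Duplicates = append(r.Duplicates, id)
	default:
		seen[id] = true
		r.WithUniqueID++
	}
	if hasOther {
		r.WithOtherID++
	}
}

// CheckOtherIdentifiers sniffs the format from the JSON and runs the check.
func CheckOtherIdentifiers(raw []byte) (IDCheck, error) {
	var d sbom
	if err := json.Unmarshal(raw, &d); err != nil {
		return IDCheck{}, err
	}
	seen := map[string]bool{}
	switch {
	case d.BOMFormat == "CycloneDX":
		r := IDCheck{Format: "CycloneDX", DocIDPresent: d.SerialNumber != ""}
		for _, c := range d.Components {
			r.tally(c.BOMRef, c.Purl != "" || c.Cpe != "" || (c.Swid != nil && c.Swid.TagID != ""), seen)
		}
		return r, nil
	case d.SPDXVersion != "":
		r := IDCheck{Format: "SPDX", DocIDPresent: d.DocumentNamespace != ""}
		for _, p := range d.Packages {
			other := false
			for _, ref := range p.ExternalRefs { // SPDX 2.x externalRefs referenceType values
				switch ref.ReferenceType {
				case "cpe22Type", "cpe23Type", "purl", "swid":
					other = true
				}
			}
			r.tally(p.SPDXID, other, seen)
		}
		return r, nil
	}
	return IDCheck{}, fmt.Errorf("neither CycloneDX nor SPDX JSON")
}
```

Running CheckOtherIdentifiers over both samples passes (every package/component has a unique SPDXID or bom-ref and the document-level identifier is set), while WithOtherID shows that only one of the two SPDX packages carries a PURL; a waterfall check would consult that count, a pure presence check would ignore it.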
