Add primary component detection scorer #210
LGTM
@riteshnoronha @surendrapathak Is it true that for SPDX the
Hi Seth, you are right. The SPDX specification itself does not explicitly make that distinction. However, our tools are primarily designed with a focus on distributable SBOMs, specifically with the NTIA minimum element recommendation for SBOM as the backdrop. The NTIA minimum elements require component-level granularity and the package as the primary artifact. This approach facilitates the linkage of components to vulnerability databases using mechanisms such as purl/cpe and swid. To further support this perspective, we have considered Steve Winslow's (@swinslow) article available at https://spdx.github.io/spdx-ntia-sbom-howto/#_2_2_spdx_elements. Hence the addition of the new Check. Of course,
Thanks for the response @riteshnoronha. Did you have a quote that NTIA minimum elements require the top-level component to be a package? They mention that a component may be a file in their definition of component:
I'm not an expert at this, only using this tool to evaluate an SBOM I'm creating for CPython. In the specific case I was using the CPython tarball being described as the top-level component instead of the "CPython" package.
Although maybe I should be using
Yes, that's a possibility. Can you share the SBOMs you are working on? Would love to see them. I'm assuming for CPython, since you are mostly working with C/C++ code, package names are not a thing, hence you would need to specify file names?
@riteshnoronha I've uploaded my draft here: https://gist.github.com/sethmlarson/103891c6cac4d41b11daab89e6c84868
@sethmlarson @riteshnoronha I agree with the comments above; the To the question about whether NTIA Minimum Elements requires it to be a Package: that's a great question, and I'm not certain offhand. I'm cc'ing @kestewart in case she has thoughts on this as well! Strangely, the link to the NTIA Minimum Elements PDF doesn't seem to be working for me any longer. Not sure if that's just an issue on my end or if NTIA changed the URL. The NTIA report, to my reading, doesn't require that the Additionally, some of the NTIA mandatory fields (e.g. "Version of the Component") I believe exist in SPDX only for Packages and not for Files. So although it might be possible to come up with an NTIA Minimum Elements SBOM in SPDX format that used just Files and not Packages, I suspect that's very much a rare edge case and would have its own challenges.
In earnest, we mixed up two recommendations, and it is not explicitly limited to 'Package' but seems heavily implied in the documents.
So, Seth is correct that FILE is a possible path to compliant SPDX and a compliant Minimum Elements document, but it feels that it is not the preferred implementation.
@sethmlarson thanks for sharing your SBOM. I looked over it and here are my findings. The SBOM is great and well done; I loaded it into our tool and found it was parsable and was able to detect vulns. Feedback:
@riteshnoronha Thank you for the feedback! I'll fix up the SBOM, and yes, the top-level package should have a
@sethmlarson those are from our SBOM automation platform (closed beta right now). I can send you an invite if you want to try it yourself.
@surendrapathak Added primary component detection to our scoring framework. I have added it as a quality metric. For SPDX we are checking if the relationships contain a DESCRIBES for a package identifier. For CycloneDX we are checking if the metadata describes a primary component.
CDX example
SPDX Example
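The two checks described in the comment above (SPDX: a DESCRIBES relationship whose target is a package identifier; CycloneDX: a declared metadata.component), as an added example that is not the project's own code. It runs on constructed minimal SPDX 2.3 and CycloneDX 1.4 JSON documents embedded below, and includes the case debated in the thread, where the document DESCRIBES a File (a tarball) rather than a Package; the function names and the pass/fail return shape are assumptions of this example.

```python
import json

# Constructed minimal documents (not from the thread), trimmed to the fields the check reads.
SPDX_PKG = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
            "packages": [{"name": "example-app", "SPDXID": "SPDXRef-Package-app", "versionInfo": "1.0"}],
            "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                               "relatedSpdxElement": "SPDXRef-Package-app"}]}
# The case discussed in the thread: the document DESCRIBES a File (a tarball), not a Package.
SPDX_FILE = {"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
             "files": [{"fileName": "./example-app.tar.gz", "SPDXID": "SPDXRef-File-tarball"}],
             "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                                "relatedSpdxElement": "SPDXRef-File-tarball"}]}
CDX_WITH = {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.0"}}}
CDX_WITHOUT = {"bomFormat": "CycloneDX", "specVersion": "1.4", "metadata": {}, "components": []}

def spdx_primary_component(doc):
    """Return the SPDXID of the Package the document DESCRIBES, else None.

    Rule from the comment: a DESCRIBES relationship whose target is a package
    identifier. A DESCRIBES pointing at a File (SPDX_FILE) is valid SPDX but does
    not satisfy it. Only DESCRIBES is handled here, not the inverse DESCRIBED_BY.
    """
    package_ids = {p.get("SPDXID") for p in doc.get("packages", [])}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("relatedSpdxElement") in package_ids:
            return rel["relatedSpdxElement"]
    return None

def cdx_primary_component(doc):
    """Return metadata.component.name, else None when no primary component is declared."""
    comp = doc.get("metadata", {}).get("component") or {}
    return comp.get("name") or None

def primary_component_check(sbom_json):
    """Dispatch on format and return (passed, detail). Unknown formats fail closed."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        found = cdx_primary_component(doc)
    elif "spdxVersion" in doc:
        found = spdx_primary_component(doc)
    else:
        return False, "unrecognised SBOM format"
    return found is not None, found or "no primary component found"

for label, sample in [("spdx-pkg", SPDX_PKG), ("spdx-file", SPDX_FILE),
                      ("cdx-with", CDX_WITH), ("cdx-without", CDX_WITHOUT)]:
    print(label, primary_component_check(json.dumps(sample)))
```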