
Implement Support for SBOM Quality Score Tool (sbomqs) #171

Closed
msymons opened this issue May 12, 2023 · 2 comments
Labels: enhancement (New feature or request), wontfix (This will not be worked on)

Comments


msymons commented May 12, 2023

Is your feature request related to a problem? Please describe.

A DT server with several hundred projects will often have a real variance in BOM quality. This might be caused by a number of things:

  • Different ecosystems mean different tools generating the BOM... Gradle, Maven, etc.
  • Out-of-date versions of the tools generating the BOM. E.g., two Maven projects both report BOM version 1.4 in DT, but one is generated using an older version of the cyclonedx-maven-plugin and thus may be of lower quality.
  • An up-to-date plugin generates the BOM... but is incorrectly configured for (say) schemaVersion. Thus, one might get two projects with the same out-of-date schemaVersion, but the one generated with the latest plugin has higher quality.

Describe the solution you'd like

Incorporate the sbomqs tool into the DT Jenkins plugin. This will allow for several pieces of functionality:

  • Calculation of BOM Quality Score
  • Option to fail a build (or mark it unstable) based on BOM quality (score)
  • Creation of quality score labels in Dependency-Track
  • Reporting of scoring output as a report in Jenkins so that one can see WHY a score is low (especially if it is causing the build to fail)

Additional context

Here is a screenshot showing labels in DT that have been created by sbomqs

[Screenshot: sbomqs-tags]

The tool will take care of removing old tags... important if (say) an upgrade of the tool that generates the BOM improves the score.

@msymons msymons added the enhancement New feature or request label May 12, 2023
@riteshnoronha commented

Thanks @msymons. I'm the creator of the tool; if you do decide to integrate this, please do reach out to me if you run into issues or concerns.

@sephiroth-j (Member) commented

This function goes beyond what this plugin is intended for. It is not a generic SBOM plugin and does not call an external executable, for whatever reason.

You can do this yourself in your Jenkins pipeline.

  1. call sbomqs and capture the output: def out = sh(script: 'sbomqs score <sbom-file>', returnStdout: true).trim()
  2. extract the score from the captured output and store it in a variable: def score = Float.parseFloat(out.split(' ')[0])
  3. let the build fail if the score is too low: if (score < 9.0) { error 'sbom quality too low' }
  4. use the feature of setting tags to set the sbomqs-tag when uploading the sbom file: dependencyTrackPublisher artifact: '<sbom-file>', ..., projectProperties: [tags: ["sbomqs=${score}"]]
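The four steps above assembled into one complete scripted Jenkinsfile, as an added example (not the plugin's own code and not from the comment). It keeps step 2's assumption that `sbomqs score <file>` prints the numeric score as its first whitespace-separated token, and assumes sbomqs is on the agent's PATH; the SBOM path, the two thresholds, and the project name and version are placeholders. `unstable`, `writeFile` and `archiveArtifacts` are standard pipeline steps; `projectName`, `projectVersion` and `synchronous` are assumed here to be accepted by `dependencyTrackPublisher` alongside the `projectProperties` shown in step 4.

```groovy
// Jenkinsfile (scripted pipeline). Added example, not part of the plugin or the comment above.
// Assumes: sbomqs on PATH; `sbomqs score <file>` prints the score as its first token.

def SBOM_FILE   = 'target/bom.xml'   // placeholder: wherever your build writes the BOM
def FAIL_BELOW  = 7.0f               // placeholder: hard gate, build fails under this
def WARN_BELOW  = 9.0f               // placeholder: soft gate, build goes UNSTABLE under this

// Pure helper: pull the score out of the captured sbomqs output.
// Returns null on anything that is not a number so that garbage output
// (missing binary, usage text, stack trace) is not mistaken for a low score.
@NonCPS
Float parseScore(String out) {
    def token = out.trim().split(/\s+/)[0]
    return (token ==~ /\d+(\.\d+)?/) ? Float.parseFloat(token) : null
}

node {
    stage('Build') {
        sh 'mvn -B package'   // placeholder: whatever step produces SBOM_FILE
    }

    stage('SBOM quality gate') {
        // Step 1: run sbomqs and capture its output
        def out = sh(script: "sbomqs score ${SBOM_FILE}", returnStdout: true).trim()

        // Keep the full report as a build artifact so a reviewer can see WHY a score is low
        writeFile file: 'sbomqs-report.txt', text: out
        archiveArtifacts artifacts: 'sbomqs-report.txt'

        // Step 2: parse, and fail loudly if the output did not contain a score
        def score = parseScore(out)
        if (score == null) {
            error "could not parse an sbomqs score from output: '${out.take(200)}'"
        }
        echo "sbomqs score for ${SBOM_FILE}: ${score}"

        // Step 3: gate the build on the score (hard fail, or mark unstable)
        if (score < FAIL_BELOW) {
            error "SBOM quality score ${score} is below the minimum ${FAIL_BELOW}"
        } else if (score < WARN_BELOW) {
            unstable "SBOM quality score ${score} is below the target ${WARN_BELOW}"
        }

        // Step 4: upload to Dependency-Track with the score recorded as a project tag
        dependencyTrackPublisher artifact: SBOM_FILE,
            projectName: 'my-project',            // placeholder
            projectVersion: env.BUILD_NUMBER,     // placeholder
            synchronous: true,
            projectProperties: [tags: ["sbomqs=${score}"]]
    }
}
```

Two design points: the parse step returns null rather than letting `Float.parseFloat` throw, so a broken sbomqs installation surfaces as a clear "could not parse" error instead of a confusing exception; and the gate runs before the upload, so a BOM that fails the hard threshold never reaches Dependency-Track at all, while a BOM that only misses the soft target is still uploaded and tagged but leaves the build marked UNSTABLE for follow-up.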

@sephiroth-j sephiroth-j added the wontfix This will not be worked on label Jan 28, 2024
@sephiroth-j sephiroth-j closed this as not planned Jan 29, 2024