In [1]:
#| hide
import kglab
import pandas as pd
from sbom_analysis.core import *

pd.set_option("display.precision", 2)
#pd.set_option('display.max_colwidth', None)

# [gh-sbom](https://github.com/advanced-security/gh-sbom)


On this page, we analyze the SBOM generated by the [gh-sbom](https://github.com/advanced-security/gh-sbom) tool for the [PyTorch](https://github.com/pytorch/pytorch) GitHub repository. The overall analysis for `gh-sbom` is available [here](../../tool_analysis/tools_overall_analysis.qmd#gh-sbom).


The SPDX SBOM was generated in the JSON format and converted to RDF/XML using [pyspdxtools](https://github.com/spdx/tools-python).
It is a valid SPDX file and can be validated using the [SPDX online validator](https://tools.spdx.org/app/validate/).

## SBOM size

In [2]:

kg = kglab.KnowledgeGraph()
kg.load_rdf("../../../data/tools_cs1/sboms/rdf/pytorch-gh-sbom-spdx23.rdf.xml", format="xml")


print("Files:", len(get_files_data(kg)))
print("Packages:", len(get_package_data(kg)))
print("relationships:", len(get_relationship_data(kg)))

Files: 0
Packages: 231
relationships: 1


## Is this SBOM NTIA minimum element conformant? False


| Individual elements                 | Status |
|-------------------------------------|--------|
| All component names provided?       | True   |
| All component versions provided?    | False  |
| All component identifiers provided? | True   |
| All component suppliers provided?   | False  |
| SBOM author name provided?          | True   |
| SBOM creation timestamp provided?   | True   |
| Dependency relationships provided?  | False  |

Source: [ntia_checker](https://tools.spdx.org/app/ntia_checker/)
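As an added example that is not part of this notebook, the NTIA minimum element checks in the table above can be computed directly from an SPDX 2.3 JSON document. The SPDX fragment below is constructed, and not counting the `SPDXRef-DOCUMENT` DESCRIBES relationship as a dependency relationship is an assumption that matches the table's result for this SBOM.

```python
import json

# Constructed SPDX 2.3 JSON document (not the PyTorch SBOM analyzed on this page):
# three packages, one without a version, one without a supplier, and only the
# document -> main package relationship, as observed for the gh-sbom output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator"]},
    "packages": [
        {"SPDXID": "SPDXRef-main", "name": "example-app", "versionInfo": "1.0.0",
         "supplier": "Organization: Example"},
        {"SPDXID": "SPDXRef-pkg-a", "name": "libfoo", "versionInfo": "2.3.1"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "libbar", "supplier": "Person: Someone"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-main"},
    ],
})


def ntia_minimum_elements(spdx_json: str) -> dict:
    """Return one boolean per NTIA minimum element, using the table's row labels."""
    doc = json.loads(spdx_json)
    pkgs = doc.get("packages", [])
    info = doc.get("creationInfo", {})
    # Assumption: a relationship only conveys dependency structure if it does not
    # originate from the document itself (the DESCRIBES link to the root package).
    dep_rels = [r for r in doc.get("relationships", [])
                if r.get("spdxElementId") != "SPDXRef-DOCUMENT"]
    # An SBOM with no packages at all provides nothing, so guard the all() calls.
    has_pkgs = bool(pkgs)
    return {
        "All component names provided?": has_pkgs and all(p.get("name") for p in pkgs),
        "All component versions provided?": has_pkgs and all(p.get("versionInfo") for p in pkgs),
        "All component identifiers provided?": has_pkgs and all(p.get("SPDXID") for p in pkgs),
        "All component suppliers provided?": has_pkgs and all(p.get("supplier") for p in pkgs),
        "SBOM author name provided?": bool(info.get("creators")),
        "SBOM creation timestamp provided?": bool(info.get("created")),
        "Dependency relationships provided?": bool(dep_rels),
    }


def is_ntia_conformant(spdx_json: str) -> bool:
    """Conformant only when every minimum element check passes."""
    return all(ntia_minimum_elements(spdx_json).values())


if __name__ == "__main__":
    for element, status in ntia_minimum_elements(SAMPLE_SPDX).items():
        print(f"{element:40} {status}")
    print("NTIA conformant:", is_ntia_conformant(SAMPLE_SPDX))
```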

## Quality Score

In [3]:
dir_qs = "../../../data/tools_cs1/sbomqs/"
sbomqs_df, feature_qscores = sbomqs_scores(dir_qs)
display_qscores_with_descriptions(feature_qscores, tool_list=['GitHub.com-Dependency-Graph'])


| feature               | score | description                                           | tool                        |
|-----------------------|-------|-------------------------------------------------------|-----------------------------|
| sbom_spec             | 10.0  | provided sbom is in a supported sbom format of...     | GitHub.com-Dependency-Graph |
| sbom_spec_version     | 10.0  | provided sbom should be in supported spec vers...     | GitHub.com-Dependency-Graph |
| sbom_spec_file_format | 10.0  | provided sbom should be in supported file form...     | GitHub.com-Dependency-Graph |
| sbom_parsable         | 10.0  | provided sbom is parsable                             | GitHub.com-Dependency-Graph |


| feature                 | score | description                 | tool                        |
|-------------------------|-------|-----------------------------|-----------------------------|
| comp_with_supplier      | 0.0   | 0/231 have supplier names   | GitHub.com-Dependency-Graph |
| comp_with_name          | 10.0  | 231/231 have names          | GitHub.com-Dependency-Graph |
| comp_with_version       | 8.92  | 206/231 have versions       | GitHub.com-Dependency-Graph |
| comp_with_uniq_ids      | 10.0  | 231/231 have unique ID's    | GitHub.com-Dependency-Graph |
| sbom_dependencies       | 0.0   | doc has 0 relationships     | GitHub.com-Dependency-Graph |
| sbom_authors            | 10.0  | doc has 1 authors           | GitHub.com-Dependency-Graph |
| sbom_creation_timestamp | 10.0  | doc has creation timestamp  | GitHub.com-Dependency-Graph |


| feature              | score | description                         | tool                        |
|----------------------|-------|-------------------------------------|-----------------------------|
| sbom_required_fields | 10.0  | Doc Fields:true Pkg Fields:true     | GitHub.com-Dependency-Graph |
| comp_with_licenses   | 6.32  | 146/231 have licenses               | GitHub.com-Dependency-Graph |
| comp_with_checksums  | 0.0   | 0/231 have checksums                | GitHub.com-Dependency-Graph |


| feature                        | score | description                                        | tool                        |
|--------------------------------|-------|----------------------------------------------------|-----------------------------|
| comp_valid_licenses            | 6.32  | 146/231 components with valid license              | GitHub.com-Dependency-Graph |
| comp_with_primary_purpose      | 0.0   | 0/231 components have primary purpose specified    | GitHub.com-Dependency-Graph |
| comp_with_deprecated_licenses  | 10.0  | 0/231 components have deprecated licenses          | GitHub.com-Dependency-Graph |
| comp_with_restrictive_licenses | 10.0  | 0/231 components have restricted licenses          | GitHub.com-Dependency-Graph |
| comp_with_any_vuln_lookup_id   | 8.7   | 201/231 components have any lookup id              | GitHub.com-Dependency-Graph |
| comp_with_multi_vuln_lookup_id | 0.0   | 0/231 components have multiple lookup id           | GitHub.com-Dependency-Graph |
| sbom_with_creator_and_version  | 0.0   | 0/1 tools have creator and version                 | GitHub.com-Dependency-Graph |


| feature       | score | description                                 | tool                        |
|---------------|-------|---------------------------------------------|-----------------------------|
| sbom_sharable | 10.0  | doc has a sharable license free 1 :: of 1   | GitHub.com-Dependency-Graph |


## Dependencies

In [4]:

# get the relationship graph to be visualized
graph = visualize_relationship_graph(kg)

# optional: set the physics layout of the network
graph.force_atlas_2based()
graph.set_edge_smooth('dynamic')

# show graph
graph.show("../../figs/cs1-gh-sbom.relationship_full.html")

../../figs/cs1-gh-sbom.relationship_full.html


**Note**: There is only one relationship, between `spdx:Document` and the main package. There are no relationships between the detected packages.