fix: align NTIA compliance checkers with NTIA 2021 standard#97
vpetersson merged 2 commits into master from
Conversation
The test NTIA compliance checkers had several discrepancies with the official NTIA Minimum Elements standard (July 2021). This aligns them with the correct interpretation:
- Author of SBOM Data: Check `metadata.authors`, not `metadata.tools`. NTIA defines "Author" as the entity that creates the SBOM, not the generating software tool.
- Unique Identifiers: Accept PURL, CPE (cpe22Type/cpe23Type), or SWID. Previously only checked PURL for SPDX and missed SWID for CycloneDX.
- Dependency Relationships: Require DEPENDS_ON or CONTAINS relationship types. DESCRIBES alone does not satisfy the NTIA dependency requirement.
- Supplier Validation: Properly validate CycloneDX supplier field which can be publisher (string), supplier.name (dict), or supplier (string).

Also updated test fixtures to match stricter validation rules.
Pull request overview
This PR aligns NTIA compliance checkers with the official NTIA Minimum Elements standard (July 2021) by correcting the interpretation of several key requirements. The changes ensure that "Author of SBOM Data" checks for the entity creating the SBOM (authors) rather than the generating tool, expands unique identifier validation to include CPE and SWID formats beyond just PURL, and enforces that dependency relationships must be DEPENDS_ON or CONTAINS types rather than accepting DESCRIBES alone.
Changes:
- Corrected "Author of SBOM Data" to check `metadata.authors` instead of `metadata.tools`
- Expanded unique identifier validation to accept PURL, CPE (cpe22Type/cpe23Type), or SWID for both SPDX and CycloneDX formats
- Strengthened dependency relationship validation to require DEPENDS_ON or CONTAINS relationship types
- Enhanced CycloneDX supplier validation to handle string, dict, and publisher field formats
- Updated test fixtures to include authors field and proper dependency relationships
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/test_ntia_compliance.py | Updated compliance checker logic for CycloneDX and SPDX formats, including author validation, supplier validation improvements, unique identifier expansion, and dependency relationship enforcement; updated test fixtures with authors and proper relationships |
| tests/test_container_sbom_ntia_compliance.py | Applied same compliance checker updates for container SBOM validation, including author field checking, expanded unique identifier types, and strengthened dependency relationship validation |
Comments suppressed due to low confidence (1)
tests/test_ntia_compliance.py:1
- The stats key 'components_with_purl' is misleading now that the check also accepts CPE and SWID identifiers. Consider renaming to 'components_with_identifiers' or 'components_with_unique_id' to accurately reflect what is being counted.
Address PR review feedback:
- SWID validation: Check structure (tagId + name required) per CycloneDX
schema, not just field presence. An empty object {} is not a valid SWID.
- Rename misleading stats keys: *_with_purl -> *_with_identifiers since
we now accept PURL, CPE, and SWID as valid unique identifiers.
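A checker in the shape the PR description and the follow-up commit describe, as an added example that is not the project's own test code: it applies the corrected rules (authors rather than tools, PURL/CPE/SWID identifiers with SWID required to carry `tagId` and `name`, supplier from `publisher`/`supplier.name`/`supplier`, and a real `dependsOn` edge) to a CycloneDX JSON document and reports stats under the renamed `components_with_identifiers` key. Field names follow the CycloneDX JSON schema; the two sample documents are constructed for the example.

```python
def has_supplier(comp):
    """CycloneDX supplier may be publisher (str), supplier (str) or supplier.name (dict)."""
    sup = comp.get("supplier")
    if isinstance(sup, dict):
        sup = sup.get("name")
    return bool(comp.get("publisher")) or bool(sup)

def has_unique_id(comp):
    """Accept a non-empty purl or cpe, or a SWID tag that carries both tagId and name."""
    swid = comp.get("swid")  # an empty {} is present but is not a valid SWID tag
    swid_ok = isinstance(swid, dict) and bool(swid.get("tagId")) and bool(swid.get("name"))
    return bool(comp.get("purl") or comp.get("cpe")) or swid_ok

def check_cyclonedx_ntia(sbom):
    """Return (failures, stats); an empty failures dict means the document passes."""
    failures, meta = {}, sbom.get("metadata", {})
    if not meta.get("authors"):  # NTIA "Author" is the SBOM creator, not metadata.tools
        failures["author"] = "metadata.authors missing"
    comps = sbom.get("components", [])
    stats = {"components": len(comps), "components_with_identifiers": 0}
    for c in comps:
        ref = c.get("bom-ref", c.get("name"))
        if not has_supplier(c):
            failures.setdefault("supplier", []).append(ref)
        if has_unique_id(c):
            stats["components_with_identifiers"] += 1
        else:
            failures.setdefault("unique_id", []).append(ref)
    # A dependencies[] entry whose dependsOn is empty records no relationship,
    # just as a DESCRIBES relationship alone does not in SPDX.
    edges = [t for d in sbom.get("dependencies", []) for t in d.get("dependsOn", [])]
    if not edges:
        failures["dependencies"] = "no dependsOn relationships"
    return failures, stats

# Constructed sample documents (not the project's fixtures).
GOOD = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"authors": [{"name": "Example Build Team"}],
                 "component": {"bom-ref": "app", "name": "app", "version": "1.0"}},
    "components": [
        {"bom-ref": "lib-a", "name": "lib-a", "version": "2.3", "publisher": "Acme",
         "purl": "pkg:pypi/lib-a@2.3"},
        {"bom-ref": "lib-b", "name": "lib-b", "version": "0.9", "supplier": {"name": "Acme"},
         "swid": {"tagId": "example-tag-id", "name": "lib-b"}}],
    "dependencies": [{"ref": "app", "dependsOn": ["lib-a", "lib-b"]}]}
# Same document with the PR's three mistakes: tools-only author, empty SWID, no dependency edges.
BAD = {**GOOD, "metadata": {"tools": [{"name": "some-generator"}]},
       "components": [GOOD["components"][0], {**GOOD["components"][1], "swid": {}}],
       "dependencies": [{"ref": "app", "dependsOn": []}]}
```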