NTIA "Other unique identifiers" check needs review #86

Closed
surendrapathak opened this issue Feb 17, 2023 · 6 comments
Labels: bug (Something isn't working), question (Further information is requested)

Comments

@surendrapathak

NTIA component identifiers check passes for the attached file (please remove .txt from it before running).

```
Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | False
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | True
```

The script expects the presence of a unique SPDXID, which is truly unique for all packages.

However, the NTIA intent with "Other unique identifiers" appears to be checking for PURL/CPE/SWID (or equivalent). From the NTIA doc: "Other unique identifiers support automated efforts to map data across data uses and ecosystems and can reinforce certainty in instances of uncertainty. Examples of commonly used unique identifiers are Common Platform Enumeration (CPE), Software Identification (SWID) tags, and Package Uniform Resource Locators (PURL). These other identifiers may not be available for every piece of software, but should be used if they exist."

With the CPE/PURL/SWID interpretation, only 8 out of 15 components have a unique identifier, e.g.:

ExternalRef: PACKAGE-MANAGER purl pkg:oci/busybox@sha256:f4ed5f2163110c26d42741fdc92bd1710e118aed4edb19212548e8ca4e5fca22?mediaType=application%2Fvnd.docker.distribution.manifest.list.v2+json&repository_url=index.docker.io%2Flibrary

but completely missing from the following package

PackageName: sha256:3d8a17fefa47b7be9e46147c5e670fb74d3de4a45889e307c5b7e85da5bee3d0

On this issue, the sbomqs implementation differs from ntia-conformance-checker, so I would like to get SPDX's interpretation for a consistent implementation.

PS: Thanks to @kestewart for pointing me to this tool
bom-alpine-3.15.spdx.txt

jspeed-meyers added the bug and question labels on Feb 17, 2023

@jspeed-meyers (Collaborator)

@surendrapathak, thank you again.

Just to be absolutely clear: Are you saying that ntia-conformance-checker should check for purl, CPE, or SWID, NOT the SPDX package ID, for the "All component identifiers provided?" check?

That makes sense to me.

@surendrapathak (Author) commented Feb 17, 2023

That's correct. NTIA intended to find unique identifiers over the ecosystem and therefore checking for CPE, PURL, and SWID are natural candidates.

At Interlynk's implementation, we have focused on CPE/PURL (the most common ones). SWID is to come soon.
https://github.com/interlynk-io/sbomqs/blob/main/pkg/scorer/ntia.go#L74-L85

Strictly, NTIA did leave room for other vertical-wide IDs (say UDI). However, we decided to start on the software side and based on the need, move to other systems.

@goneall (Member) commented Feb 17, 2023

Ping @kestewart on this topic - I was under the impression an SPDX ID would satisfy the requirement. From the above conversation, it looks like the SPDX ID is not sufficient to meet the NTIA minimum requirements. Since you were part of the discussions with NTIA - I just wanted to check if you agree with this.

@kestewart (Collaborator)

@jspeed-meyers @surendrapathak - the unique id over the ecosystem is satisfied by the combination of namespace of the SPDX document "+" SPDXID. The combination provides a globally unique identifier, and I discussed this at length during the drafting with others.

It is fine to put in other aliases via external references like purl, CPE, etc., but in the end, none of them are any more unique.

As long as there is a globally unique namespace for the SPDX document, and SPDXIDs are used for the components, that satisfies a unique identifier.
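The two readings debated in this thread side by side: the reporter's check for a purl/CPE/SWID ExternalRef on every package, and kestewart's check that DocumentNamespace + SPDXID gives each package a globally unique identifier. This is an added example, not code from ntia-conformance-checker or sbomqs; the minimal tag-value parser and the sample SPDX document are constructed for illustration.

```python
import re

# Constructed SPDX tag-value fragment (not the attached bom-alpine-3.15.spdx file).
SAMPLE_SPDX = """\
DocumentNamespace: https://example.invalid/sbom/demo-1234
SPDXID: SPDXRef-DOCUMENT
PackageName: busybox
SPDXID: SPDXRef-Package-busybox
ExternalRef: PACKAGE-MANAGER purl pkg:oci/busybox@sha256:0000
PackageName: musl
SPDXID: SPDXRef-Package-musl
ExternalRef: SECURITY cpe23Type cpe:2.3:a:musl-libc:musl:1.2.2:*:*:*:*:*:*:*
PackageName: sha256:3d8a17fefa47b7be9e46147c5e670fb74d3de4a45889e307c5b7e85da5bee3d0
SPDXID: SPDXRef-Package-layer
"""
# SPDX ExternalRef types that carry the identifiers NTIA cites (CPE, SWID, PURL).
ID_REF_TYPES = {"purl", "cpe22Type", "cpe23Type", "swid"}

def parse_tag_value(text):
    """Minimal (hypothetical) parser: returns (DocumentNamespace, [package dicts])."""
    namespace, packages, pkg = None, [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "DocumentNamespace":
            namespace = value
        elif tag == "PackageName":  # a PackageName tag opens a new package section
            pkg = {"name": value, "spdxid": None, "ref_types": set()}
            packages.append(pkg)
        elif tag == "SPDXID" and pkg is not None:  # the document's own SPDXID is skipped
            pkg["spdxid"] = value
        elif tag == "ExternalRef" and pkg is not None:
            parts = value.split(maxsplit=2)  # <category> <type> <locator>
            if len(parts) == 3:
                pkg["ref_types"].add(parts[1])
    return namespace, packages

def spdxid_check(namespace, packages):
    """Reading 1: DocumentNamespace + SPDXID must exist and be unique for every package."""
    ids = [f"{namespace}#{p['spdxid']}" for p in packages if p["spdxid"]]
    return bool(namespace) and len(ids) == len(packages) == len(set(ids))

def missing_external_ids(packages):
    """Reading 2: names of packages that carry no purl/CPE/SWID ExternalRef at all."""
    return [p["name"] for p in packages if not (p["ref_types"] & ID_REF_TYPES)]
```

On the sample, reading 1 passes (all three packages have a namespaced SPDXID) while reading 2 flags the sha256-named layer, which mirrors the split reported at the top of this issue.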

@surendrapathak (Author)

Thanks for sharing the background @kestewart
Then we'll go and make the change at our end to keep it consistent with the original intent.

Ok to close this as expected behavior.

@jspeed-meyers (Collaborator)

Thank you, @kestewart. And thank you for raising this, @surendrapathak -- you taught me something I didn't know!
