NTIA "Other unique identifiers" check needs review #86
Comments
@surendrapathak, thank you again. Just to be absolutely clear: Are you saying that That makes sense to me.
That's correct. NTIA intended to find unique identifiers over the ecosystem and therefore checking for CPE, PURL, and SWID are natural candidates. In Interlynk's implementation, we have focused on CPE/PURL (the most common ones). SWID is to come soon. Strictly, NTIA did leave room for other vertical-wide IDs (say UDI). However, we decided to start on the software side and, based on the need, move to other systems.
Ping @kestewart on this topic - I was under the impression an SPDX ID would satisfy the requirement. From the above conversation, it looks like the SPDX ID is not sufficient to meet the NTIA minimum requirements. Since you were part of the discussions with NTIA, I just wanted to check if you agree with this.
@jspeed-meyers @surendrapathak - the unique id over the ecosystem is satisfied by the combination of the namespace of the SPDX document "+" SPDXID. The combination provides a globally unique identifier, and I discussed this at length during the drafting with others. It is fine to put in other aliases via external references like purl, CPE, etc., but in the end, none of them are any more unique. As long as there is a globally unique namespace for the SPDX document, and SPDXIDs are used for the components, that satisfies a unique identifier.
Thanks for sharing the background @kestewart. OK to close this as expected behavior.
Thank you, @kestewart. And thank you for raising this @surendrapathak -- you taught me something I didn't know!
NTIA component identifiers check passes for the attached file (please remove .txt from it before running).
The script expects the presence of unique SPDXID which is truly unique for all packages.
However, NTIA intent with Other unique identifier appears to be checking for PURL/CPE/SWID (or equivalent). From the NTIA doc -
Other unique identifiers support automated efforts to map data across data uses and ecosystems and can reinforce certainty in instances of uncertainty. Examples of commonly used unique identifiers are Common Platform Enumeration (CPE), Software Identification (SWID) tags, and Package Uniform Resource Locators (PURL). These other identifiers may not be available for every piece of software, but should be used if they exist.
With the CPE/PURL/SWID interpretation, only 8 out of 15 components have unique identifier. e.g:
but completely missing from the following package
On this issue, the sbomqs implementation differs from ntia-conformance-checker, so I would like to get SPDX's interpretation for a consistent implementation.
PS: Thanks to @kestewart for pointing me to this tool
bom-alpine-3.15.spdx.txt
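The two readings discussed in this issue (namespace + SPDXID as the globally unique identifier, versus the presence of a CPE/PURL/SWID external reference) applied side by side to an SPDX 2.3 JSON document. This is an added example, not code from ntia-conformance-checker, sbomqs, or any commenter; the three-package SBOM inside it is constructed for the example and is not the attached bom-alpine-3.15.spdx file, and the `namespace#SPDXID` join is the URI form this example uses for the combination described in the thread.

```python
"""Compare two readings of NTIA's "other unique identifiers" on an SPDX 2.3 JSON doc.

Reading 1 (namespace + SPDXID): every package passes once the document has a
documentNamespace and package SPDXIDs are unique within it.
Reading 2 (CPE / PURL / SWID): a package passes only if it carries at least one
such external reference.
"""
import json

# Constructed sample SBOM (not the attachment from the issue): two packages carry
# an ecosystem identifier (purl, CPE 2.3); the third has only its SPDXID.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdx/example-sbom-1.0",
    "packages": [
        {
            "name": "musl",
            "SPDXID": "SPDXRef-Package-musl",
            "versionInfo": "1.2.2-r7",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:apk/alpine/musl@1.2.2-r7?arch=x86_64"},
            ],
        },
        {
            "name": "busybox",
            "SPDXID": "SPDXRef-Package-busybox",
            "versionInfo": "1.34.1-r5",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:busybox:busybox:1.34.1:*:*:*:*:*:*:*"},
            ],
        },
        {
            "name": "alpine-keys",
            "SPDXID": "SPDXRef-Package-alpine-keys",
            "versionInfo": "2.4-r1",
            # no externalRefs key at all: must not crash the check
        },
    ],
})

# (referenceCategory, referenceType) pairs SPDX 2.3 defines for the three
# identifier kinds NTIA names as examples. Treating them as one set is this
# example's assumption about what an "other unique identifier" check counts.
ECOSYSTEM_ID_TYPES = {
    ("SECURITY", "cpe22Type"),
    ("SECURITY", "cpe23Type"),
    ("SECURITY", "swid"),
    ("PACKAGE-MANAGER", "purl"),
}


def global_id(doc, pkg):
    """Reading 1: documentNamespace joined to the package SPDXID with '#'."""
    return f"{doc['documentNamespace']}#{pkg['SPDXID']}"


def ecosystem_ids(pkg):
    """Reading 2: the CPE / PURL / SWID locators a package carries (may be empty)."""
    return [
        ref["referenceLocator"]
        for ref in pkg.get("externalRefs", [])
        if (ref.get("referenceCategory"), ref.get("referenceType")) in ECOSYSTEM_ID_TYPES
    ]


def check_unique_identifiers(spdx_json_text):
    """Apply both readings to every package and return per-package detail plus counts."""
    doc = json.loads(spdx_json_text)
    packages = doc.get("packages", [])
    namespace_ok = bool(doc.get("documentNamespace"))

    # Reading 1 is only meaningful if SPDXIDs really are unique inside the document.
    spdx_ids = [p["SPDXID"] for p in packages]
    ids_unique = len(spdx_ids) == len(set(spdx_ids))

    by_namespace = {p["name"]: (global_id(doc, p) if namespace_ok else None) for p in packages}
    by_ecosystem = {p["name"]: ecosystem_ids(p) for p in packages}

    return {
        "namespace_spdxid": by_namespace,
        "namespace_pass": sum(1 for v in by_namespace.values() if v) if ids_unique else 0,
        "ecosystem_ids": by_ecosystem,
        "ecosystem_pass": sum(1 for v in by_ecosystem.values() if v),
        "total": len(packages),
    }


if __name__ == "__main__":
    result = check_unique_identifiers(SAMPLE_SPDX_JSON)
    print(f"namespace+SPDXID reading: {result['namespace_pass']}/{result['total']} packages pass")
    print(f"CPE/PURL/SWID reading:    {result['ecosystem_pass']}/{result['total']} packages pass")
    for name, ids in result["ecosystem_ids"].items():
        print(f"  {name}: {ids or 'no CPE/PURL/SWID external ref'}")
```

On the constructed document the first reading passes all three packages and the second passes two, which is the same shape of disagreement the issue reports for the attached Alpine SBOM (8 of 15 under the CPE/PURL/SWID reading). A checker that reports both numbers makes the interpretation it applies explicit instead of silently picking one.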