Support for NTIA minimum elements for an SBOM #632

Open
luhring opened this issue Nov 16, 2021 · 13 comments · Fixed by #710
Assignees
Labels
enhancement New feature or request

Comments

@luhring
Contributor

luhring commented Nov 16, 2021

What would you like to be added:

Ensure that all SBOMs produced by Syft cover the NTIA's Minimum Elements For a Software Bill of Materials (SBOM).

Direct link to PDF: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

Why is this needed:

This set of minimum elements is an official recommendation to organizations producing SBOMs for the software they produce and consume. We should be sure that, when the need for this support is present, Syft is a great choice for users to produce compliant SBOMs.

Additional context:

It may be that Syft already does provide support for this. The goal of this ticket is to ensure that Syft does support these minimum elements, and once confirmed, advertise this information about Syft publicly, including on Syft's README.

Related Work

@luhring luhring added the enhancement New feature or request label Nov 16, 2021
@robinbryce

I was thinking about making a contribution here. If I added support for this, how likely is it to be accepted?

@luhring
Contributor Author

luhring commented Dec 7, 2021

@robinbryce We'd love a contribution! A contribution is very likely to be accepted, once it gets through a code review and the CI checks pass. Check out our CONTRIBUTING.md for our expectations for code contributions. And let us know if you have any questions about anything, we'd be happy to guide you along the process.

@robinbryce

Excellent, thanks!

@hectorj2f
Contributor

Yes, I started to investigate which properties are missing for CycloneDX:

  • Supplier of the software component
  • Version of the component
  • Component unique identifiers
  • Any component dependency relationships, and a timestamp of when and by whom the SBOM report was created.

I realized the supplier property is rarely fulfilled by either SPDX or CycloneDX. I also opened a PR to add dependencies to the Syft SBOM when it is generated.

@sambhav
Contributor

sambhav commented Dec 23, 2021

Some of this for CycloneDX may be solved by #710.

@hectorj2f
Contributor

Thanks @samj1912

@spiffcs spiffcs reopened this Jan 19, 2022
@spiffcs
Contributor

spiffcs commented Jan 19, 2022

Closed by mistake when merging a PR that had this issue attached. There are other follow-up PRs that will help us hit this goal.

@wagoodman
Contributor

A note for when this is picked up: take a look at the NTIA compliance checker and sbom-scorecards for possible automated CI validations once this work is completed.

@riteshnoronha

riteshnoronha commented Feb 25, 2023

We work a lot with SBOMs and created a tool to help check the quality of the SBOMs we receive; we have open-sourced it here: sbomqs. NTIA minimum elements is currently our baseline for acceptance, so we added a mode to this tool to quickly check if SBOMs are NTIA compliant: `sbomqs score --dirpath syft-bench --category NTIA-minimum-elements`. Using syft version 0.73.1, we ran a small benchmark using alpine:latest in SPDX & CDX; the results are here. Hope this helps.

SBOM Quality Score:7.1  components:17   syft-bench/syft-alpine.cdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Components have names          | 10.0/10.0 | 17/17 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 17/17 have unique ID's         |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/17 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 17/17 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T14:34:00-08:00      |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:7.1  components:17   syft-bench/syft-alpine.cdx.xml
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 1 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 17/17 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 0.0/10.0  | doc has 0 relationships        |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T14:34:00-08:00      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 17/17 have unique ID's         |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/17 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 17/17 have names               |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:8.6  components:16   syft-bench/syft-alpine.spdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 2 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 16/16 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 10.0/10.0 | doc has 100 relationships      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T22:34:01Z           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/16 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 16/16 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 16/16 have unique ID's         |
+-----------------------+--------------------------------+-----------+--------------------------------+
SBOM Quality Score:8.6  components:16   syft-bench/syft-alpine.spdx.tv
+-----------------------+--------------------------------+-----------+--------------------------------+
|       CATEGORY        |            FEATURE             |   SCORE   |              DESC              |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors                | 10.0/10.0 | doc has 2 authors              |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have versions       | 10.0/10.0 | 16/16 have versions            |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has relationships          | 10.0/10.0 | doc has 100 relationships      |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Doc has creation timestamp     | 10.0/10.0 | doc has creation timestamp     |
|                       |                                |           | 2023-02-24T22:34:01Z           |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have supplier names | 0.0/10.0  | 0/16 have supplier names       |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have names          | 10.0/10.0 | 16/16 have names               |
+                       +--------------------------------+-----------+--------------------------------+
|                       | Components have uniq ids       | 10.0/10.0 | 16/16 have unique ID's         |
+-----------------------+--------------------------------+-----------+--------------------------------+
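
The sbomqs run above is the kind of check this issue asks for. As an added Python example (not code from Syft or from sbomqs), the block below checks a CycloneDX JSON document against the same seven features the table reports on. The feature names are taken from the table; the pass/fail rule for each feature, the score formula (mean of per-feature fractions on a 0-10 scale) and the mapping of "Doc has authors" onto CycloneDX `metadata.authors` or `metadata.tools` are my assumptions, not sbomqs's algorithm. The embedded SBOM is a constructed sample that reproduces the two failures in the benchmark: a component without a supplier and a document without a `dependencies` array.

```python
"""Check a CycloneDX JSON SBOM for the NTIA minimum elements.

Added example for this issue thread; it is not code from Syft or sbomqs.
The seven feature names match the sbomqs table above. The pass/fail rules
and the score (mean of per-feature fractions, times 10) are assumptions.
"""
import json
from datetime import datetime
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape Syft emits for an image scan, cut down to
# two components. The second component has no supplier and the document has
# no "dependencies" array, mirroring the two 0.0 scores in the benchmark.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {
        "timestamp": "2023-02-24T14:34:00-08:00",
        "tools": [{"vendor": "anchore", "name": "syft", "version": "0.73.1"}],
        "component": {"bom-ref": "img-1", "type": "container", "name": "alpine:latest"},
    },
    "components": [
        {"bom-ref": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64", "type": "library",
         "name": "musl", "version": "1.2.3-r4",
         "purl": "pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64",
         "supplier": {"name": "Alpine Linux"}},
        {"bom-ref": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64", "type": "library",
         "name": "busybox", "version": "1.35.0-r29",
         "purl": "pkg:apk/alpine/busybox@1.35.0-r29?arch=x86_64"},
    ],
})


def _nonempty(value: Any) -> bool:
    return isinstance(value, str) and value.strip() != ""


def _valid_timestamp(value: Any) -> bool:
    # RFC 3339 timestamp; Python < 3.11 cannot parse a trailing "Z" directly.
    if not _nonempty(value):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _authors(meta: Dict[str, Any]) -> List[Any]:
    # NTIA "author of SBOM data": accept metadata.authors or the tools that
    # generated the document (assumption). In CycloneDX 1.5 "tools" may be an object.
    tools = meta.get("tools") or []
    if isinstance(tools, dict):
        tools = (tools.get("components") or []) + (tools.get("services") or [])
    return list(meta.get("authors") or []) + list(tools)


def check_ntia(sbom_json: str) -> Dict[str, Tuple[int, int]]:
    """Return {feature: (passing, total)} for the seven NTIA features."""
    doc = json.loads(sbom_json)
    comps: List[Dict[str, Any]] = doc.get("components") or []
    meta: Dict[str, Any] = doc.get("metadata") or {}
    n = len(comps)
    refs = [c.get("bom-ref") for c in comps]

    def count(pred) -> int:
        return sum(1 for c in comps if pred(c))

    return {
        "Components have names": (count(lambda c: _nonempty(c.get("name"))), n),
        # Unique identifier: a purl or CPE, plus a bom-ref no other component shares.
        "Components have uniq ids": (count(
            lambda c: (_nonempty(c.get("purl")) or _nonempty(c.get("cpe")))
            and _nonempty(c.get("bom-ref")) and refs.count(c["bom-ref"]) == 1), n),
        "Components have supplier names": (count(
            lambda c: _nonempty((c.get("supplier") or {}).get("name"))), n),
        "Components have versions": (count(lambda c: _nonempty(c.get("version"))), n),
        "Doc has authors": (1 if _authors(meta) else 0, 1),
        "Doc has relationships": (1 if doc.get("dependencies") else 0, 1),
        "Doc has creation timestamp": (1 if _valid_timestamp(meta.get("timestamp")) else 0, 1),
    }


def ntia_score(results: Dict[str, Tuple[int, int]]) -> float:
    """Mean per-feature pass fraction on a 0-10 scale (assumed, not sbomqs's formula)."""
    fractions = [ok / total if total else 0.0 for ok, total in results.values()]
    return round(10 * sum(fractions) / len(fractions), 1)


if __name__ == "__main__":
    results = check_ntia(SAMPLE_CDX)
    for feature, (ok, total) in results.items():
        print(f"{feature:32} {ok}/{total}")
    print(f"score: {ntia_score(results)}")
```

Running it against a real Syft document is a matter of passing the file contents to `check_ntia`; a CI gate can then fail the build when any feature has a zero in the left-hand column, which is the condition the supplier and relationship rows above would trigger.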

@wagoodman
Contributor

wagoodman commented Mar 9, 2023

Something under the category of "known unknowns", which the NTIA minimum requirements encourage: today we don't catalog the contents of archives. It would be ideal to try to capture the list of archives as known unknowns.

In the known unknowns section it would be great to be able to capture the full partial type in that section (say a full package with a missing version) so that we can report out more than just "this file was partially parsed to a package: "

@wagoodman
Contributor

We should be checking that all package names are valid relative to the NTIA requirements regardless of the cataloger conclusions (we should do this late in processing and warn/drop accordingly). Relevant issue #2038

@wagoodman
Contributor

From a gardening conversation: we could have an NTIA-compliant mode that will fill in unknown names and versions with a known "VALUE_MUST_BE_PROVIDED_MANUALLY" field (or similar) and outputs a warning / footer to stderr that lets the user know that user input is required to complete the SBOM. This way there is still a package in the SBOM (instead of it being dropped for NTIA requirements), and it lets the user fill out the fields that are left.

@wagoodman wagoodman added this to OSS Feb 7, 2024
@wagoodman wagoodman moved this to Ready in OSS Feb 7, 2024
@wagoodman
Contributor

wagoodman commented Jul 3, 2024

Summarizing an offline conversation (and some of the above threads): This work probably translates into doing at least the following tasks:

  • Run validator tools in the PR pipeline to detect when we are not compliant relative to the NTIA spec. Using the existing "package-coverage" integration image is probably the way to go here. We should also run this against each supported format (SPDX and CycloneDX).
  • Add a configuration option to enable/disable NTIA compliant SBOMs. This should allow for various behaviors (should we drop non compliant packages, fill empty fields with dummy values, etc)

Getting a proposal for the configuration I think will drive a lot of this.
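
One shape the "NTIA compliant mode" configuration could take, as an added Python example rather than Syft's own code: the two behaviours listed in the bullets (drop non-compliant packages, or fill empty fields with a placeholder) applied to a CycloneDX document after cataloging, with the warnings the earlier comment asks for returned to the caller so they can be written to stderr. The document is a constructed sample; the `VALUE_MUST_BE_PROVIDED_MANUALLY` marker is the one suggested above, and limiting the required fields to name and version follows that comment. The drop mode also prunes the `dependencies` graph of edges that point at removed components, which the proposal does not spell out but which is needed to keep the output consistent.

```python
"""Post-process a CycloneDX document into an NTIA-minimum-elements shape.

Added example for this issue thread, not Syft's implementation. Two modes
match the bullets above: "drop" removes components missing required fields,
"fill" keeps them with a placeholder value and records a warning for the
user. Required fields here are name and version, the two the thread names.
"""
import copy
import json
import sys
from typing import Any, Dict, List, Tuple

PLACEHOLDER = "VALUE_MUST_BE_PROVIDED_MANUALLY"  # marker suggested in the thread
REQUIRED_FIELDS = ("name", "version")

# Constructed sample: three cataloged packages, two of them incomplete, with
# a dependency graph that references all three.
SAMPLE_DOC: Dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"bom-ref": "img-1", "type": "container", "name": "example:latest"}},
    "components": [
        {"bom-ref": "pkg-a", "type": "library", "name": "musl", "version": "1.2.3-r4"},
        {"bom-ref": "pkg-b", "type": "library", "name": "vendored-tool"},  # no version found
        {"bom-ref": "pkg-c", "type": "library", "version": "2.0"},         # no name found
    ],
    "dependencies": [
        {"ref": "img-1", "dependsOn": ["pkg-a", "pkg-b", "pkg-c"]},
        {"ref": "pkg-a", "dependsOn": ["pkg-c"]},
        {"ref": "pkg-b", "dependsOn": []},
    ],
}


def missing_fields(component: Dict[str, Any]) -> List[str]:
    """Required fields that are absent, None, or blank."""
    return [f for f in REQUIRED_FIELDS if not str(component.get(f) or "").strip()]


def enforce_ntia(doc: Dict[str, Any], mode: str) -> Tuple[Dict[str, Any], List[str]]:
    """Return (new document, warnings). The input document is not modified."""
    if mode not in ("drop", "fill"):
        raise ValueError(f"unknown mode {mode!r}; expected 'drop' or 'fill'")
    out = copy.deepcopy(doc)
    warnings: List[str] = []
    kept: List[Dict[str, Any]] = []
    removed = set()

    for comp in out.get("components") or []:
        missing = missing_fields(comp)
        ref = comp.get("bom-ref") or "<no bom-ref>"
        if not missing:
            kept.append(comp)
        elif mode == "fill":
            for field in missing:
                comp[field] = PLACEHOLDER
            kept.append(comp)
            warnings.append(f"{ref}: {', '.join(missing)} set to {PLACEHOLDER}; fill in manually")
        else:
            removed.add(ref)
            warnings.append(f"{ref}: dropped (missing {', '.join(missing)})")
    out["components"] = kept

    # Dropping a component must not leave dangling edges in the dependency graph.
    if removed:
        deps = []
        for edge in out.get("dependencies") or []:
            if edge.get("ref") in removed:
                continue
            edge["dependsOn"] = [r for r in edge.get("dependsOn") or [] if r not in removed]
            deps.append(edge)
        out["dependencies"] = deps
    return out, warnings


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "fill"
    result, warns = enforce_ntia(SAMPLE_DOC, mode)
    print(json.dumps(result, indent=2))
    for w in warns:
        print(f"warning: {w}", file=sys.stderr)
    if warns:
        print(f"{len(warns)} component(s) need manual input", file=sys.stderr)
```

The SBOM body goes to stdout and the warnings to stderr, so the footer the proposal asks for does not end up inside the document when the output is redirected to a file. Returning the warnings rather than printing them inside `enforce_ntia` also keeps the policy decision (drop or fill) separate from how a given front end reports it.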

Labels
enhancement New feature or request
Projects
Status: In Progress

8 participants