Support for NTIA minimum elements for an SBOM #632
Comments
|
I was thinking about making a contribution here. If I added support for this how likely is it to be accepted ? |
|
@robinbryce We'd love a contribution! A contribution is very likely to be accepted, once it gets through a code review and the CI checks pass. Check out our CONTRIBUTING.md for our expectations for code contributions. And let us know if you have any questions about anything, we'd be happy to guide you along the process. |
|
excellent thanks! |
|
Yes, I started to investigate which properties are missing for cyclonedx:
I realized the supplier property is rarely fulfilled by Spdx nor CycloneDx. I also opened a PR to add dependencies to syft sbom when generated. |
|
Some of this for cyclonedx may be solved by #710 |
|
Thanks @samj1912 |
|
Closed by mistake when merging a PR that had this issue attached. There are other follow up PR that will help us hit this goal. |
|
A note for when this is picked up, take a look at NTIA compliance checker and sbom-scorecards for possible automated CI validations once this work is completed. |
|
We work a lot with sboms and created a tool to help check the quality of sboms we recv, we have opensourced it here sbomqs. NTIA minimum elements is our baseline acceptance current, so we added a mode to this tool, to quickly check if sboms are NTIA compliant |
|
Something under the category of "known unknowns" which the NTIA minimum requirements encourages, today we don't catalog the contents of archives. It would be ideal to try to capture the list of archives as known unknowns. In the known unknowns section it would be great to be able to capture the full partial type in that section (say a full package with a missing version) so that we can report out more than just "this file was partially parsed to a package: " |
|
We should be checking that all package names are valid relative to the NTIA requirements regardless of the cataloger conclusions (we should do this late in processing and warn/drop accordingly). Relevant issue #2038 |
|
From a conversation from gardening: we could have an NTIA compliant mode that will full in unknown names and versions with a known "VALUE_MUST_BE_PROVIDED_MANUALLY" field (or similar) and outputs a warning / footer in the output to stderr that lets the user know that user input is required to complete the SBOM. This way there is still a package in the SBOM (instead of it being dropped for NTIA requirements) but lets the user fill out the fields that are left. |
|
Summarizing an offline conversation (and some of the above threads): This work probably translates into doing at least the following tasks:
Getting a proposal for the configuration I think will drive a lot of this. |
What would you like to be added:
Ensure that all SBOMs produced by Syft cover the NTIA's Minimum Elements For a Software Bill of Materials (SBOM).
Direct link to PDF: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
Why is this needed:
This set of minimum elements is an official recommendation to organizations producing SBOMs for the software they produce and consume. We should be sure that, when the need for this support is present, Syft is a great choice for users to produce complaint SBOMs.
Additional context:
It may be that Syft already does provide support for this. The goal of this ticket is to ensure that Syft does support these minimum elements, and once confirmed, advertise this information about Syft publicly, including on Syft's README.
Related Work
The text was updated successfully, but these errors were encountered: