Ensure that Tern produces SPDX docs conformant to NTIA minimum elements #1205

Closed
rnjudge opened this issue Jan 4, 2023 · 5 comments · Fixed by #1213
Labels
spdx Issues related to the SPDX formatting of Tern reports

Comments

rnjudge (Contributor) commented Jan 4, 2023

Make sure that Tern's SPDX SBOMs have all of the minimum elements for an SBOM:
- Supplier Name
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp

More field mapping information here: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields

Tooling to check conformance: https://github.com/spdx/ntia-conformance-checker (perhaps this should also be included in the testing for PRs?)

@rnjudge rnjudge added the spdx Issues related to the SPDX formatting of Tern reports label Jan 4, 2023
@jspeed-meyers commented

I'm glad to help with the testing component. And if ntia-conformance-checker needs to adapt to fit tern's testing needs, please feel free to drop in issues, feature requests, or make PRs!

rnjudge (Contributor, Author) commented Jan 24, 2023

When I tested a SPDX document produced by Tern for the photon:3.0 container image, I got the following results (same results for tag value format):

(ternenv) rose@rose-vm:~/ternenv/ntia-conformance-checker/ntia_conformance_checker$ python3 main.py -v --file ../../tern/photon.json

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | False
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | False
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | True

Components missing a version: 5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15

Components missing an supplier: photon,5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15,bash,bzip2-libs,ca-certificates,ca-certificates-pki,curl,curl-libs,e2fsprogs-libs,elfutils-libelf,expat,expat-libs,filesystem,glibc,krb5,libcap,libdb,libgcc,libmetalink,libsolv,libssh2,lua,ncurses-libs,nspr,nss-libs,openssl,photon-release,photon-repos,popt,readline,rpm-libs,sqlite-libs,tdnf,tdnf-cli-libs,toybox,xz-libs,zlib,zstd-libs


jspeed-meyers commented Jan 24, 2023

@rnjudge, does that look right to you? You can get more detailed output by adding a -v flag. You can also get JSON output using --output json flag.

rnjudge (Contributor, Author) commented Jan 24, 2023

@jspeed-meyers not all of it looks correct. Opening an issue/question in the repo now :)

rnjudge (Contributor, Author) commented Jan 24, 2023

To summarize, the missing NTIA minimum info in Tern reports is as follows:

  1. The layer Package does not have a version associated with it.
PackageName: 5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15
SPDXID: SPDXRef-9b5d4fa77c
PackageFileName: 5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: 9b5d4fa77c08cc6b026c7a37524154531daa103658948bfd49932c4e77abeda6
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageComment: <text>
Layer 1:

  2. Packages do not have Package Supplier (7.5) information

  3. I believe the SBOM author provided status is incorrect. See What should "SBOM Author" name be if SBOM created by a tool? spdx/ntia-conformance-checker#52
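The checks listed in the opening comment and the three gaps summarized above, as an added example that is not part of this issue, of Tern, or of ntia-conformance-checker. It maps the seven NTIA minimum elements onto SPDX 2.3 JSON fields following the SPDX "how to use" appendix linked in the issue, runs them over a constructed two-package document modelled on the layer Package quoted above (the sample values, the `Organization:` supplier string and the author creator are assumptions, not Tern output), and then applies the same two fixes the linked commits describe (layer index as the layer's version, distro as supplier) to show the document passing.

```python
"""NTIA minimum-element check for an SPDX 2.3 JSON document.

Added example; not the ntia-conformance-checker implementation. The
sample documents below are constructed for illustration.
"""
import copy

# Layer digest quoted in the issue, reused here as a constructed package name.
LAYER_DIGEST = "5e94941e3961b26645fbfdc71a59d439537b98417546bfdab35fa074f121eb15"

# Constructed SPDX 2.3 JSON document resembling Tern's output shape:
# a container layer Package (no version, no supplier) containing an rpm
# package (version present, supplier NOASSERTION), created by a Tool only.
BEFORE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "photon-example",
    "creationInfo": {"created": "2023-01-24T00:00:00Z", "creators": ["Tool: tern"]},
    "packages": [
        {"name": LAYER_DIGEST, "SPDXID": "SPDXRef-layer1",
         "downloadLocation": "NOASSERTION", "filesAnalyzed": False,
         "comment": "Layer 1:"},
        {"name": "bash", "SPDXID": "SPDXRef-bash", "versionInfo": "5.0",
         "downloadLocation": "NOASSERTION", "supplier": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-layer1"},
        {"spdxElementId": "SPDXRef-layer1", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-bash"},
    ],
}


def _has(value):
    """SPDX treats NOASSERTION as 'no data'; NTIA needs a real value."""
    return value not in (None, "", "NOASSERTION")


def check_ntia(doc):
    """Return {element: bool} for the seven NTIA minimum elements."""
    pkgs = doc.get("packages", [])
    info = doc.get("creationInfo", {})
    referenced = set()
    for rel in doc.get("relationships", []):
        referenced.add(rel.get("spdxElementId"))
        referenced.add(rel.get("relatedSpdxElement"))
    return {
        "component names": all(_has(p.get("name")) for p in pkgs),
        "component versions": all(_has(p.get("versionInfo")) for p in pkgs),
        # SPDXID is mandatory per package, so this is the minimal identifier check.
        "component identifiers": all(_has(p.get("SPDXID")) for p in pkgs),
        # PackageSupplier (7.5) is optional in SPDX, hence the gap Tern had.
        "component suppliers": all(_has(p.get("supplier")) for p in pkgs),
        # Requires a Person/Organization creator; whether a Tool alone should
        # count is exactly the question raised in ntia-conformance-checker#52.
        "author name": any(c.startswith(("Person:", "Organization:"))
                           for c in info.get("creators", [])),
        "creation timestamp": _has(info.get("created")),
        # Every package must take part in at least one relationship.
        "dependency relationships": bool(pkgs) and all(
            p.get("SPDXID") in referenced for p in pkgs),
    }


def is_conformant(doc):
    return all(check_ntia(doc).values())


def packages_missing(doc, field):
    """Names of packages lacking a usable value for an SPDX JSON field."""
    return [p["name"] for p in doc.get("packages", []) if not _has(p.get(field))]


def apply_fixes(doc, distro, author):
    """Apply the two fixes from the linked commits (plus an assumed author).

    Layer packages (recognised here by the 'Layer N:' comment Tern writes)
    get their 1-based layer index as versionInfo, so the base OS layer is "1";
    packages without a supplier get the distro name as an Organization.
    """
    fixed = copy.deepcopy(doc)
    layer_no = 0
    for p in fixed["packages"]:
        if p.get("comment", "").startswith("Layer "):
            layer_no += 1
            p.setdefault("versionInfo", str(layer_no))
        if not _has(p.get("supplier")):
            p["supplier"] = "Organization: " + distro
    fixed["creationInfo"]["creators"].append(author)
    return fixed


# Constructed: distro name as read from /etc/os-release, author is a placeholder.
AFTER_DOC = apply_fixes(BEFORE_DOC, "photon", "Organization: example-org")

if __name__ == "__main__":
    for label, d in (("before", BEFORE_DOC), ("after", AFTER_DOC)):
        print(f"[{label}] NTIA conformant? {is_conformant(d)}")
        for element, ok in check_ntia(d).items():
            print(f"  {element:<28} | {ok}")
        print("  missing version:", packages_missing(d, "versionInfo"))
        print("  missing supplier:", packages_missing(d, "supplier"))
```

Run as a script it prints the same per-element table the checker produces, failing on versions, suppliers and author for the constructed "before" document and passing after the fixes; to use it on a real Tern report, `json.load` the file into `doc` and call `check_ntia(doc)`.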

rnjudge added a commit to rnjudge/tern that referenced this issue Jan 26, 2023
The NTIA minimum requirements for an SBOM require that all Packages have
version information. Since Tern represents container layers as SPDX
Packages, these package elements must have version information in order
to satisfy NTIA minimums. This commit adds version information to layer
"Packages" using the layer indexes (i.e. the base OS layer has version
"1")

Works towards tern-tools#1205

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit that referenced this issue Feb 7, 2023
The NTIA minimum requirements for an SBOM require that all Packages have
version information. Since Tern represents container layers as SPDX
Packages, these package elements must have version information in order
to satisfy NTIA minimums. This commit adds version information to layer
"Packages" using the layer indexes (i.e. the base OS layer has version
"1")

Works towards #1205

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue Feb 8, 2023
This commit adds package supplier information as an attribute in the
package class for package objects. For some package managers (like
PyPI), there is only one feasible supplier (PyPI) and this value is
set as a constant string (PyPI). For others, like rpm, the
string is determined using the /etc/os-release file based on the Linux
Distro providing the packages. While this is not a perfect way to
determine the distro/distributor, it is satisfactory to satisfy the
NTIA minimum elements for the upcoming EO 14028.

We decided to use the distro as the supplier based on conversations had
on the SPDX mailing list[1].

[1] https://lists.spdx.org/g/Spdx-tech/message/4942

Works towards tern-tools#1205

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit to rnjudge/tern that referenced this issue Feb 8, 2023
This commit adds `pkg_supplier` attribute values as `PackageSupplier`
field values in Tag Value and JSON SPDX documents.

Resolves tern-tools#1205

Signed-off-by: Rose Judge <rjudge@vmware.com>
rnjudge added a commit that referenced this issue Feb 28, 2023
This commit adds package supplier information as an attribute in the
package class for package objects. This commit also adds
`pkg_supplier` attribute values as `PackageSupplier` field values in
Tag Value and JSON SPDX documents.

For some package managers (like PyPI), there is only one feasible
supplier (PyPI) and this value is set as a constant string (PyPI). For
others, like rpm, the string is determined using the `/etc/os-release`
file based on the Linux Distro providing the packages. While this is
not a perfect way to determine the distro/distributor, it is satisfactory
to satisfy the NTIA minimum elements for the upcoming EO 14028.
We decided to use the distro as the supplier based on conversations
had on the SPDX mailing list[1].

[1] https://lists.spdx.org/g/Spdx-tech/message/4942

Resolves #1205

Signed-off-by: Rose Judge <rjudge@vmware.com>