Home » Categories

SBOM

sbomqs:v1.x.x Vs sbomqs:v2.x.x: What Changed?

Overview Hello Everyone 👋, We have released sbomqs:2.0 last week. This post is about major changes b/w sbomqs:1.x.x and sbomqs:2.0.x. Let’s understand, what exactly changed in sbomqs 2.0, and how it is different from the older 1.x scoring model? If you’ve been using sbomqs for a while, you know that 1.x scoring bundled everything together in a summarized way: $ sbomqs score samples/photon.spdx.json --legacy SBOM Quality by Interlynk Score:6.0 components:38 samples/photon.spdx.json +-----------------------+--------------------------------+-----------+--------------------------------+ | CATEGORY | FEATURE | SCORE | DESC | +-----------------------+--------------------------------+-----------+--------------------------------+ | NTIA-minimum-elements | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 10.0/10.0 | 38/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v1.1 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums_sha256 | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v2.0 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_associated_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_concluded_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_declared_license | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_hash | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_build_process | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_bomlinks | 0.0/10.0 | no bom links found | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_vuln | 10.0/10.0 | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_signature | 0.0/10.0 | No signature or public key | | | | | provided! | +-----------------------+--------------------------------+-----------+--------------------------------+ | Semantic | sbom_required_fields | 10.0/10.0 | Doc Fields:true Pkg | | | | | Fields:true | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums | 0.3/10.0 | 1/38 have checksums | +-----------------------+--------------------------------+-----------+--------------------------------+ | Quality | comp_valid_licenses | 2.9/10.0 | 11/38 components with valid | | | | | license | + +--------------------------------+-----------+--------------------------------+ | | comp_with_primary_purpose | 0.0/10.0 | 0/38 components have primary | | | | | purpose specified | + +--------------------------------+-----------+--------------------------------+ | | comp_with_deprecated_licenses | 10.0/10.0 | 0/38 components have | | | | | deprecated licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_restrictive_licenses | 10.0/10.0 | 0/38 components have | | | | | restricted licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_any_vuln_lookup_id | 0.0/10.0 | 0/38 components have any | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | comp_with_multi_vuln_lookup_id | 0.0/10.0 | 0/38 components have multiple | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_creator_and_version | 10.0/10.0 | 1/1 tools have creator and | | | | | version | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_primary_component | 10.0/10.0 | primary component found | +-----------------------+--------------------------------+-----------+--------------------------------+ | Sharing | sbom_sharable | 0.0/10.0 | doc has a sharable license | | | | | free 0 :: of 1 | +-----------------------+--------------------------------+-----------+--------------------------------+ | Structural | sbom_spec | 10.0/10.0 | provided sbom is in a | | | | | supported sbom format of | | | | | spdx,cyclonedx | + +--------------------------------+-----------+--------------------------------+ | | sbom_spec_version | 10.0/10.0 | provided sbom should be in | | | | | supported spec version for | | | | | spec:SPDX-2.3 and versions: | | | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 | + +--------------------------------+-----------+--------------------------------+ | | sbom_file_format | 10.0/10.0 | provided sbom should be in | | | | | supported file format for | | | | | spec: json and version: | | | | | json,yaml,rdf,tag-value | + +--------------------------------+-----------+--------------------------------+ | | sbom_parsable | 10.0/10.0 | provided sbom is parsable | +-----------------------+--------------------------------+-----------+--------------------------------+ The o/p contains: ...

November 29, 2025 · 16 min · 3304 words · Vivek Sahu

Why SBOMs Are Becoming Essential for QA in Regulated Industries - Part 1

This is part one of a two-part series. Here, we look at why SBOMs matter for software quality assurance. In the next post, we’ll walk through how to put them into practice. If you work in QA and want to explore this further, feel free to reach out. In regulated sectors like banking, fintech, healthcare, insurance, and automotive, software quality isn’t just about functionality — it’s about risk, compliance, stability, and auditability. ...

November 16, 2025 · 4 min · 683 words · Ritesh Noronha

Sbom Generator Recommendations & Workflows

This guide helps software engineers, DevSecOps teams, and open-source maintainers choose and implement the right SBOM (Software Bill of Materials) generator for their projects — based on technology stack, ecosystem, and workflow maturity. General Guidelines When selecting and using SBOM generators, follow these best practices: Choose actively maintained tools: Select SBOM generators that are actively maintained, whether they are ecosystem-built generators or external tools. Prefer Open Source Software (OSS): OSS SBOM generators are improving rapidly and benefit from community contributions and transparency. ...

November 5, 2025 · 6 min · 1094 words · Ritesh Noronha