Home » Tags

Scoring

sbomqs:v1.x.x Vs sbomqs:v2.x.x: What Changed?

Overview Hello Everyone 👋, We have released sbomqs:2.0 last week. This post is about major changes b/w sbomqs:1.x.x and sbomqs:2.0.x. Let’s understand, what exactly changed in sbomqs 2.0, and how it is different from the older 1.x scoring model? If you’ve been using sbomqs for a while, you know that 1.x scoring bundled everything together in a summarized way: $ sbomqs score samples/photon.spdx.json --legacy SBOM Quality by Interlynk Score:6.0 components:38 samples/photon.spdx.json +-----------------------+--------------------------------+-----------+--------------------------------+ | CATEGORY | FEATURE | SCORE | DESC | +-----------------------+--------------------------------+-----------+--------------------------------+ | NTIA-minimum-elements | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 10.0/10.0 | 38/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v1.1 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums_sha256 | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v2.0 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_associated_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_concluded_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_declared_license | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_hash | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_build_process | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_bomlinks | 0.0/10.0 | no bom links found | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_vuln | 10.0/10.0 | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_signature | 0.0/10.0 | No signature or public key | | | | | provided! | +-----------------------+--------------------------------+-----------+--------------------------------+ | Semantic | sbom_required_fields | 10.0/10.0 | Doc Fields:true Pkg | | | | | Fields:true | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums | 0.3/10.0 | 1/38 have checksums | +-----------------------+--------------------------------+-----------+--------------------------------+ | Quality | comp_valid_licenses | 2.9/10.0 | 11/38 components with valid | | | | | license | + +--------------------------------+-----------+--------------------------------+ | | comp_with_primary_purpose | 0.0/10.0 | 0/38 components have primary | | | | | purpose specified | + +--------------------------------+-----------+--------------------------------+ | | comp_with_deprecated_licenses | 10.0/10.0 | 0/38 components have | | | | | deprecated licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_restrictive_licenses | 10.0/10.0 | 0/38 components have | | | | | restricted licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_any_vuln_lookup_id | 0.0/10.0 | 0/38 components have any | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | comp_with_multi_vuln_lookup_id | 0.0/10.0 | 0/38 components have multiple | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_creator_and_version | 10.0/10.0 | 1/1 tools have creator and | | | | | version | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_primary_component | 10.0/10.0 | primary component found | +-----------------------+--------------------------------+-----------+--------------------------------+ | Sharing | sbom_sharable | 0.0/10.0 | doc has a sharable license | | | | | free 0 :: of 1 | +-----------------------+--------------------------------+-----------+--------------------------------+ | Structural | sbom_spec | 10.0/10.0 | provided sbom is in a | | | | | supported sbom format of | | | | | spdx,cyclonedx | + +--------------------------------+-----------+--------------------------------+ | | sbom_spec_version | 10.0/10.0 | provided sbom should be in | | | | | supported spec version for | | | | | spec:SPDX-2.3 and versions: | | | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 | + +--------------------------------+-----------+--------------------------------+ | | sbom_file_format | 10.0/10.0 | provided sbom should be in | | | | | supported file format for | | | | | spec: json and version: | | | | | json,yaml,rdf,tag-value | + +--------------------------------+-----------+--------------------------------+ | | sbom_parsable | 10.0/10.0 | provided sbom is parsable | +-----------------------+--------------------------------+-----------+--------------------------------+ The o/p contains: ...

November 29, 2025 · 16 min · 3304 words · Vivek Sahu

SBOM scoring into the Dependency-Track

Introduction Hey Everyone 👋, Today we will be discussing through a very specific practical, real-world use case, something that shows up the moment an organization starts taking software supply chain security seriously. Whether it’s because of internal security, or government push through compliance (like NTIA, BSI), or upcoming regulations like the EU CRA… On SBOM and SBOM Platforms These SBOM platforms help you monitor vulnerabilities, track licenses, and keep an eye on everything happening inside your software supply chain. And one of the popular OSS SBOM platform is: Dependency-Track. ...

November 25, 2025 · 7 min · 1415 words · Vivek Sahu