Scoring

Overview This is the fourth part of our SBOM compliance series. In the previous post, we discussed BSI TR-03183-2 v1.1, Germany’s SBOM compliance framework, and how to validate your SBOM using sbomqs. In this post, we will discuss BSI TR-03183-2 v2.0, the updated version released in September 2024, what changed, what it now expects from an SBOM, and how to check compliance. Let’s go. Context 🇩🇪 Germany’s Federal Office for Information Security (BSI) released version 2.0.0 of TR-03183-2 on 2024-09-20. This is a significant update, not just a clarification pass. v2.0 adds new required fields, introduces a brand new optional tier, tightens the language around vulnerability information. ...

Overview This is the third part of our SBOM compliance series. In the previous post, we discussed Framing Software Component Transparency (FSCT), how it builds on NTIA and shifts the focus from minimum presence to meaningful transparency. In this post, we will discuss BSI TR-03183-2 v1.1, Germany’s SBOM compliance framework, why it exists, what it expects from an SBOM, and how it compares to what we’ve seen so far. Let’s go. ...

In this blog, we’ll be discussing about NTIA minimum element SBOM Compliance. This blog is the first part of an SBOM compliance series. The series is about covering all different SBOM compliances framework one by one and understand why they exist and what they actually expect from an SBOM and lastly to check whether your SBOM is compliant or not. Before diving into NTIA minimum element compliance specifically, let’s understand the core of SBOM: ...

Overview Hello Everyone 👋, We have released sbomqs:2.0 last week. This post is about major changes b/w sbomqs:1.x.x and sbomqs:2.0.x. Let’s understand, what exactly changed in sbomqs 2.0, and how it is different from the older 1.x scoring model? If you’ve been using sbomqs for a while, you know that 1.x scoring bundled everything together in a summarized way: $ sbomqs score samples/photon.spdx.json --legacy SBOM Quality by Interlynk Score:6.0 components:38 samples/photon.spdx.json +-----------------------+--------------------------------+-----------+--------------------------------+ | CATEGORY | FEATURE | SCORE | DESC | +-----------------------+--------------------------------+-----------+--------------------------------+ | NTIA-minimum-elements | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 10.0/10.0 | 38/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v1.1 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums_sha256 | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | +-----------------------+--------------------------------+-----------+--------------------------------+ | bsi-v2.0 | comp_with_name | 10.0/10.0 | 38/38 have names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_version | 9.7/10.0 | 37/38 have versions | + +--------------------------------+-----------+--------------------------------+ | | comp_with_uniq_ids | 0.0/10.0 | 0/38 have unique ID's | + +--------------------------------+-----------+--------------------------------+ | | comp_with_supplier | 0.0/10.0 | 0/38 have supplier names | + +--------------------------------+-----------+--------------------------------+ | | comp_with_associated_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_concluded_license | 0.0/10.0 | 0/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_declared_license | 9.5/10.0 | 36/38 have compliant licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_uri | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | comp_with_source_code_hash | 0.0/10.0 | 0/38 have source code hash | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_uri | 10.0/10.0 | 38/38 have executable URI | + +--------------------------------+-----------+--------------------------------+ | | comp_with_executable_hash | 0.3/10.0 | 1/38 have checksums | + +--------------------------------+-----------+--------------------------------+ | | comp_with_dependencies | 0.5/10.0 | 2/38 have dependencies | + +--------------------------------+-----------+--------------------------------+ | | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and | | | | | version: SPDX-2.3 is supported | + +--------------------------------+-----------+--------------------------------+ | | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp | | | | | 2023-01-12T22:06:03Z | + +--------------------------------+-----------+--------------------------------+ | | sbom_authors | 10.0/10.0 | doc has 1 authors | + +--------------------------------+-----------+--------------------------------+ | | sbom_build_process | - | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_uri | 10.0/10.0 | doc has URI | + +--------------------------------+-----------+--------------------------------+ | | sbom_dependencies | 10.0/10.0 | primary comp has 1 | | | | | dependencies | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_bomlinks | 0.0/10.0 | no bom links found | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_vuln | 10.0/10.0 | no-deterministic-field in spdx | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_signature | 0.0/10.0 | No signature or public key | | | | | provided! | +-----------------------+--------------------------------+-----------+--------------------------------+ | Semantic | sbom_required_fields | 10.0/10.0 | Doc Fields:true Pkg | | | | | Fields:true | + +--------------------------------+-----------+--------------------------------+ | | comp_with_licenses | 9.5/10.0 | 36/38 have licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_checksums | 0.3/10.0 | 1/38 have checksums | +-----------------------+--------------------------------+-----------+--------------------------------+ | Quality | comp_valid_licenses | 2.9/10.0 | 11/38 components with valid | | | | | license | + +--------------------------------+-----------+--------------------------------+ | | comp_with_primary_purpose | 0.0/10.0 | 0/38 components have primary | | | | | purpose specified | + +--------------------------------+-----------+--------------------------------+ | | comp_with_deprecated_licenses | 10.0/10.0 | 0/38 components have | | | | | deprecated licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_restrictive_licenses | 10.0/10.0 | 0/38 components have | | | | | restricted licenses | + +--------------------------------+-----------+--------------------------------+ | | comp_with_any_vuln_lookup_id | 0.0/10.0 | 0/38 components have any | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | comp_with_multi_vuln_lookup_id | 0.0/10.0 | 0/38 components have multiple | | | | | lookup id | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_creator_and_version | 10.0/10.0 | 1/1 tools have creator and | | | | | version | + +--------------------------------+-----------+--------------------------------+ | | sbom_with_primary_component | 10.0/10.0 | primary component found | +-----------------------+--------------------------------+-----------+--------------------------------+ | Sharing | sbom_sharable | 0.0/10.0 | doc has a sharable license | | | | | free 0 :: of 1 | +-----------------------+--------------------------------+-----------+--------------------------------+ | Structural | sbom_spec | 10.0/10.0 | provided sbom is in a | | | | | supported sbom format of | | | | | spdx,cyclonedx | + +--------------------------------+-----------+--------------------------------+ | | sbom_spec_version | 10.0/10.0 | provided sbom should be in | | | | | supported spec version for | | | | | spec:SPDX-2.3 and versions: | | | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 | + +--------------------------------+-----------+--------------------------------+ | | sbom_file_format | 10.0/10.0 | provided sbom should be in | | | | | supported file format for | | | | | spec: json and version: | | | | | json,yaml,rdf,tag-value | + +--------------------------------+-----------+--------------------------------+ | | sbom_parsable | 10.0/10.0 | provided sbom is parsable | +-----------------------+--------------------------------+-----------+--------------------------------+ The o/p contains: ...

Introduction Hey Everyone 👋, Today we will be discussing through a very specific practical, real-world use case, something that shows up the moment an organization starts taking software supply chain security seriously. Whether it’s because of internal security, or government push through compliance (like NTIA, BSI), or upcoming regulations like the EU CRA… On SBOM and SBOM Platforms These SBOM platforms help you monitor vulnerabilities, track licenses, and keep an eye on everything happening inside your software supply chain. And one of the popular OSS SBOM platform is: Dependency-Track. ...