Skip to content

Latest commit

 

History

History
126 lines (101 loc) · 5.9 KB

README.md

File metadata and controls

126 lines (101 loc) · 5.9 KB

SBOM PlugFest Tool

v1.2.1-beta

changelog

SBOM PlugFest is a powerful tool to reveal key areas of difference between several Software Bills of Materials (SBOMs) and applying thorough metrics to identify any and all quality issues.

Supported SBOM Formats

  • CycloneDX 1.4 JSON
  • CycloneDX 1.4 XML
  • SPDX 2.3 Tag-Value

Quick Start

See System Requirements for more details

  1. cd gui
  2. npm ci
  3. npm run ...

Please select the command based on your use case:

Launching Platform to use (backend and frontend)

  • npm run electron-start: Launches an electron instance of the application

Developer usages:

  • npm run windows-build: Generates a standalone application (.exe) file and directory for deployment with the backend built and included with
  • npm run web-start: Runs an angular instance of the application for development purposes
  • npm run web-build: Generates an index.html and build folder for the angular application for web deployment

Note: Upon launch, please wait at least 40 seconds before importing SBOMs so that the system is able to load properly.

Comparison

Allows comparison across schemas and file formats, considering metadata and components.

SBOM Conflicts

  • Supplier: Supplier of the code are not the same (publisher)
  • Author: SBOMs have different authors
  • Timestamp: SBOMs have different timestamps
  • Origin Format: SBOMs have different origin formats
  • Schema Version: SBOMs have different schema versions (CycloneDX 1.4, SPDX 2.3, etc)
  • SBOM Version: SBOMs have different versions
  • Serial Number: SBOMs have different serial numbers

Component Conflicts

  • Missing: Component only found in one SBOM
  • Version: Component found in both SBOMs, but has different versions
  • License: Component found in both SBOMs, but has different licenses
  • Publisher: Component found in both SBOMs, but has different publisher
  • CPE: Component found in both SBOMs, but has different CPE
  • PURL: Component found in both SBOMs, but has different PURL
  • Hash: Component found in both SBOMs, but has different Hashes

Metrics

A series of metrics to access the quality of the SBOM.

Completeness

Assesses how complete the content of the SBOM is.

  • Minimum Elements Test: Checks for the Minimum Elements for an SBOM are present as recommend by the NTIA.
    • Supplier Name: The name of an entity that creates, defines, and identifies components.
    • Component Name: Designation assigned to a unit of software defined by the original supplier.
    • Version of the Component: Identifier used by the supplier to specify a change in software from a previously identified version.
    • Other Unique Identifiers: Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases.

      Plugfest uses CPE and PURL

    • Author of SBOM Data: The name of the entity that creates the SBOM data for this component.
    • Timestamp: Record of the date and time of the SBOM data assembly
  • Valid PURL Test: Test to see if the PURL is correctly formatted
  • Valid CPE Test: Test to see if the CPE is correctly formatted

Uniqueness

Assesses the quality of the unique identifiers and ensure they match the stored SBOM data.

  • Has Hash Data Test: Test to see if hashes are stored
  • Valid Hash Data Test: Test to see the stored hashes match the reported hash algorithm
  • Accurate PURL Test: Test to see if the data stored in the PURL matches what is reported in the SBOM
  • Accurate CPE Test: Test to see if the data stored in the CPE matches what is reported in the SBOM

Registered

Assesses if the component is stored in a default repository

Licensing

Assesses if the SBOM has valid license data

  • Has License Data Test: Test to see if Licenses are stored
  • Valid SPDX License Test: Test to see if the License is stored in the SPDX License List and if they are depreciated

SPDX

Assesses for features that are required specifically for SPDX SBOMs.

  • Has Data License SPDX Test: Test to see if the SBOM's DataLicense field contain the CC0-1.0 license
  • Has SPDX ID Test: Test to see if each component has a valid SPDXID
  • Has Document Namespace Test: Test to see if the SBOM contains a valid document namespace
  • Has Download Location Test: Test to see if each component has a download location
  • Has Creation Info Test: Test to see if the SBOM contains creation information
  • Has Verification Code Test: Test to see if each component has a package verification code (FilesAnalyzed is true) or is it omitted (FilesAnalyzed if false)
  • Has Extracted Licenses Test: Test to see if there are any extracted licenses not on the SPDX license list in the SBOM
  • Extracted License Minimum Element Test: Test to see if the extracted licenses contain the required fields LicenseName, LicenseID, and LicenseCrossReference

CycloneDX

Assesses for features that are required specifically for CycloneDX SBOMs.

  • Has Bom-Ref Test: Test to see if a component has a unique bom-ref to reference inside the SBOM
  • Has Bom Version Test: Test to see if the SBOM has a version number declared

Contributors

Principal Investigator, Project Lead: Mehdi Mirakhorli

Project Manager: Chris Enoch

Developer Team Lead: Derek Garcia

Developer Team

  • Tina DiLorenzo
  • Tyler Drake
  • Matt London
  • Dylan Mulligan
  • Michael Alfonzetti
  • Ian Dunn
  • Asa Horn
  • Justin Jantzi
  • Matthew Morrison
  • Ethan Numan
  • Henry Orsagh
  • Juan Francisco Patino
  • Max Stein