SBOM PlugFest is a powerful tool that reveals key areas of difference between several Software Bills of Materials (SBOMs) and applies thorough metrics to identify any and all quality issues. Supported SBOM formats:
- CycloneDX 1.4 JSON
- CycloneDX 1.4 XML
- SPDX 2.3 Tag-Value
See System Requirements for more details
cd gui
npm ci
npm run ...
Please select the command based on your use case:
Launching Platform to use (backend and frontend)
- `npm run electron-start`: Launches an electron instance of the application
Developer usages:
- `npm run windows-build`: Generates a standalone application (.exe) file and directory for deployment with the backend built and included
- `npm run web-start`: Runs an angular instance of the application for development purposes
- `npm run web-build`: Generates an index.html and build folder for the angular application for web deployment
Note: Upon launch, please wait at least 40 seconds before importing SBOMs so that the system is able to load properly.
Allows comparison across schemas and file formats, considering metadata and components.
- Supplier: Suppliers (publishers) of the code are not the same
- Author: SBOMs have different authors
- Timestamp: SBOMs have different timestamps
- Origin Format: SBOMs have different origin formats
- Schema Version: SBOMs have different schema versions (CycloneDX 1.4, SPDX 2.3, etc)
- SBOM Version: SBOMs have different versions
- Serial Number: SBOMs have different serial numbers
- Missing: Component only found in one SBOM
- Version: Component found in both SBOMs, but has different versions
- License: Component found in both SBOMs, but has different licenses
- Publisher: Component found in both SBOMs, but has different publisher
- CPE: Component found in both SBOMs, but has different CPE
- PURL: Component found in both SBOMs, but has different PURL
- Hash: Component found in both SBOMs, but has different Hashes
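The metadata and component comparison categories listed above, as an added example that is not PlugFest's own code: two small CycloneDX 1.4-style documents are constructed inline (serial numbers and hash digests are placeholders), components are matched by name, and each category is reported only when the two sides differ.

```python
# Added example (not PlugFest's own code): diff metadata and components of two
# constructed CycloneDX 1.4-style SBOMs and report the categories listed above.
# Serial numbers, timestamps and hash digests are made-up placeholders.

SBOM_A = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000001",
    "metadata": {"timestamp": "2023-05-01T10:00:00Z",
                 "authors": [{"name": "generator-a"}]},
    "components": [
        {"name": "lodash", "version": "4.17.21", "publisher": "lodash",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"name": "left-pad", "version": "1.3.0", "publisher": "left-pad",
         "purl": "pkg:npm/left-pad@1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}],
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
    ],
}
SBOM_B = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 2,
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000002",
    "metadata": {"timestamp": "2023-05-02T10:00:00Z",
                 "authors": [{"name": "generator-b"}]},
    "components": [
        {"name": "lodash", "version": "4.17.20", "publisher": "lodash",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "c" * 64}]},
        {"name": "express", "version": "4.18.2", "publisher": "expressjs",
         "purl": "pkg:npm/express@4.18.2",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256", "content": "d" * 64}]},
    ],
}


def _author(sbom):
    return ",".join(a.get("name", "") for a in sbom.get("metadata", {}).get("authors", []))


def compare_metadata(a, b):
    """Return the sorted list of metadata categories that differ between two SBOMs."""
    fields = {
        "Supplier": lambda s: s.get("metadata", {}).get("supplier", {}).get("name"),
        "Author": _author,
        "Timestamp": lambda s: s.get("metadata", {}).get("timestamp"),
        "Origin Format": lambda s: s.get("bomFormat"),
        "Schema Version": lambda s: s.get("specVersion"),
        "SBOM Version": lambda s: s.get("version"),
        "Serial Number": lambda s: s.get("serialNumber"),
    }
    return sorted(name for name, get in fields.items() if get(a) != get(b))


def _licenses(c):
    return sorted(l.get("license", {}).get("id", "") for l in c.get("licenses", []))


def _hashes(c):
    return sorted((h["alg"], h["content"]) for h in c.get("hashes", []))


def compare_components(a, b):
    """Return {component name: [difference categories]} for components keyed by name."""
    ca = {c["name"]: c for c in a["components"]}
    cb = {c["name"]: c for c in b["components"]}
    report = {}
    for name in sorted(set(ca) | set(cb)):
        if name not in ca or name not in cb:
            report[name] = ["Missing"]          # present in only one SBOM
            continue
        x, y = ca[name], cb[name]
        checks = [
            ("Version", x.get("version"), y.get("version")),
            ("License", _licenses(x), _licenses(y)),
            ("Publisher", x.get("publisher"), y.get("publisher")),
            ("CPE", x.get("cpe"), y.get("cpe")),
            ("PURL", x.get("purl"), y.get("purl")),
            ("Hash", _hashes(x), _hashes(y)),
        ]
        diffs = [label for label, u, v in checks if u != v]
        if diffs:
            report[name] = diffs
    return report


if __name__ == "__main__":
    print("metadata:", compare_metadata(SBOM_A, SBOM_B))
    for name, diffs in compare_components(SBOM_A, SBOM_B).items():
        print(f"{name}: {', '.join(diffs)}")
```

Matching components by bare name is the simplest keying; a PURL-keyed match would avoid pairing two different packages that happen to share a name across ecosystems.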
A series of metrics to assess the quality of the SBOM.
Assesses how complete the content of the SBOM is.
- Minimum Elements Test: Checks that the minimum elements for an SBOM, as recommended by the NTIA, are present:
- Supplier Name: The name of an entity that creates, defines, and identifies components.
- Component Name: Designation assigned to a unit of software defined by the original supplier.
- Version of the Component: Identifier used by the supplier to specify a change in software from a previously identified version.
- Other Unique Identifiers: Other identifiers that are used to identify a component, or serve as a look-up key for relevant databases. PlugFest uses CPE and PURL.
- Author of SBOM Data: The name of the entity that creates the SBOM data for this component.
- Timestamp: Record of the date and time of the SBOM data assembly
- Valid PURL Test: Test to see if the PURL is correctly formatted
- Valid CPE Test: Test to see if the CPE is correctly formatted
Assesses the quality of the unique identifiers and ensures they match the stored SBOM data.
- Has Hash Data Test: Test to see if hashes are stored
- Valid Hash Data Test: Test to see if the stored hashes match the reported hash algorithm
- Accurate PURL Test: Test to see if the data stored in the PURL matches what is reported in the SBOM
- Accurate CPE Test: Test to see if the data stored in the CPE matches what is reported in the SBOM
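The completeness and uniqueness tests listed above (minimum elements, valid and accurate PURL and CPE, hash presence and validity), as an added example that is not PlugFest's own code. The PURL and CPE patterns are simplified readings of the purl specification and the CPE 2.3 formatted-string grammar (no escaped-colon handling), and "valid hash data" is approximated by checking that each digest has the hex length its declared algorithm produces. The sample components are constructed, including one deliberately defective one.

```python
# Added example, not PlugFest's own code: format and accuracy checks over
# constructed CycloneDX-style components. Regexes are simplified approximations.
import re

# Hex digest length per algorithm, using the names CycloneDX spells out.
HASH_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128}

PURL_RE = re.compile(
    r"^pkg:(?P<type>[a-z0-9.+-]+)/"      # scheme and package type
    r"(?:(?P<namespace>[^@?#]+)/)?"      # optional namespace
    r"(?P<name>[^/@?#]+)"                # name
    r"(?:@(?P<version>[^?#]+))?"         # optional @version
    r"(?:\?(?P<qualifiers>[^#]+))?"      # optional ?qualifiers
    r"(?:#(?P<subpath>.+))?$"            # optional #subpath
)
# cpe:2.3:<part>:vendor:product:version:update:edition:language
#        :sw_edition:target_sw:target_hw:other  -> part plus 10 more fields
CPE23_RE = re.compile(r"^cpe:2\.3:[aho*-](?::[^:]+){10}$")

# Constructed samples: a well-formed component and a defective one.
COMPONENT = {
    "name": "lodash", "version": "4.17.21", "publisher": "lodash",
    "purl": "pkg:npm/lodash@4.17.21",
    "cpe": "cpe:2.3:a:lodash:lodash:4.17.21:*:*:*:*:*:*:*",
    "hashes": [{"alg": "SHA-256", "content": "ab" * 32},
               {"alg": "MD5", "content": "abc"}],       # too short for MD5
}
BAD = {"name": "left-pad", "version": "1.3.0",           # no supplier, no hashes
       "purl": "pkg:npm/left-pad@1.2.0"}                 # PURL version disagrees
SBOM = {"metadata": {"timestamp": "2023-05-01T10:00:00Z"},   # no author recorded
        "components": [COMPONENT, BAD]}


def minimum_elements_missing(sbom):
    """NTIA minimum elements: return the missing fields as 'scope:field' strings."""
    missing = []
    md = sbom.get("metadata", {})
    if not md.get("authors"):
        missing.append("sbom:author")
    if not md.get("timestamp"):
        missing.append("sbom:timestamp")
    for c in sbom.get("components", []):
        label = c.get("name") or "<unnamed>"
        if not (c.get("supplier") or c.get("publisher")):
            missing.append(f"{label}:supplier")
        if not c.get("name"):
            missing.append(f"{label}:name")
        if not c.get("version"):
            missing.append(f"{label}:version")
        if not (c.get("purl") or c.get("cpe")):
            missing.append(f"{label}:unique-identifier")
    return missing


def valid_purl(purl):
    return PURL_RE.match(purl) is not None


def valid_cpe(cpe):
    return CPE23_RE.match(cpe) is not None


def hash_issues(component):
    """Has Hash Data and Valid Hash Data in one pass; an empty list means both pass."""
    hashes = component.get("hashes", [])
    if not hashes:
        return ["no hashes stored"]
    issues = []
    for h in hashes:
        expected = HASH_HEX_LEN.get(h.get("alg"))
        content = h.get("content", "")
        if expected is None:
            issues.append(f"unknown algorithm {h.get('alg')}")
        elif len(content) != expected or not re.fullmatch(r"[0-9a-fA-F]+", content):
            issues.append(f"{h['alg']} digest is not {expected} hex chars")
    return issues


def accurate_purl(component):
    """Accurate PURL: name and version inside the PURL match the component's fields."""
    m = PURL_RE.match(component.get("purl", ""))
    return bool(m) and m.group("name") == component.get("name") \
        and m.group("version") == component.get("version")


def accurate_cpe(component):
    """Accurate CPE: product and version fields of the CPE match the component."""
    cpe = component.get("cpe", "")
    if not valid_cpe(cpe):
        return False
    fields = cpe.split(":")           # [cpe, 2.3, part, vendor, product, version, ...]
    return fields[4] == component.get("name") and fields[5] == component.get("version")


if __name__ == "__main__":
    print("missing:", minimum_elements_missing(SBOM))
    for c in SBOM["components"]:
        print(c["name"], hash_issues(c), accurate_purl(c), accurate_cpe(c))
```

A length-and-alphabet check catches truncated or mislabelled digests but not a digest that is the right shape and simply wrong; confirming the value itself needs the artifact, which the Is Registered test below approaches by looking the PURL up in its repository.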
Assesses whether the component is stored in a default repository.
- Is Registered Test: Uses PURLs to verify if the component exists in the default PURL repository
Assesses whether the SBOM has valid license data.
- Has License Data Test: Test to see if Licenses are stored
- Valid SPDX License Test: Test to see if the license is on the SPDX License List and whether it is deprecated
Assesses for features that are required specifically for SPDX SBOMs.
- Has Data License SPDX Test: Test to see if the SBOM's DataLicense field contains the CC0-1.0 license
- Has SPDX ID Test: Test to see if each component has a valid SPDXID
- Has Document Namespace Test: Test to see if the SBOM contains a valid document namespace
- Has Download Location Test: Test to see if each component has a download location
- Has Creation Info Test: Test to see if the SBOM contains creation information
- Has Verification Code Test: Test to see if each component has a package verification code when FilesAnalyzed is true, or omits it when FilesAnalyzed is false
- Has Extracted Licenses Test: Test to see if there are any extracted licenses not on the SPDX license list in the SBOM
- Extracted License Minimum Element Test: Test to see if the extracted licenses contain the required fields LicenseName, LicenseID, and LicenseCrossReference
Assesses for features that are required specifically for CycloneDX SBOMs.
- Has Bom-Ref Test: Test to see if a component has a unique bom-ref to reference inside the SBOM
- Has Bom Version Test: Test to see if the SBOM has a version number declared
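The license, SPDX-specific and CycloneDX-specific tests listed above, as an added example that is not PlugFest's own code. It runs over a constructed SPDX 2.3 JSON document and a constructed CycloneDX document; the SPDX license table is a hand-picked subset of the SPDX License List (a real check loads the full list), and the SPDX JSON field names `name`, `licenseId` and `seeAlso` are used for the LicenseName, LicenseID and LicenseCrossReference elements.

```python
# Added example, not PlugFest's own code: license, SPDX and CycloneDX checks
# over constructed documents. SPDX_LICENSES is a small subset of the real list.
import re
from collections import Counter
from urllib.parse import urlparse

SPDX_LICENSES = {"MIT": False, "Apache-2.0": False, "CC0-1.0": False,
                 "GPL-2.0-only": False, "GPL-2.0": True}   # id -> deprecated?
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")

SPDX_DOC = {  # constructed sample SPDX 2.3 JSON document
    "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "https://example.com/sbom/demo-1.0",
    "creationInfo": {"created": "2023-05-01T10:00:00Z", "creators": ["Tool: demo"]},
    "packages": [
        {"name": "lodash", "SPDXID": "SPDXRef-Package-lodash", "filesAnalyzed": True,
         "downloadLocation": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
         "packageVerificationCode": {"packageVerificationCodeValue": "a" * 40},
         "licenseConcluded": "MIT"},
        {"name": "oldlib", "SPDXID": "SPDXRef Package oldlib",   # spaces: invalid id
         "filesAnalyzed": False,                                  # so code must be omitted
         "packageVerificationCode": {"packageVerificationCodeValue": "b" * 40},
         "licenseConcluded": "GPL-2.0"},                          # deprecated id
    ],
    "hasExtractedLicensingInfos": [   # missing seeAlso (LicenseCrossReference)
        {"licenseId": "LicenseRef-Custom", "name": "Custom EULA", "extractedText": "..."}],
}
CDX_BOM = {"bomFormat": "CycloneDX", "specVersion": "1.4",       # no "version" declared
           "components": [{"name": "a", "bom-ref": "pkg:npm/a@1.0.0"},
                          {"name": "b", "bom-ref": "pkg:npm/a@1.0.0"},   # duplicate ref
                          {"name": "c"}]}                                # no bom-ref


def license_issues(doc):
    """Has License Data and Valid SPDX License tests over each package."""
    out = []
    for p in doc["packages"]:
        lic = p.get("licenseConcluded")
        if not lic:
            out.append(f"{p['name']}: no license data")
        elif lic.startswith("LicenseRef-"):
            continue                                   # checked as an extracted license
        elif lic not in SPDX_LICENSES:
            out.append(f"{p['name']}: {lic} not on SPDX license list")
        elif SPDX_LICENSES[lic]:
            out.append(f"{p['name']}: {lic} is deprecated")
    return out


def spdx_issues(doc):
    """SPDX-specific tests; an empty list means all pass."""
    out = []
    if doc.get("dataLicense") != "CC0-1.0":
        out.append("DataLicense is not CC0-1.0")
    ns = doc.get("documentNamespace", "")
    parsed = urlparse(ns)
    if not (parsed.scheme and parsed.netloc) or "#" in ns:
        out.append("document namespace is not a valid absolute URI")
    if not doc.get("creationInfo", {}).get("created"):
        out.append("missing creation info")
    for p in doc["packages"]:
        if not SPDXID_RE.match(p.get("SPDXID", "")):
            out.append(f"{p['name']}: invalid SPDXID")
        if not p.get("downloadLocation"):
            out.append(f"{p['name']}: no download location")
        has_code = "packageVerificationCode" in p
        if p.get("filesAnalyzed", True) and not has_code:
            out.append(f"{p['name']}: filesAnalyzed but no verification code")
        if not p.get("filesAnalyzed", True) and has_code:
            out.append(f"{p['name']}: verification code present but filesAnalyzed is false")
    for x in doc.get("hasExtractedLicensingInfos", []):
        for field in ("licenseId", "name", "seeAlso"):
            if not x.get(field):
                out.append(f"extracted license {x.get('licenseId', '?')}: missing {field}")
    return out


def cyclonedx_issues(bom):
    """Has Bom-Ref (unique) and Has Bom Version tests."""
    out = []
    if "version" not in bom:
        out.append("no BOM version declared")
    refs = Counter(c.get("bom-ref") for c in bom.get("components", []))
    for ref, n in refs.items():
        if not ref:
            out.append(f"{n} component(s) without bom-ref")
        elif n > 1:
            out.append(f"bom-ref {ref} used {n} times")
    return out


if __name__ == "__main__":
    print(license_issues(SPDX_DOC), spdx_issues(SPDX_DOC), cyclonedx_issues(CDX_BOM), sep="\n")
```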
Principal Investigator, Project Lead: Mehdi Mirakhorli
Project Manager: Chris Enoch
Developer Team Lead: Derek Garcia
Developer Team
- Tina DiLorenzo
- Tyler Drake
- Matt London
- Dylan Mulligan
- Michael Alfonzetti
- Ian Dunn
- Asa Horn
- Justin Jantzi
- Matthew Morrison
- Ethan Numan
- Henry Orsagh
- Juan Francisco Patino
- Max Stein