Merge pull request #261 from viveksahu26/openchain_telco_report_#243

add support for OpenChain Telco compliance
interlynk-io · Jul 1, 2024 · 0a0a3e2 · 0a0a3e2
2 parents 1f002b9 + 32eefc4
commit 0a0a3e2
Show file tree

Hide file tree

Showing 28 changed files with 1,866 additions and 397 deletions.
diff --git a/Compliance.md b/Compliance.md
@@ -8,6 +8,8 @@ The goal of compliance reports is to verify if the sbom file adheres to these st
 We have explained below how sbomqs approaches compliance reports for BSI TR-03183-2 v1.1. We are not going to explain
 this technical guideline here, but rather go into our intepretation of it.
 
+## TR-03183: SBOM Requirements for CRA
+
 The [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf) specifies mandatory properties for an SBOM. Below is how we have derived all the values.
 
 | TR-03183-2 | TR-03183-2 field | CycloneDx | SPDX(2.3) | Notes |
@@ -30,3 +32,37 @@ The [BSI TR-03183-2 v1.1](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Pu
 | | `URI of the executable form`| component->externalReferences->type (distribution/distribution-intake) | PackageDownloadLocation | |
 | | `hash of source code`| no-deterministic-field | package->PackageVerificationCode | |
 | | `other uniq identifiers`| component->cpe, component->purl| package->externalReference->security (cpe/purl) | |
+
+## OpenChain Telco: SBOM Requirements for OCT
+
+The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/blob/master/SBOM-Quality/Version-1/OpenChain-Telco-SBOM-Guide_EN.md) specifies mandatory properties for an SBOM. Below is how we have derived all the values.
+| OpenTelco | Section ID | OpenTelco field | SPDX(2.3) | Notes |
+| :---     | :---    | :---    |     :---      |          :--- |
+| DataFormat |3.1 | `SBOM data format` | specs | SPDX2.2 and SPDX2.3 only |
+| SPDX elements | 3.2 | `SBOM info`  | SBOM type    | SPDX only |
+| | 3.2.2 | `spec version field`  | SPDXVersion | SPDX 2.3 and above |
+| | 3.2.3 | `SBOM license field` | DataLicense |  |
+| | 3.2.4 | `spec identifier field`  | SPDXID   | |
+| | 3.2.5 | `SBOM name field`| DocumentName |  |
+| | 3.2.6 | `SBOM namespace field`| DocumentNamespace |  |
+| | 3.2.7 | `SBOM Creator field`| creator | Tools and Organization must be present |
+| | 3.2.8 | `SBOM Created field`| created | Time at which document was created. |
+| | 3.2.9 | `SBOM Creator comment field`| comment | Some comment from the document creators |
+| | 3.2.10 | `Package Info` | package info | |
+| | 3.2.11 | `Package name field` | PackageName | |
+| | 3.2.12 | `Package SPDX identifier field` | SPDXID | |
+| | 3.2.13 | `Package version field` | PackageVersion | |
+| | 3.2.14 | `Package supplier field` | PackageSupplier | |
+| | 3.2.15 | `Package download location field` | PackageDownloadLocation | |
+| | 3.2.16 | `Files analyzed field` | FilesAnalyzed | |
+| | 3.2.17 | `Package checksum field` | PackageChecksum | we only look for sha-256 |
+| | 3.2.18 | `Concluded license field`| PackageLicenseConcluded | |
+| | 3.2.19 | `Declared license field`| PackageLicenseDeclared | |
+| | 3.2.20 | `Copyright text field` | PackageCopyrightText | |
+| | 3.2.21 | `External reference field`| ExternalRef | |
+| Machine Readable Data Format | 3.3 | `SBOM machine readable format` | specs | SPDX data-format in Tag-value or JSON |
+| Human Readable Data Format | 3.4 | `SBOM human readable format` | SBOM file format | Tag:Value or JSON |
+| SBOM Build Information | 3.5 | `SBOM Creator field` | SBOM creator | It must contain tool name, tool version and Organization |
+| Timing of SBOM delivery | 3.6 | `SBOM delivery time` | delivery time | |
+| Method of SBOM delivery | 3.7 | `SBOM delivery method` | delivery method | |
+| SBOM Scope | 3.8 | `SBOM scope` | sbom scope | |
diff --git a/cmd/compliance.go b/cmd/compliance.go
@@ -25,7 +25,7 @@ import (
 var complianceCmd = &cobra.Command{
 	Use:   "compliance <sbom file>",
 	Short: "compliance command checks an SBOM for compliance with SBOM standards",
-	Long: `Check if your SBOM complies with various SBOM standards like NTIA minimum elements, BSI TR-03183-2.
+	Long: `Check if your SBOM complies with various SBOM standards like NTIA minimum elements, BSI TR-03183-2, OpenChain Telco.
 	Generate a compliance report for an SBOM file.
 	`,
 	Args: func(cmd *cobra.Command, args []string) error {
@@ -59,6 +59,7 @@ func setupEngineParams(cmd *cobra.Command, args []string) *engine.Params {
 
 	// engParams.Ntia, _ = cmd.Flags().GetBool("ntia")
 	engParams.Cra, _ = cmd.Flags().GetBool("cra")
+	engParams.Oct, _ = cmd.Flags().GetBool("oct")
 
 	engParams.Debug, _ = cmd.Flags().GetBool("debug")
 
@@ -70,18 +71,19 @@ func setupEngineParams(cmd *cobra.Command, args []string) *engine.Params {
 func init() {
 	rootCmd.AddCommand(complianceCmd)
 
-	//Debug control
+	// Debug control
 	complianceCmd.Flags().BoolP("debug", "D", false, "enable debug logging")
 
-	//Output control
+	// Output control
 	complianceCmd.Flags().BoolP("json", "j", false, "output in json format")
 	complianceCmd.Flags().BoolP("basic", "b", false, "output in basic format")
 	complianceCmd.Flags().BoolP("detailed", "d", false, "output in detailed format")
-	//complianceCmd.Flags().BoolP("pdf", "p", false, "output in pdf format")
+	// complianceCmd.Flags().BoolP("pdf", "p", false, "output in pdf format")
 	complianceCmd.MarkFlagsMutuallyExclusive("json", "basic", "detailed")
 
-	//Standards control
+	// Standards control
 	// complianceCmd.Flags().BoolP("ntia", "n", false, "check for NTIA minimum elements compliance")
 	complianceCmd.Flags().BoolP("cra", "c", false, "BSI TR-03183-2 v1.1 compliance")
 	// complianceCmd.MarkFlagsMutuallyExclusive("ntia", "cra")
+	complianceCmd.Flags().BoolP("oct", "t", false, "OpenChainTelco compliance")
 }
diff --git a/go.mod b/go.mod
@@ -22,6 +22,11 @@ require (
 	sigs.k8s.io/release-utils v0.8.2
 )
 
+require (
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+)
+
 require (
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
@@ -43,5 +48,6 @@ require (
 	golang.org/x/sys v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
 	golang.org/x/tools v0.21.0 // indirect
+	gotest.tools v2.2.0+incompatible
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -52,6 +52,8 @@ github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8=
 github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
 github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
 github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -164,6 +166,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 sigs.k8s.io/release-utils v0.8.2 h1:BKCKabsVkxy/rTRdPeH2t/v2NSU8tMt0fYIWby3hxKQ=
 sigs.k8s.io/release-utils v0.8.2/go.mod h1:u2Si4cUBWo2KBAL+7WB8d/HtwgqgssDAHepYu5+dpQY=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=

diff --git a/pkg/compliance/compliance.go b/pkg/compliance/compliance.go
@@ -17,19 +17,23 @@ package compliance
 import (
 	"context"
 	"errors"
+	"fmt"
 
 	"github.com/interlynk-io/sbomqs/pkg/logger"
 	"github.com/interlynk-io/sbomqs/pkg/sbom"
 )
 
-const CRA_REPORT = "CRA"
-const NTIA_REPORT = "NTIA"
+const (
+	CRA_REPORT  = "CRA"
+	NTIA_REPORT = "NTIA"
+	OCT_TELCO   = "OCT"
+)
 
 func ComplianceResult(ctx context.Context, doc sbom.Document, reportType, fileName, outFormat string) error {
 	log := logger.FromContext(ctx)
 	log.Debug("compliance.ComplianceResult()")
 
-	if reportType != CRA_REPORT && reportType != NTIA_REPORT {
+	if reportType != CRA_REPORT && reportType != NTIA_REPORT && reportType != OCT_TELCO {
 		log.Debugf("Invalid report type: %s\n", reportType)
 		return errors.New("invalid report type")
 	}
@@ -57,5 +61,13 @@ func ComplianceResult(ctx context.Context, doc sbom.Document, reportType, fileNa
 		ntiaResult(ctx, doc, fileName, outFormat)
 	}
 
+	if reportType == OCT_TELCO {
+		if doc.Spec().GetSpecType() != "spdx" {
+			fmt.Println("The Provided SBOM spec is other than SPDX. Open Chain Telco only support SPDX specs SBOMs.")
+			return nil
+		}
+		octResult(ctx, doc, fileName, outFormat)
+	}
+
 	return nil
 }