
Support for strict specification adherence with analysis

Open surendrapathak opened this issue 2 years ago • 3 comments

This is to track the implementation of checking strict adherence to the specifications and reporting issues in an actionable format.

Examples:

  1. https://sbombenchmark.dev/score/bom-v0.4.0_rails-5.0.0.1.spdx.tv , Issues tab: finds Creator tool without version.
  2. https://sbombenchmark.dev/score/trivy-0.39.0_debian-bookworm-20230320-slim.spdx.tv, Issues tab: finds various licenses in an inaccurate format.
  3. https://sbombenchmark.dev/score/bom-v0.4.0_debian-bookworm-20230320-slim.spdx.tv, Issues tab: package download location is incorrect.

Rules to check (WIP): SPDX

  1. License expressions are valid as per SPDX license expression rules.
  2. SPDXVersion is valid
  3. SPDX DataLicense is valid
  4. DocumentNamespace is a valid URL
  5. ExternalDocRef is a valid reference
  6. LicenseList follows Major/Minor versioning
  7. LicenseID incorporates only a valid set of characters
  8. Creator is limited to Person/Organization and Tool
  9. Timestamp is valid
  10. SPDXID starts with SPDXRef and has valid characters
  11. Package Provider (Supplier/Originator) is a valid Person/Organization string
  12. Package Download Location is a valid URI

surendrapathak avatar Apr 18 '23 07:04 surendrapathak
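A small walker over SPDX tag-value text that applies a subset of the rules above (2, 4, 8, 10 and 12) and reports each violation as a "line N Tag: reason" string, added here as an illustration and not code from sbomqs itself. It assumes the tag-value layout ("Tag: value" per line) and uses a constructed sample document with deliberate defects; the `rule` type, `Validate` and `isAbsURI` are names chosen for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)
// Constructed SPDX tag-value sample (not a real SBOM) carrying four deliberate defects.
const sampleTV = `SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentNamespace: not a url
Creator: Tool: bom
PackageDownloadLocation: github.com/example/repo
SPDXID: SPDXRef-Package_1`
var (
	versionRe = regexp.MustCompile(`^SPDX-\d+\.\d+$`)                              // rule 2
	spdxIDRe  = regexp.MustCompile(`^SPDXRef-[A-Za-z0-9.-]+$`)                     // rule 10
	creatorRe = regexp.MustCompile(`^(Person|Organization): .+|^Tool: .+-[^-]+$`) // rule 8; a Tool carries name-version
)
// isAbsURI reports whether s parses with a scheme and host (rules 4 and 12).
func isAbsURI(s string) bool {
	u, err := url.Parse(s)
	return err == nil && u.Scheme != "" && u.Host != ""
}
// rule pairs a predicate with the actionable message reported when it fails.
type rule struct {
	ok  func(string) bool
	msg string
}
var rules = map[string]rule{
	"SPDXVersion":             {versionRe.MatchString, "must be SPDX-<major>.<minor>"},
	"SPDXID":                  {spdxIDRe.MatchString, "must be SPDXRef- followed by letters, digits, '.' or '-'"},
	"DocumentNamespace":       {func(v string) bool { return isAbsURI(v) && !strings.Contains(v, "#") }, "must be an absolute URI without a fragment"},
	"Creator":                 {creatorRe.MatchString, "must be Person:, Organization: or Tool: name-version"},
	"PackageDownloadLocation": {func(v string) bool { return v == "NONE" || v == "NOASSERTION" || isAbsURI(v) }, "must be NONE, NOASSERTION or an absolute URI"},
}

// Validate walks a tag-value document and returns one "line N <Tag>: <reason>" string per violation.
func Validate(doc string) []string {
	var issues []string
	for i, line := range strings.Split(doc, "\n") {
		tag, val, _ := strings.Cut(line, ": ")
		if r, known := rules[tag]; known && !r.ok(strings.TrimSpace(val)) {
			issues = append(issues, fmt.Sprintf("line %d %s: %s", i+1, tag, r.msg))
		}
	}
	return issues
}
```

Running `Validate(sampleTV)` flags the namespace, the version-less tool, the scheme-less download location and the underscore in the package SPDXID, while the document-level SPDXID and version pass.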

Hi @surendrapathak, does this have to be implemented under the score command itself, or as a separate command?

viveksahu26 avatar Jul 22 '24 04:07 viveksahu26

I recommend a new 'validate' command for ensuring adherence to spec. The command validates basic structure and then rules setup above.

surendrapathak avatar Jul 22 '24 05:07 surendrapathak

> I recommend a new 'validate' command for ensuring adherence to spec. The command validates basic structure and then rules setup above.

@riteshnoronha, your thoughts on this?

viveksahu26 avatar Jul 22 '24 06:07 viveksahu26