sbomqs helps generating compliance reports for your SBOMs. We support industry standard regulations/guidelines
like NTIA minimum elements, BSI TR-03183 v1.1/v2.0 and Openchain Telco. The goal of compliance reports is to verify if the sbom file adheres to these standard, before they are distributed.
Below is how we map the various requirements to SBOM's of CycloneDX & SPDX formats
BSI guidelines follows a transitional system, to comply with the Technical Guideline, SBOMs must be generated using the most recent version, though the previous version is allowed for six months after an update, and SBOMs remain compliant based on the guideline valid at their delivery date.
- Released: September 20th 2024
- Contact: [email protected]
| TR-03183-2 | TR-03183-2 field | CycloneDx | SPDX(2.2.1) | SPDX(3.0) | Notes |
|---|---|---|---|---|---|
| 3.1 Definition of SBOM | vuln |
vulnerabilities | non-deterministic | TBD | Presence of Vuln Info is non-compliant, for SPDX package->externalReference->comment could be used, but non-determinstic |
| 4. SBOM formats | specification |
BomFormat | SPDXversion | TBD | CycloneDX and SPDX only |
specification version |
SpecVersion | SPDXversion | TBD | CycloneDX 1.5 and above, SPDX 2.2.1 and above | |
| 5.1 Level of Detail | Build SBOM |
metadata->lifecycles | no-deterministic-field | TBD | |
Depth |
dependencies, compositions | relationships | TBD | A complex topic, mostly resolved via attestations via compositions for CDX. For SPDX relationship comments is an option, but non-deterministic | |
| 5.2.1 Required SBOM fields | creator |
metadata->(authors/supplier/manufacturer) | creator->(Person/Organization) | TBD | Email or url only, if the name exists but email/url missing its deemed non-compliant |
timestamp |
metadata->timestamp | created | TBD | Non conformant time format is deemed non-compliant | |
| 5.2.2 Required Component fields | creator |
component(supplier/authors) | packageSupplier, packageOriginator | TBD | Looking for email or url, for spdx, we check supplier then originatior(manufacturer) |
name |
component->name | package->name | TBD | ||
version |
component->version | package->version | TBD | ||
filename |
component->type(file), name | PackageFileName | TBD | For CycloneDX properties could be used | |
dependencies |
dependencies, compositions | relationships | TBD | cdx we look for attestations via compositions, spdx nothing exists | |
associated license |
component->license->Expression | packageConcluded | TBD | we lookup sdpx,spdx-exceptions,aboutcode, and licenseRef- | |
hash |
component->hashes | package->checksums | TBD | we only look for sha-256 | |
executable |
TBD | Open to suggestions | |||
archive |
TBD | Open to suggestions | |||
structured |
TBD | Open to suggestions | |||
| 5.3.1 Additional SBOM fields | SBOM-URI |
serialNumber, version | namespace | TBD | for cdx bom-link is considered a URN |
| 5.3.2 Additional Component fields | source code uri |
component->externalReferences->type (vcs) | no-deterministic-field | TBD | |
URI of the executable form |
component->externalReferences->type (distribution/distribution-intake) | PackageDownloadLocation | TBD | ||
hash of source code |
no-deterministic-field | package->PackageVerificationCode | TBD | ||
other uniq identifiers |
component->cpe, component->purl | externalReference->security->cpe, externalReference->package_manager->purl | TBD | ||
concluded licenses |
license->acknowlegement(1.6+) | PackagConcluded | TBD | For cyclonedx only 1.6+ spec, it can be determined. | |
| 5.4.1 Optional data fields for each component | Declared licences |
comp->license->acknowledgement(1.6+) | PackageDeclared | TBD | For cyclonedx only 1.6+ spec, it can be determined |
Sourcecode Hash |
non-deterministic | packageVerificationCode | TBD | ||
| 8.1.11 Optional Digital Signature | signature |
signature | non-deterministic | TBD | DPX would normally provide this externally to the SBOM |
| 8.1.12 Optional Bom Links | bomlinks |
externalReference->Type(Bom) | externalDocumentRefs | TBD | SPDX if packages are prefixed with external Doc, those should be referenced. In both specs, sbomqs will check existence via url & localfile |
- Released: Nov 28th 2023
- Contact: [email protected]
| TR-03183-2 | TR-03183-2 field | CycloneDx | SPDX(2.3) | Notes |
|---|---|---|---|---|
| 4. SBOM formats | specification |
BomFormat | SPDXversion | CycloneDX and SPDX only |
specification version |
SpecVersion | SPDXversion | CycloneDX 1.4 and above, SPDX 2.3 and above | |
| 5.1 Level of Detail | Build SBOM |
metadata->lifecycles (1.5 and above) | no-deterministic-field | |
Depth |
dependencies, compositions | relationships | A complex topic, mostly resolved via attestations via compositions, but spdx lacks that field now | |
| 5.2.1 Required SBOM fields | creator |
metadata->authors, metadata->supplier | creator | We are primarily looking for email or url from these fields, if the name exists but email/url missing its deemed non-compliant |
| metadata->manufacturer | ||||
timestamp |
metadata->timestamp | created | ||
| 5.2.2 Required Component fields | creator |
component->supplier | packageSupplier, packageOriginator | Looking for email or url, for spdx, we check supplier then originatior(manufacturer) |
name |
component->name | package->name | ||
version |
component->version | package->version | ||
dependencies |
dependencies, compositions | relationships | cdx we look for attestations via compositions, spdx nothing exists | |
license |
component->license | packageConcluded, packageDeclated | we lookup sdpx,spdx-exceptions,aboutcode, and licenseRef- | |
hash |
component->hashes | package->checksums | we only look for sha-256 | |
| 5.3.1 Additional SBOM fields | SBOM-URI |
serialNumber, version | namespace | for cdx bom-link is considered a URN |
| 5.3.2 Additional Component fields | source code uri |
component->externalReferences->type (vcs) | no-deterministic-field | |
URI of the executable form |
component->externalReferences->type (distribution/distribution-intake) | PackageDownloadLocation | ||
hash of source code |
no-deterministic-field | package->PackageVerificationCode | ||
other uniq identifiers |
component->cpe, component->purl | package->externalReference->security (cpe/purl) |
The OpenChain Telco specifies mandatory properties for an SBOM. Below is how we have derived all the values.
- Released: May 22nd 2024
- Contact: https://lists.openchainproject.org/g/telco
| OpenTelco | Section ID | OpenTelco field | SPDX(2.3) | Notes |
|---|---|---|---|---|
| DataFormat | 3.1 | SBOM data format |
specs | SPDX2.2 and SPDX2.3 only |
| SPDX elements | 3.2 | SBOM info |
SBOM type | SPDX only |
| 3.2.2 | spec version field |
SPDXVersion | SPDX 2.3 and above | |
| 3.2.3 | SBOM license field |
DataLicense | ||
| 3.2.4 | spec identifier field |
SPDXID | ||
| 3.2.5 | SBOM name field |
DocumentName | ||
| 3.2.6 | SBOM namespace field |
DocumentNamespace | ||
| 3.2.7 | SBOM Creator field |
creator | Tools and Organization must be present | |
| 3.2.8 | SBOM Created field |
created | Time at which document was created. | |
| 3.2.9 | SBOM Creator comment field |
comment | Some comment from the document creators | |
| 3.2.10 | Package Info |
package info | ||
| 3.2.11 | Package name field |
PackageName | ||
| 3.2.12 | Package SPDX identifier field |
SPDXID | ||
| 3.2.13 | Package version field |
PackageVersion | ||
| 3.2.14 | Package supplier field |
PackageSupplier | ||
| 3.2.15 | Package download location field |
PackageDownloadLocation | ||
| 3.2.16 | Files analyzed field |
FilesAnalyzed | ||
| 3.2.17 | Package checksum field |
PackageChecksum | we only look for sha-256 | |
| 3.2.18 | Concluded license field |
PackageLicenseConcluded | ||
| 3.2.19 | Declared license field |
PackageLicenseDeclared | ||
| 3.2.20 | Copyright text field |
PackageCopyrightText | ||
| 3.2.21 | External reference field |
ExternalRef | ||
| Machine Readable Data Format | 3.3 | SBOM machine readable format |
specs | SPDX data-format in Tag-value or JSON |
| Human Readable Data Format | 3.4 | SBOM human readable format |
SBOM file format | Tag:Value or JSON |
| SBOM Build Information | 3.5 | SBOM Creator field |
SBOM creator | It must contain tool name, tool version and Organization |
| Timing of SBOM delivery | 3.6 | SBOM delivery time |
delivery time | |
| Method of SBOM delivery | 3.7 | SBOM delivery method |
delivery method | |
| SBOM Scope | 3.8 | SBOM scope |
sbom scope |
The NTIA specifies mandatory properties for an SBOM. Below is how we have derived all the values.
- Released:
- Contact:
| NTIA minimum elements | Section ID | NTIA Fields | CycloneDX | SPDX(2.3) | Notes |
|---|---|---|---|---|---|
| Automation Support | 1.1 | Machine Readable Format |
BomFormat & data forrmat | SPDXversion & data forrmat | optional |
| SBOM Data Fields | 2.1 | SBOM Authors |
metadata->authors, metadata->supplier | creator->Person, creator->organization or creator->tool | Mandatory |
| 2.2 | SBOM Timestamp |
metadata->timestamp | created | Mandatory | |
| 2.3 | SBOM Dependencies |
dependencies | relationships | Mandatory(number of dependencies primary comp have) | |
| Package Data Fields | 2.4 | Component Name |
component->name | package->name | Mandatory |
| 2.3 | Component Dependencies |
dependencies | relationships | Optional(Component to component dependencies) | |
| 2.6 | Component Supplier Name |
component->supplier | packageSupplier, packageOriginator | Mandatory | |
| 2.7 | Component Version |
component->version | package->version | Mandatory | |
| 2.8 | Component with Uniq IDs |
component->cpe, component->purl | externalRef->cpe, externalRef->purl | Mandatory | |
| Practices and Processes | 3.1 | Depth |
dependencies, compositions | relationships | optional |
| 3.2 | Known Unknowns |
optional |