Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/spdx/ntia-conformance-checker
Check SPDX SBOM for NTIA minimum elements
sbom sbom-tool
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/spdx/ntia-conformance-checker
- Owner: spdx
- License: apache-2.0
- Created: 2022-07-18T21:32:45.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-08-04T11:19:35.000Z (3 months ago)
- Last Synced: 2024-08-04T12:31:19.046Z (3 months ago)
- Topics: sbom, sbom-tool
- Language: Python
- Homepage:
- Size: 4.03 MB
- Stars: 49
- Watchers: 11
- Forks: 19
- Open Issues: 4
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-sbom - NTIA Conformance Checker - Check SPDX SBOM for NTIA minimum elements (Community Repositories / Security Tools)
README
[![Build Status](https://github.com/spdx/ntia-conformance-checker/workflows/build/badge.svg)](https://github.com/spdx/ntia-conformance-checker/actions)
![CodeQL](https://github.com/spdx/ntia-conformance-checker/actions/workflows/codeql.yml/badge.svg)
[![PyPI version](https://badge.fury.io/py/ntia-conformance-checker.svg)](https://badge.fury.io/py/ntia-conformance-checker)
[![Pylint Version](https://img.shields.io/badge/linting-pylint-yellow)](https://badge.fury.io/py/ntia-conformance-checker)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/spdx/ntia-conformance-checker/badge)](https://scorecard.dev/viewer/?uri=github.com/spdx/ntia-conformance-checker)

# NTIA Conformance Checker
This tool determines whether a [SPDX](https://spdx.dev/) software bill of materials (SBOM) document contains the National Telecommunications and Information Administration (NTIA) ["minimum elements."](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf) The mapping of the NTIA elements required data fields to the SPDX specification can be found [here](https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields).
The minimum elements include:
- Supplier Name
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp

As defined by the NTIA, the minimum elements are "the essential pieces that support basic SBOM functionality and will serve as the foundation for an evolving approach to software transparency."
## Installation
*Installation Method #1*: Install from the [Python Package Index (PyPI)](https://pypi.org/project/ntia-conformance-checker/) with `pip`.
`pip install ntia-conformance-checker`
*Installation Method #2*: Install locally. Clone the repo and install dependencies using the following commands:
```bash
git clone https://github.com/spdx/ntia-conformance-checker.git
cd ntia-conformance-checker
pip install .
```

The tool requires Python 3 (3.8+). It is recommended to use a virtual Python environment, especially if you are using different versions of Python. `virtualenv` is a tool for setting up virtual Python environments which allows you to have all the dependencies for the tool set up in a single environment, or have different environments set up for testing using different versions of Python.

*Installation Method #3*: Users comfortable with containers, specifically Docker, can also pull a container that includes `ntia-conformance-checker`.
One version is hosted on [Chainguard's registry](https://images.chainguard.dev/directory/image/ntia-conformance-checker/overview):
```bash
docker pull cgr.dev/chainguard/ntia-conformance-checker:latest
```

Another version is hosted on [Docker Hub](https://hub.docker.com/r/chainguard/ntia-conformance-checker):

```bash
docker pull chainguard/ntia-conformance-checker:latest
```

## CLI Usage
```
Usage: ntia-checker [OPTIONS]

Options:
  --file TEXT              The file to be parsed
  --output [print|json]    Output format [default: print]
  -v, --verbose            Use verbose printing
  --output_path TEXT       Filepath for optionally storing output.
  -h, --help               Show this message and exit.
```

The user can then analyze a particular file:
```bash
ntia-checker --file sbom.json
```

To generate the output in machine-readable JSON, run:

```bash
ntia-checker --file sbom.spdx --output json
```

## Usage as a Library
`ntia-conformance-checker` can also be imported as a library. For example:
```python
import ntia_conformance_checker as ntia
sbom = ntia.SbomChecker("SBOM_filepath")
print(sbom.ntia_minimum_elements_compliant)
```

Additional properties and methods associated with `SbomChecker()` can be found in [`sbom_checker.py`](ntia_conformance_checker/sbom_checker.py).
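To make the NTIA-to-SPDX field mapping concrete, here is an added, self-contained illustration of the check over a constructed SPDX 2.3 JSON document. It is not the project's own code (which delegates parsing to `spdx-tools`) and simplifies the real checks: it reads the SPDX JSON field names directly, and the finding categories and the sample document are assumptions made for this example.

```python
import json

# Constructed sample SPDX 2.3 JSON; "pkg-b" lacks a version and a supplier.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example",
    "creationInfo": {"created": "2024-01-01T00:00:00Z",
                     "creators": ["Tool: example-generator-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "pkg-a", "versionInfo": "1.2.3",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/pkg-a@1.2.3"}]},
        {"SPDXID": "SPDXRef-pkg-b", "name": "pkg-b"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-pkg-a"}],
})

def check_minimum_elements(sbom_json: str) -> dict:
    """Map each NTIA minimum element to a list of findings (empty list = OK)."""
    doc = json.loads(sbom_json)
    info = doc.get("creationInfo", {})
    findings = {k: [] for k in ("author", "timestamp", "supplier", "name",
                                "version", "unique_id", "relationship")}
    # Author of SBOM data and timestamp live in creationInfo.
    if not info.get("creators"):
        findings["author"].append("creationInfo.creators missing")
    if not info.get("created"):
        findings["timestamp"].append("creationInfo.created missing")
    # Dependency relationship: the document must DESCRIBE at least one element.
    if not any(r.get("relationshipType") == "DESCRIBES"
               for r in doc.get("relationships", [])):
        findings["relationship"].append("no DESCRIBES relationship")
    # Per-package elements: supplier, component name, version, unique identifier.
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        if not pkg.get("name"):
            findings["name"].append(f"{pid}: name missing")
        if not pkg.get("versionInfo"):
            findings["version"].append(f"{pid}: versionInfo missing")
        if not pkg.get("supplier"):
            findings["supplier"].append(f"{pid}: supplier missing")
        if not (pkg.get("SPDXID") or pkg.get("externalRefs")):
            findings["unique_id"].append(f"{pid}: no SPDXID or external ref")
    return findings

def is_compliant(sbom_json: str) -> bool:
    # True only when every minimum element produced no findings.
    return not any(check_minimum_elements(sbom_json).values())
```

Running `check_minimum_elements(SAMPLE_SBOM)` reports the two gaps on `SPDXRef-pkg-b`, which is why `is_compliant` returns `False` for the sample; the same per-element breakdown is what the tool's `--output json` mode is for.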
# History
This is the result of an initial [Google Summer of Code (GSoC)](https://summerofcode.withgoogle.com/) contribution in 2022 by
[@linynjosh](https://github.com/linynjosh) and is maintained
by a community of SPDX adopters and enthusiasts.

# License
[Apache-2.0](LICENSE)
# Dependencies
* [spdx-tools](https://pypi.org/project/spdx-tools/) used for parsing the SPDX SBOM.
# Support
* Submit issues, questions or feedback at https://github.com/spdx/ntia-conformance-checker/issues
* Join the discussion on https://lists.spdx.org/g/spdx-tech and https://spdx.dev/participate/tech/

# Contributing
Contributions are very welcome! See [CONTRIBUTING.md](./CONTRIBUTING.md) for instructions on how to contribute to the codebase.
# Further help
Check out the [frequently asked questions](FAQ.md) document.