### High Quality SBOMs - Do you have them?
The federal administration released its national cybersecurity strategy [update](https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/) on March 3rd. One of the ways it would like to further the adoption of secure software development practices is to encourage the development of SBOMs. We at Interlynk believe this is a great step forward for improving the security of the software supply chain.
An SBOM is a dependency blueprint of your application, framework or container. The promise of an SBOM is to make the following more deterministic and accurate:
- Vulnerability detection & management
- Asset management
- IP & License management
- Incident response
To achieve the above promises, a **high quality SBOM** would need to have the following:
- Identify and list all components of your product along with their transitive dependencies.
- List all components along with their versions and content checksums.
- Include accurate component licenses.
- Include accurate lookup identifiers, e.g. PURLs or CPEs.
- Be generated at the right stage of the lifecycle: the quality of an SBOM depends a lot on when it is generated, and we believe closer to build time is ideal.
- Be signed.
- Lay out the information according to industry standard specs like CycloneDX, SPDX and SWID.
From our conversations and participation in various forums, in addition to the above requirements, people would like to see:
- Depth of dependencies.
- Validity of the content of the SBOM, e.g. is a SHA-1 checksum longer than 40 characters?
- Authoring tool details and versions.
- Container SBOMs.
- Completeness.
A high quality SBOM is not a new idea; the industry and regulators have been thinking about this since the rollout of Executive Order 14028. The NTIA has proposed [minimum elements](https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf), and OWASP is building the [BOM maturity model](https://scvs.owasp.org/bom-maturity-model/). As the federal push for SBOM adoption increases, we expect to see industry-specific customizations of these quality requirements and related quality assurance/enforcement products.
That is a ton of requirements; an SBOM which provides the above information would be deemed a **high quality SBOM**. The quality score of an SBOM also serves as an indicator of the maturity of the tool that generated it.
Interlynk manages a collection of SBOMs, and it is our observation that the maturity of OSS SBOM generators still requires further development. To facilitate our daily operations, we considered creating a quality scoring tool to help us promptly assess the usefulness of incoming SBOMs. This lets us establish policies that reject deficient SBOMs, such as those that lack component versions or vulnerability lookup IDs (CPE or PURL). Our aim was to build a tool that is straightforward to run, exceptionally comprehensive, simple to customize, and available as open source.
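As an added example, not code from this post or from sbomqs, the following Python script scores a constructed CycloneDX JSON document against the component-level requirements listed above (names, versions, checksums, lookup identifiers, licenses, suppliers) and then applies the kind of intake policy just described, rejecting an SBOM whose components lack versions or lookup IDs. The sample document, the small SPDX license tables, the feature names and the 7.0 acceptance threshold are assumptions made for this example; the scoring rule, 10 times the fraction of components that pass a check with an empty SBOM scoring 0, mirrors the per-feature ratios visible in the sbomqs reports later in the post.

```python
"""Minimal SBOM quality scorer and admission policy for CycloneDX JSON.

Added example for this post; not code from sbomqs. The sample document,
license tables and feature names below are constructed for illustration.
"""
import json
import re

# Constructed CycloneDX 1.4 document: four components of varying quality.
SAMPLE_CDX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"timestamp": "2023-03-05T12:00:00Z",
                 "authors": [{"name": "build-pipeline"}]},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}],
         "licenses": [{"license": {"id": "MIT"}}],
         "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libbar", "version": "0.9",
         "hashes": [{"alg": "SHA-1", "content": "b" * 40}],
         "licenses": [{"license": {"id": "GPL-2.0"}}]},   # deprecated id, no purl/cpe
        {"type": "application", "name": "tool",
         "purl": "pkg:generic/tool",
         "licenses": [{"license": {"name": "custom"}}]},  # no version, no SPDX id
        {"name": "mystery"},                              # name only
    ],
})
# Same shape with no components at all, like the kube-controller-manager report.
EMPTY_CDX = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []})

# Tiny subsets of the SPDX license list, enough for the example (assumption).
KNOWN_SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-2.0"}
DEPRECATED_SPDX_IDS = {"GPL-2.0", "GPL-3.0", "LGPL-2.1"}   # superseded by -only / -or-later ids
EXPECTED_HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}
HEX = re.compile(r"[0-9a-fA-F]+")


def has_valid_checksum(c):
    """A checksum counts only if its length and alphabet match the declared algorithm."""
    for h in c.get("hashes", []):
        want = EXPECTED_HEX_LEN.get(h.get("alg"))
        digest = h.get("content", "")
        if want and len(digest) == want and HEX.fullmatch(digest):
            return True
    return False


def spdx_ids(c):
    """SPDX identifiers declared on a component (license entries without an id are ignored)."""
    return [lic.get("license", {}).get("id") for lic in c.get("licenses", [])
            if lic.get("license", {}).get("id")]


# Feature name -> predicate over one component. Names echo the report's wording.
CHECKS = {
    "components have names": lambda c: bool(c.get("name")),
    "components have versions": lambda c: bool(c.get("version")),
    "components have supplier names": lambda c: bool(c.get("supplier", {}).get("name")),
    "components have primary purpose": lambda c: bool(c.get("type")),
    "components have checksums": has_valid_checksum,
    "components have any lookup id": lambda c: bool(c.get("purl") or c.get("cpe")),
    "components have multiple lookup ids": lambda c: bool(c.get("purl") and c.get("cpe")),
    "components have licenses": lambda c: bool(c.get("licenses")),
    "components have valid spdx licenses": lambda c: any(i in KNOWN_SPDX_IDS for i in spdx_ids(c)),
    "components have no deprecated licenses": lambda c: not any(i in DEPRECATED_SPDX_IDS for i in spdx_ids(c)),
}


def score_feature(components, check):
    """10 * passing / total, rounded to one decimal; an empty SBOM scores 0, not 10."""
    total = len(components)
    passing = sum(1 for c in components if check(c))
    score = 10.0 * passing / total if total else 0.0
    return round(score, 1), passing, total


def score_sbom(text):
    """Return (overall score, {feature: (score, passing, total)}) for a CycloneDX JSON string."""
    components = json.loads(text).get("components", [])
    report = {name: score_feature(components, check) for name, check in CHECKS.items()}
    overall = round(sum(s for s, _, _ in report.values()) / len(report), 1)
    return overall, report


# Features every component must satisfy for the SBOM to be accepted at intake (assumed policy).
REQUIRED = ("components have versions", "components have any lookup id")


def policy_decision(report, overall, minimum=7.0):
    """Accept only if overall >= minimum and every REQUIRED feature is met by all components."""
    reasons = [f"overall score {overall} below {minimum}"] if overall < minimum else []
    for name in REQUIRED:
        _, passing, total = report[name]
        # An SBOM with no components cannot satisfy a per-component requirement.
        if total == 0 or passing != total:
            reasons.append(f"{name}: {passing}/{total}")
    return not reasons, reasons


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_CDX), ("empty", EMPTY_CDX)):
        overall, report = score_sbom(doc)
        print(f"{label}: overall {overall}")
        for name, (score, passing, total) in report.items():
            print(f"  {score:>4}/10.0  {name} ({passing}/{total})")
        accepted, reasons = policy_decision(report, overall)
        print("  accepted" if accepted else "  rejected: " + "; ".join(reasons))
```

Running it prints a per-feature breakdown for both documents; the four-component sample lands at 5.5 and is rejected for a low overall score and for two components missing a version and two missing any lookup ID, while the empty document scores 0.0 on every feature, which is exactly why a "components:0" SBOM should never pass an intake gate.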
[sbomqs](https://github.com/interlynk-io/sbomqs) is our contribution to the open source ecosystem. The tool currently has **20 scoring criteria**, and the number is increasing every week. Some of the key features of this tool:
- Autodetects the SBOM spec and file format.
- Customizable feature and category scoring selection.
- Machine-consumable output formats like JSON.
- CI/CD compatible.
- Actively maintained.
Our team uses this tool to support the advancement of OSS SBOM generators. You can review our interaction with the community by following the link provided [here](https://github.com/interlynk-io/sbomqs/discussions/39).
One of the cool features of this tool is quickly getting an assessment of a whole set of SBOMs:
```
sbomqs score --dirpath . --reportFormat basic
6.4 ascii-boxes-sbom-cdx.json
8.0 hyperkube-v1.9.9.sha256-0154cef159c73ca72cbb86f68940a5f14ebbb72282057d5b20555be731423eb6.syft.0.58.0.spdx.json
7.1 julia.spdx
7.6 kube-addon-manager-v9.1.1.sha256-c0ed56727cd78700034f2f863d774412c78681fb6535456f5e5c420f4248c5a1.syft.0.58.0.spdx.json
3.6 kube-controller-manager-v1.9.9.sha256-933df6c025b5670911cd3c45e6dbf99fa082ae4b46bc0b25531bfa6fe2e1067a.syft.0.58.0.spdx.json
7.1 traefix-cdx.xml
```
The above output highlights a few points: the directory contains a mix of SPDX and CycloneDX SBOMs in JSON, XML and tag-value formats, and `kube-controller-manager-v1.9.9` has a pretty bad quality score. We can take a deeper look at why that is the case.
```
sbomqs score --filepath kube-controller-manager-v1.9.9.sha256-933df6c025b5670911cd3c45e6dbf99fa082ae4b46bc0b25531bfa6fe2e1067a.syft.0.58.0.spdx.json
SBOM Quality Score:3.6 components:0 kube-controller-manager-v1.9.9.sha256-933df6c025b5670911cd3c45e6dbf99fa082ae4b46bc0b25531bfa6fe2e1067a.syft.0.58.0.spdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY | FEATURE | SCORE | DESC |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has authors | 10.0/10.0 | doc has 2 authors |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has relationships | 0.0/10.0 | doc has 0 relationships |
+ +--------------------------------+-----------+--------------------------------+
| | Components have names | 0.0/10.0 | 0/0 have names |
+ +--------------------------------+-----------+--------------------------------+
| | Components have supplier names | 0.0/10.0 | 0/0 have supplier names |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has creation timestamp | 10.0/10.0 | doc has creation timestamp |
| | | | 2022-10-04T17:10:01.939261542Z |
+ +--------------------------------+-----------+--------------------------------+
| | Components have uniq ids | 0.0/10.0 | 0/0 have unique ID's |
+ +--------------------------------+-----------+--------------------------------+
| | Components have versions | 0.0/10.0 | 0/0 have versions |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Quality | Components have primary | 0.0/10.0 | 0/0 components have primary |
| | purpose defined | | purpose specified |
+ +--------------------------------+-----------+--------------------------------+
| | Components have no deprecated | 0.0/10.0 | no licenses found |
| | licenses | | |
+ +--------------------------------+-----------+--------------------------------+
| | Components have valid spdx | 0.0/10.0 | 0/0 components with valid |
| | licenses | | license |
+ +--------------------------------+-----------+--------------------------------+
| | Components have no restricted | 0.0/10.0 | no licenses found |
| | licenses | | |
+ +--------------------------------+-----------+--------------------------------+
| | Components have multiple | 0.0/10.0 | 0/0 components have multiple |
| | vulnerability lookup ids | | lookup id |
+ +--------------------------------+-----------+--------------------------------+
| | Components have any | 0.0/10.0 | 0/0 components have any lookup |
| | vulnerability lookup id | | id |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Semantic | Components have checksums | 0.0/10.0 | 0/0 have checksums |
+ +--------------------------------+-----------+--------------------------------+
| | Components have licenses | 0.0/10.0 | 0/0 have licenses |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has all required fields | 5.0/10.0 | Doc Fields:true Pkg |
| | | | Fields:false |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Sharing | Doc sharable license | 10.0/10.0 | doc has a sharable license |
| | | | free 1 :: of 1 |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Structural | Spec is parsable | 10.0/10.0 | provided sbom is parsable |
+ +--------------------------------+-----------+--------------------------------+
| | Spec Version | 10.0/10.0 | provided sbom should be in |
| | | | supported spec version for |
| | | | spec:SPDX-2.2 and versions: |
| | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 |
+ +--------------------------------+-----------+--------------------------------+
| | SBOM Specification | 10.0/10.0 | provided sbom is in a |
| | | | supported sbom format of |
| | | | spdx,cyclonedx |
+ +--------------------------------+-----------+--------------------------------+
| | Spec File Format | 10.0/10.0 | provided sbom should be in |
| | | | supported file format for |
| | | | spec: json and version: |
| | | | json,yaml,rdf,tag-value |
+-----------------------+--------------------------------+-----------+--------------------------------+
```
As is pretty evident, this SBOM has no components. The report lets you drill down into the details and get a good idea of what is happening. This is an extreme case; let's now look at another example, `hyperkube-v1.9.9`, which got a good score of 8.0, and see why it did not get a 10.0.
```
SBOM Quality Score:8.0 components:225 hyperkube-v1.9.9.sha256-0154cef159c73ca72cbb86f68940a5f14ebbb72282057d5b20555be731423eb6.syft.0.58.0.spdx.json
+-----------------------+--------------------------------+-----------+--------------------------------+
| CATEGORY | FEATURE | SCORE | DESC |
+-----------------------+--------------------------------+-----------+--------------------------------+
| NTIA-minimum-elements | Doc has relationships | 10.0/10.0 | doc has 6516 relationships |
+ +--------------------------------+-----------+--------------------------------+
| | Components have uniq ids | 10.0/10.0 | 225/225 have unique ID's |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has authors | 10.0/10.0 | doc has 2 authors |
+ +--------------------------------+-----------+--------------------------------+
| | Components have supplier names | 0.0/10.0 | 0/225 have supplier names |
+ +--------------------------------+-----------+--------------------------------+
| | Components have names | 10.0/10.0 | 225/225 have names |
+ +--------------------------------+-----------+--------------------------------+
| | Components have versions | 10.0/10.0 | 225/225 have versions |
+ +--------------------------------+-----------+--------------------------------+
| | Doc has creation timestamp | 10.0/10.0 | doc has creation timestamp |
| | | | 2022-10-01T20:40:30.455480227Z |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Quality | Components have multiple | 10.0/10.0 | 225/225 components have |
| | vulnerability lookup ids | | multiple lookup id |
+ +--------------------------------+-----------+--------------------------------+
| | Components have primary | 0.0/10.0 | 0/225 components have primary |
| | purpose defined | | purpose specified |
+ +--------------------------------+-----------+--------------------------------+
| | Components have any | 10.0/10.0 | 225/225 components have any |
| | vulnerability lookup id | | lookup id |
+ +--------------------------------+-----------+--------------------------------+
| | Components have no deprecated | 8.3/10.0 | 39/225 components have |
| | licenses | | deprecated licenses |
+ +--------------------------------+-----------+--------------------------------+
| | Components have no restricted | 10.0/10.0 | 0/225 components have |
| | licenses | | restricted licenses |
+ +--------------------------------+-----------+--------------------------------+
| | Components have valid spdx | 5.3/10.0 | 119/225 components with valid |
| | licenses | | license |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Semantic | Doc has all required fields | 10.0/10.0 | Doc Fields:true Pkg |
| | | | Fields:true |
+ +--------------------------------+-----------+--------------------------------+
| | Components have licenses | 5.3/10.0 | 119/225 have licenses |
+ +--------------------------------+-----------+--------------------------------+
| | Components have checksums | 0.0/10.0 | 0/225 have checksums |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Sharing | Doc sharable license | 10.0/10.0 | doc has a sharable license |
| | | | free 1 :: of 1 |
+-----------------------+--------------------------------+-----------+--------------------------------+
| Structural | Spec is parsable | 10.0/10.0 | provided sbom is parsable |
+ +--------------------------------+-----------+--------------------------------+
| | Spec Version | 10.0/10.0 | provided sbom should be in |
| | | | supported spec version for |
| | | | spec:SPDX-2.2 and versions: |
| | | | SPDX-2.1,SPDX-2.2,SPDX-2.3 |
+ +--------------------------------+-----------+--------------------------------+
| | SBOM Specification | 10.0/10.0 | provided sbom is in a |
| | | | supported sbom format of |
| | | | spdx,cyclonedx |
+ +--------------------------------+-----------+--------------------------------+
| | Spec File Format | 10.0/10.0 | provided sbom should be in |
| | | | supported file format for |
| | | | spec: json and version: |
| | | | json,yaml,rdf,tag-value |
+-----------------------+--------------------------------+-----------+--------------------------------+
```
Looking at the details, almost half of its components don't have licenses, some have deprecated licenses, the packages have not been qualified as an application or library, and supplier names are missing.
We have more cool features we plan to add to this tool. If you would like to request features, please do; we love community participation. You can file feature requests [here](https://github.com/interlynk-io/sbomqs/issues).
Thanks for reading this far.
Ritesh Noronha
CoFounder & CTO at Interlynk