Project Origin
This project originated as a Google Summer of Code project, described in the sections below. It is currently maintained as part of the SPDX community and may no longer match the details described below. See the project README for the current state.
The minimum constituent parts of an overall Software Bill of Materials (SBOM) – referred to as NTIA’s minimum elements – are three broad, interrelated areas (Data Fields, Automation Support, and Practices and Processes). These elements enable an evolving approach to software transparency, capturing both the technology and its functional operation. The purpose of this project is to check whether an SBOM document contains the minimum required data fields: the supplier name, component name, component version, unique identifiers, dependency relationships, author of the SBOM, and timestamps.
This project implemented an NTIA Conformance Checker that checks whether a software bill of materials (SBOM) in SPDX format conforms to the NTIA’s Minimum elements guidance.
Phase 1: Building the NTIA Conformance Checker
- Implemented conformance checks for the document version, supplier name, component name, component version, unique identifiers, dependency relationships, author of the SBOM, and timestamps of an SBOM document.
Used the parse_anything library from tools-python to parse the SBOM document before checking whether it conforms to the NTIA’s Minimum elements guidance. Parsing errors and conformance errors are recorded using the ErrorMessages library from tools-python.
- Support built-in for SBOMs of different file types.
File Formats: XLSX Spreadsheet, XLS Spreadsheet, RDF/XML, Tag/Value, JSON, YAML, and XML.
- Implemented a command line tool for the NTIA Conformance Checker.
Used the Click library to create the command line interface.
- Automated test coverage of more than 90%.
- Project Repository:
- Pull Request:
Re-implemented the parse_file function in parse_anything in tools-python.
- Integrated the NTIA Conformance Checker into spdx-online-tools.
Implemented the ntia_conformance_checker.html in spdx-online-tools. Updated base.html, about.html, validate.html, apps.py, core.py, urls.py, and views.py to incorporate the integration of the NTIA Conformance Checker in the SPDX Online Tool.
- Pull Request:
Integrated the NTIA Conformance Checker into the SPDX Online Tool.
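As an added illustration of the data-field checks listed above, the following is example code written for this page, not the project's own implementation (which parses SBOMs with parse_anything and records errors with ErrorMessages from tools-python). It runs the checks over a constructed SPDX 2.x JSON document in which one package deliberately lacks a version, a supplier, and any relationship.

```python
import json

# Constructed SPDX 2.x JSON sample (not from the project); pkg-b is intentionally incomplete.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: example-generator-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "pkg-a", "versionInfo": "1.2.0",
         "supplier": "Organization: Example Corp"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "pkg-b"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-pkg-a"},
    ],
})


def check_ntia_minimum_elements(doc_text):
    """Return a list of conformance errors; an empty list means every covered field is present."""
    doc = json.loads(doc_text)
    errors = []
    # Document-level fields: SPDX document version, author of the SBOM, timestamp.
    if not doc.get("spdxVersion"):
        errors.append("document: missing spdxVersion")
    info = doc.get("creationInfo", {})
    if not info.get("creators"):
        errors.append("document: missing author (creationInfo.creators)")
    if not info.get("created"):
        errors.append("document: missing timestamp (creationInfo.created)")
    # Collect every SPDX ID that takes part in at least one relationship.
    related = set()
    for rel in doc.get("relationships", []):
        related.add(rel.get("spdxElementId"))
        related.add(rel.get("relatedSpdxElement"))
    # Component-level fields: name, version, supplier, unique ID, dependency relationship.
    for idx, pkg in enumerate(doc.get("packages", [])):
        label = pkg.get("name") or f"package #{idx}"
        if not pkg.get("name"):
            errors.append(f"{label}: missing component name")
        if not pkg.get("versionInfo"):
            errors.append(f"{label}: missing component version")
        if not pkg.get("supplier"):
            errors.append(f"{label}: missing supplier name")
        if not pkg.get("SPDXID"):
            errors.append(f"{label}: missing unique identifier (SPDXID)")
        elif pkg["SPDXID"] not in related:
            errors.append(f"{label}: no dependency relationship references it")
    return errors
```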
Firstly, I want to thank my mentors @licquia, @nishakm, @goneall, and @kestewart for their continuous guidance and support. Thank you for being there with me throughout the project! I know it is only a 12+ week program, but I enjoyed each and every meeting we had. As someone who had never contributed to open source prior to GSoC, I appreciate the incredible job you did introducing me to open source. It was an absolute pleasure working with you, and I will try to stay connected with the community in the future!