Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add ntia compliance report #286

Merged

Conversation

viveksahu26
Copy link
Collaborator

closes: #242

This PR will add NTIA minimum element compliance report. For now I have only updated README for NTIA minimum element compliance report.

Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@riteshnoronha
Copy link
Contributor

@viveksahu26 this does not look accurate to me.

@viveksahu26
Copy link
Collaborator Author

No, it's not yet completed. It's in process. I have simply added NTIA compliance readme fow now, code part is still left.

@viveksahu26
Copy link
Collaborator Author

Hey @riteshnoronha , can you go through this NTIA minimum elements compliance report readme and let me know what changes to be made. The recommended data-fields are there in the NTIA minimum elements report - on page 15, so that's why I have added. We can also mark it as optional field.

Apart from that one thing I have noticed that the cra_score.go is 95% same as oct_score.go except some print statement. Similarly for cra_report.go and oct_report.go. And again for NTIA we have to repeat it and that would be ntia_score.go and ntia_report.go. Can we generalized these in a common package, which will contain both score.go and report.go functionality. WDT ??

@viveksahu26
Copy link
Collaborator Author

@riteshnoronha , any update here ?

@viveksahu26 viveksahu26 force-pushed the feat_ntia_compliance_report branch from 764dab0 to 4240071 Compare August 7, 2024 06:34
Signed-off-by: Vivek Kumar Sahu <[email protected]>

rename relation interface

Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>

remove duplicate

Signed-off-by: Vivek Kumar Sahu <[email protected]>

increase the visiblity of variables, interfaces, struct for reuse

Signed-off-by: Vivek Kumar Sahu <[email protected]>

add pass test for ntia cdx as well as spdx part

Signed-off-by: Vivek Kumar Sahu <[email protected]>

update readme ntia compliance for remaining ones

Signed-off-by: Vivek Kumar Sahu <[email protected]>

fix alligment

Signed-off-by: Vivek Kumar Sahu <[email protected]>

re-update readme

Signed-off-by: Vivek Kumar Sahu <[email protected]>

re structure fields to ntia complaince report

Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26 viveksahu26 force-pushed the feat_ntia_compliance_report branch from 0a6bd27 to a089309 Compare August 12, 2024 06:26
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
Copy link
Collaborator Author

Hey @riteshnoronha, somewhat it's ready for review. Checkout this ntia compliance feature. And if changes let me know.

Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Compliance.md Outdated
| NTIA minimum elements | Section ID | NTIA Fields | CycloneDX |SPDX(2.3) | Notes |
| :--- | :--- |:--- | :--- | :--- | :--- |
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | |
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For SPDX it should be creator->Person, creator->organization or creator->tool

Compliance.md Outdated
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | |
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | |
| | 2.2 | `Timestamp` | metadata->timestamp | created | |
| | 2.3 | `present` | | | all package elements |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove this

Compliance.md Outdated
| | 2.2 | `Timestamp` | metadata->timestamp | created | |
| | 2.3 | `present` | | | all package elements |
| Package Data Fields | 2.4 | `Package Name` | component->name | package->name | |
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just dependencies here, composition is for depth.

Compliance.md Outdated
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | |
| | 2.6 | `Supplier Name` | component->supplier | packageSupplier, packageOriginator | |
| | 2.7 | `Version of Component` | component->version | package->version | |
| | 2.8 | `Other Uniq IDs` | component->cpe, component->purl | DocumentNamespace, SPDXID | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For SPDX it should also be cpe/purl

@@ -66,3 +66,21 @@ The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/bl
| Timing of SBOM delivery | 3.6 | `SBOM delivery time` | delivery time | |
| Method of SBOM delivery | 3.7 | `SBOM delivery method` | delivery method | |
| SBOM Scope | 3.8 | `SBOM scope` | sbom scope | |

## NTIA minimum elements: SBOM Requirements for NTIA
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also denotes field which are mandatory vs optional with an *

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@riteshnoronha riteshnoronha merged commit 2dd726f into interlynk-io:main Sep 21, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add NTIA minimum element compliance report.
2 participants