-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add ntia compliance report #286
add ntia compliance report #286
Conversation
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26 this does not look accurate to me. |
No, it's not yet completed. It's in process. I have simply added NTIA compliance readme fow now, code part is still left. |
Hey @riteshnoronha , can you go through this NTIA minimum elements compliance report readme and let me know what changes to be made. The recommended data-fields are there in the NTIA minimum elements report - on page 15, so that's why I have added. We can also mark it as optional field. Apart from that one thing I have noticed that the |
@riteshnoronha , any update here ? |
764dab0
to
4240071
Compare
Signed-off-by: Vivek Kumar Sahu <[email protected]> rename relation interface Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]> remove duplicate Signed-off-by: Vivek Kumar Sahu <[email protected]> increase the visiblity of variables, interfaces, struct for reuse Signed-off-by: Vivek Kumar Sahu <[email protected]> add pass test for ntia cdx as well as spdx part Signed-off-by: Vivek Kumar Sahu <[email protected]> update readme ntia compliance for remaining ones Signed-off-by: Vivek Kumar Sahu <[email protected]> fix alligment Signed-off-by: Vivek Kumar Sahu <[email protected]> re-update readme Signed-off-by: Vivek Kumar Sahu <[email protected]> re structure fields to ntia complaince report Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
0a6bd27
to
a089309
Compare
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Hey @riteshnoronha, somewhat it's ready for review. Checkout this ntia compliance feature. And if changes let me know. |
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Compliance.md
Outdated
| NTIA minimum elements | Section ID | NTIA Fields | CycloneDX |SPDX(2.3) | Notes | | ||
| :--- | :--- |:--- | :--- | :--- | :--- | | ||
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | | | ||
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For SPDX it should be creator->Person, creator->organization or creator->tool
Compliance.md
Outdated
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | | | ||
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | | | ||
| | 2.2 | `Timestamp` | metadata->timestamp | created | | | ||
| | 2.3 | `present` | | | all package elements | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
remove this
Compliance.md
Outdated
| | 2.2 | `Timestamp` | metadata->timestamp | created | | | ||
| | 2.3 | `present` | | | all package elements | | ||
| Package Data Fields | 2.4 | `Package Name` | component->name | package->name | | | ||
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just dependencies here, composition is for depth.
Compliance.md
Outdated
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | | | ||
| | 2.6 | `Supplier Name` | component->supplier | packageSupplier, packageOriginator | | | ||
| | 2.7 | `Version of Component` | component->version | package->version | | | ||
| | 2.8 | `Other Uniq IDs` | component->cpe, component->purl | DocumentNamespace, SPDXID | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For SPDX it should also be cpe/purl
@@ -66,3 +66,21 @@ The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/bl | |||
| Timing of SBOM delivery | 3.6 | `SBOM delivery time` | delivery time | | | |||
| Method of SBOM delivery | 3.7 | `SBOM delivery method` | delivery method | | | |||
| SBOM Scope | 3.8 | `SBOM scope` | sbom scope | | | |||
|
|||
## NTIA minimum elements: SBOM Requirements for NTIA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should also denotes field which are mandatory vs optional with an *
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
029b692
to
567737e
Compare
closes: #242
This PR will add NTIA minimum element compliance report. For now I have only updated README for NTIA minimum element compliance report.