Framing Third Edition Compliance Checks

[surendrapathak]

CISA' Framing Document Third Edition is under community review and suggests SBOM field's described as

• Minimum Expected
• Recommended Practice
• Aspirational Goal

sbomqs should aim to

• identify Minimum Expected fields
• elevate result to 'Recommended Practice' when SBOM alone can confirm that (e.g. Relationship is present for all components)
• elevate result to 'Aspirational Goal' when SBOM alone can confirm that (e.g. Component license all details are included)

The result should be accessible as JSON to meet requirements discussed in CISA-SBOM-Community/SBOM-Generation#19

[viveksahu26]

This table will illustrate the summary of this draft in table format:

Attribute	Requirement Level	Minimum Requirement	Recommended Practice	Aspirational Goal	CycloneDX	SPDX	sbomqs
Author Name	Must	List all SBOM creators. Author may different from Supplier Name.	Include tools/versions used in SBOM creation.		✔️ (metadata->tools, metadata->authors), metadata->manufacturer	✔️ (CreationInfo->Creator )	✔️ (NTIA category - sbom_authors)
Timestamp	Must	Date and time SBOM was created (e.g., 2024-05-23T13:51:37Z).			✔️ (metadata->timestamp )	✔️ (CreationInfo->created)	✔️ (NTIA Category - sbom_creation_timestamp)
Type	Optional			Provide context for how and why the SBOM was created.	✔️ (metadata->component->type)	✔️ (package->primaryPackagePurpose)	✔️ (Quality Category - comp_with_primary_purpose)
Primary Component	Must	Identifies the root component of dependencies.			✔️ (metadata->component)	✔️ (Relationship->SPDXRef-DOCUMENT)	✔️ (Quality Category - sbom_with_primary_component)
Component Name	Must	Public name of component by supplier/creator.			✔️ (component->name )	✔️ (package->name )	✔️ (NTIA Category - comp_with_name)
Version	Must	Specifies software iteration (e.g., 1.0.0).			✔️ (component->version )	✔️ (package->versionInfo)	✔️ (NTIA Category - comp_with_version)
Supplier Name	Must	Entity that created the component.			✔️ (component->manufacturer, component->authors, and maybe component->supplier, )	✔️ (package->supplier, package->originator)	✔️ (NTIA Category - comp_with_supplier)
Unique Identifier	Must	Unique identifier (e.g., CPE, PURL, SWID, SWHID, omniborID, UUID).			✔️ (component->cpe, component->purl, component->omniborId, component->swhid, component->swid )	✔️ (package->externalRef )	✔️ (NTIA Category - comp_with_uniq_ids )
Cryptographic Hash	Must	Hash for the compiled binary (e.g., SHA-256).	Hash for the Primary Component using secure algorithms.		✔️ (component->hashes )	✔️ (package->checksum )	✔️ (Semantic Category comp_with_checksums )
Relationship	Must	Declare relationships between the primary component and direct dependencies. --> composition	Declare relationships for all components listed. --> dependencies	List all dependencies, included or not.	✔️ (dependencies, compositions	✔️ (relationships)	✔️ (sbomqs support in CRA and OCT compliance )
Relationship Assertions	Optional	Non-authoritative claims about components.	Make non-authoritative claims as needed.		✔️ ( dependencies, compositions	✔️ (relationships) )	✔️ (sbomqs support in CRA and OCT compliance )
License	Optional	Legal terms for software use, modification, and distribution.	Detailed license info for many components.	Detailed license info for all components with attestation.	✔️ (component->licenses )	✔️ (Package->licenseConcluded, Package->licenseDeclared )	✔️ ( Semantic Category - comp_with_licenses)
Copyright Holder	Must	Copyright info for Primary Component.	Copyright info for other components where available.	Ensure copyright info for all components.	✔️ (component->copyright )	✔️ (Package->copyrightText)	✔️ (supported in OCT Compliance report)

[viveksahu26]

@surendrapathak , we have almost all fields drafted in 3rd edition of minimum elements by NTIA. Like some of them are present in NTIA category, or Quality Category, etc or CRA/OCT compliance data fields, etc. Should we start working on implementation part of it ?