Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add ntia compliance report #286

Merged
merged 21 commits into from
Sep 21, 2024
Merged

add ntia compliance report #286

merged 21 commits into from
Sep 21, 2024

Conversation

viveksahu26
Copy link
Collaborator

closes: #242

This PR will add NTIA minimum element compliance report. For now I have only updated README for NTIA minimum element compliance report.

@viveksahu26
add ntia compliance readme report
e547686 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
correct numbering
c92ea61 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@riteshnoronha
Copy link
Contributor

@viveksahu26 this does not look accurate to me.

@viveksahu26
Copy link
Collaborator Author

No, it's not yet completed. It's in process. I have simply added NTIA compliance readme fow now, code part is still left.

@viveksahu26
Copy link
Collaborator Author

Hey @riteshnoronha , can you go through this NTIA minimum elements compliance report readme and let me know what changes to be made. The recommended data-fields are there in the NTIA minimum elements report - on page 15, so that's why I have added. We can also mark it as optional field.

Apart from that one thing I have noticed that the cra_score.go is 95% same as oct_score.go except some print statement. Similarly for cra_report.go and oct_report.go. And again for NTIA we have to repeat it and that would be ntia_score.go and ntia_report.go. Can we generalized these in a common package, which will contain both score.go and report.go functionality. WDT ??

@viveksahu26
Copy link
Collaborator Author

@riteshnoronha , any update here ?

@viveksahu26
added a ntia result
dde7932 
Signed-off-by: Vivek Kumar Sahu <[email protected]>

rename relation interface

Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
add ntia compliance command
9d1d507 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
add ntia compliance core functionality
73a9d3f 
Signed-off-by: Vivek Kumar Sahu <[email protected]>

remove duplicate

Signed-off-by: Vivek Kumar Sahu <[email protected]>

increase the visiblity of variables, interfaces, struct for reuse

Signed-off-by: Vivek Kumar Sahu <[email protected]>

add pass test for ntia cdx as well as spdx part

Signed-off-by: Vivek Kumar Sahu <[email protected]>

update readme ntia compliance for remaining ones

Signed-off-by: Vivek Kumar Sahu <[email protected]>

fix alligment

Signed-off-by: Vivek Kumar Sahu <[email protected]>

re-update readme

Signed-off-by: Vivek Kumar Sahu <[email protected]>

re structure fields to ntia complaince report

Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
Merge branch 'main' into feat_ntia_compliance_report
ee04827 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
update variables and function name as per casing
a089309 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
Copy link
Collaborator Author

Hey @riteshnoronha, somewhat it's ready for review. Checkout this ntia compliance feature. And if changes let me know.

@viveksahu26
improve code readability
d876dcd 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
complete test for fail case too
80053c4 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
fix lintings errors
673a929 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
riteshnoronha
riteshnoronha requested changes Sep 2, 2024
View reviewed changes
Compliance.md Outdated
| NTIA minimum elements | Section ID | NTIA Fields | CycloneDX |SPDX(2.3) | Notes |
| :--- | :--- |:--- | :--- | :--- | :--- |
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | |
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For SPDX it should be creator->Person, creator->organization or creator->tool

Compliance.md Outdated
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | |
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | |
| | 2.2 | `Timestamp` | metadata->timestamp | created | |
| | 2.3 | `present` | | | all package elements |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove this

Compliance.md Outdated
| | 2.2 | `Timestamp` | metadata->timestamp | created | |
| | 2.3 | `present` | | | all package elements |
| Package Data Fields | 2.4 | `Package Name` | component->name | package->name | |
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just dependencies here, composition is for depth.

Compliance.md Outdated
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | |
| | 2.6 | `Supplier Name` | component->supplier | packageSupplier, packageOriginator | |
| | 2.7 | `Version of Component` | component->version | package->version | |
| | 2.8 | `Other Uniq IDs` | component->cpe, component->purl | DocumentNamespace, SPDXID | |
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For SPDX it should also be cpe/purl

Compliance.md
@@ -66,3 +66,21 @@ The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/bl
| Timing of SBOM delivery | 3.6 | `SBOM delivery time` | delivery time | |
| Method of SBOM delivery | 3.7 | `SBOM delivery method` | delivery method | |
| SBOM Scope | 3.8 | `SBOM scope` | sbom scope | |

## NTIA minimum elements: SBOM Requirements for NTIA
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should also denotes field which are mandatory vs optional with an *

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@viveksahu26
Merge branch 'main' into feat_ntia_compliance_report
962bb40 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
resolve liniting errors
ba04e91 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
replace id by name
0f8f22f 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
fix dependencies and compositions
9e54452 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26
add test ci workflow
8c1b3db 
Signed-off-by: Vivek Kumar Sahu <[email protected]>
@viveksahu26 viveksahu26 mentioned this pull request Sep 21, 2024
Open
@riteshnoronha riteshnoronha merged commit 2dd726f into interlynk-io:main Sep 21, 2024
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@riteshnoronha riteshnoronha riteshnoronha approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add NTIA minimum element compliance report.
2 participants
@viveksahu26 @riteshnoronha