add ntia compliance report #286
Changes from 13 commits
@@ -66,3 +66,21 @@ The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/bl | |
| Timing of SBOM delivery | 3.6 | `SBOM delivery time` | delivery time | | | ||
| Method of SBOM delivery | 3.7 | `SBOM delivery method` | delivery method | | | ||
| SBOM Scope | 3.8 | `SBOM scope` | sbom scope | | | ||
|
||
## NTIA minimum elements: SBOM Requirements for NTIA | ||
|
||
The [NTIA](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf) specifies mandatory properties for an SBOM. Below is how we have derived all the values. | ||
|
||
| NTIA minimum elements | Section ID | NTIA Fields | CycloneDX |SPDX(2.3) | Notes | | ||
| :--- | :--- |:--- | :--- | :--- | :--- | | ||
| Automation Support | 1.1 | `Machine Readable Format` | BomFormat & data forrmat | SPDXversion & data forrmat | | | ||
| SBOM Data Fields | 2.1 | `Author of the SBOM` | metadata->authors, metadata->supplier | creator | | | ||
For SPDX it should be creator->Person, creator->organization or creator->tool
| | 2.2 | `Timestamp` | metadata->timestamp | created | | | ||
| | 2.3 | `present` | | | all package elements | | ||
remove this
| Package Data Fields | 2.4 | `Package Name` | component->name | package->name | | | ||
| | 2.5 | `Dependency Relationship` | dependencies, composition | relationships | | | ||
Just dependencies here, composition is for depth.
| | 2.6 | `Supplier Name` | component->supplier | packageSupplier, packageOriginator | | | ||
| | 2.7 | `Version of Component` | component->version | package->version | | | ||
| | 2.8 | `Other Uniq IDs` | component->cpe, component->purl | DocumentNamespace, SPDXID | | | ||
For SPDX it should also be cpe/purl
| Practices and Processes | 3.1 | `Depth` | dependencies, compositions | relationships | | | ||
| | 3.2 | `Known Unknowns` | | | | |
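Review bot: The intro line of the new section, "The [NTIA](https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2.pdf) specifies mandatory properties for an SBOM", links the word NTIA to the BSI Technical Guideline TR-03183-2 PDF rather than to an NTIA publication; either point the link at the NTIA minimum-elements document the section is named after, or relabel the link as BSI TR-03183-2 and say in the heading which requirement set the table follows, since the two are different documents with different mandatory fields. Two smaller points in the same hunk: the Automation Support row reads "BomFormat & data forrmat | SPDXversion & data forrmat", misspelling "format" twice, and the closing row "| | 3.2 | `Known Unknowns` | | | | |" carries no CycloneDX or SPDX mapping and no note, so a reader cannot tell whether the element is intentionally unmapped or the row is unfinished; a short entry in the Notes column saying how the report treats it would settle that.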
We should also denote fields which are mandatory vs optional with an *
done