add support for OpenChain Telco compliance #261
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
viveksahu26
changed the title
viveksahu26
force-pushed
the
openchain_telco_report_#243
branch
from
3f1b146 to
9636f7d
Compare
viveksahu26
force-pushed
the
openchain_telco_report_#243
branch
from
9636f7d to
7ed3d5d
Compare
Signed-off-by: Vivek Kumar Sahu <[email protected]> remove extra column Signed-off-by: Vivek Kumar Sahu <[email protected]> removed duplicate field Signed-off-by: Vivek Kumar Sahu <[email protected]> lite version of oct compliance implementation Signed-off-by: Vivek Kumar Sahu <[email protected]> add opentelco compliance for sbom specification Signed-off-by: Vivek Kumar Sahu <[email protected]> update compliance readme Signed-off-by: Vivek Kumar Sahu <[email protected]> replace "name" datafield by "specType" Signed-off-by: Vivek Kumar Sahu <[email protected]> add oct compliance for componenets Signed-off-by: Vivek Kumar Sahu <[email protected]> complete readme for openchain telco compliance Signed-off-by: Vivek Kumar Sahu <[email protected]> added section ID column Signed-off-by: Vivek Kumar Sahu <[email protected]> add compliance for other data fields Signed-off-by: Vivek Kumar Sahu <[email protected]> handle cyclonedx sbom for oct Signed-off-by: Vivek Kumar Sahu <[email protected]> add externalRef datafield for oct compliance Signed-off-by: Vivek Kumar Sahu <[email protected]> remove unwanted print stmt Signed-off-by: Vivek Kumar Sahu <[email protected]> handle exception Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
Signed-off-by: Vivek Kumar Sahu <[email protected]>
viveksahu26
force-pushed
the
openchain_telco_report_#243
branch
from
6e34ad1 to
70ee307
Compare
Signed-off-by: Vivek Kumar Sahu <[email protected]>
viveksahu26
force-pushed
the
openchain_telco_report_#243
branch
from
ae249a5 to
ef301ac
Compare
riteshnoronha
requested changes
Jun 29, 2024
Contributor
riteshnoronha
left a comment
riteshnoronha
left a comment
There was a problem hiding this comment.
Overall looks very good great work.
| ## OpenChain Telco: SBOM Requirements for OCT | ||
|
|
||
| The [OpenChain Telco](https://github.com/OpenChain-Project/Reference-Material/blob/master/SBOM-Quality/Version-1/OpenChain-Telco-SBOM-Guide_EN.md) specifies mandatory properties for an SBOM. Below is how we have derived all the values. | ||
| | OpenTelco | Section ID | OpenTelco field | SPDX(2.3) | Notes | |
Contributor
There was a problem hiding this comment.
Remove all the details in () not required. e.g DataLicense(SBOM_LICENSE) we don't require (SBOM_LICENSE)
|
|
||
| if reportType == OCT_TELCO { | ||
| if doc.Spec().GetSpecType() != "spdx" { | ||
| fmt.Println("The Provided SBOM spec is other than SPDX. Open Chain Telco only support SPDX specs SBOMs.") |
Signed-off-by: Vivek Kumar Sahu <[email protected]>
riteshnoronha
approved these changes
Jul 1, 2024
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR will contain feature for Open Telco SBOM compliance:
sbomqs compliance <sbom_file> --octwill look like: https://gist.github.com/viveksahu26/07a0c568beb9b31dbb813d3785507acaDescription of this PR:
compliancesub-command for OpenChain Telco SBOMs standards.referenceTypei.e.purlmust be present. UnderexternalRefsthere are list of reference with 3 fieldcategory type,package managerandlocator. There is bit a different way of scoring it. Suppose - out of 5 list of references, only 2 reference containspurl, then score would be like: (2/5)*10 = 4.