add bsi-v1 score functionality#433
Merged
riteshnoronha merged 12 commits into interlynk-io:main from Jun 17, 2025
Contributor:
@viveksahu26 #331 (comment) comment about the parameter names.
Author (Collaborator):
The o/p of
./sbomqs score --category bsi-v2.0.0 sbomqs/interlynk-io-sbomqs-v1.0.7-sbomqs-linux-amd64.spdx.sbom.json
SBOM Quality by Interlynk Score:7.2 components:35 sbomqs/interlynk-io-sbomqs-v1.0.7-sbomqs-linux-amd64.spdx.sbom.json
+------------+------------------------------+-----------+--------------------------------+
| CATEGORY | FEATURE | SCORE | DESC |
+------------+------------------------------+-----------+--------------------------------+
| bsi-v2.0.0 | comp_with_associated_license | 10.0/10.0 | 35/35 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_concluded_license | 10.0/10.0 | 35/35 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_declared_license | 10.0/10.0 | 35/35 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_dependencies | 9.7/10.0 | 34/35 have dependencies |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_executable_hash | 9.7/10.0 | 34/35 have checksums |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_executable_uri | 0.0/10.0 | 0/35 have executable URI |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_name | 10.0/10.0 | 35/35 have names |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_source_code_hash | 0.0/10.0 | 0/35 have source code hash |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_source_code_uri | - | no-deterministic-field in spdx |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_supplier | 0.0/10.0 | 0/35 have supplier names |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_uniq_ids | 9.7/10.0 | 34/35 have unique ID's |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_version | 10.0/10.0 | 35/35 have versions |
+ +------------------------------+-----------+--------------------------------+
| | sbom_authors | 10.0/10.0 | doc has 2 authors |
+ +------------------------------+-----------+--------------------------------+
| | sbom_build_process | 0.0/10.0 | doc has no build phase in |
| | | | lifecycle |
+ +------------------------------+-----------+--------------------------------+
| | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp |
| | | | 2025-06-06T05:52:18Z |
+ +------------------------------+-----------+--------------------------------+
| | sbom_dependencies | 10.0/10.0 | primary comp has 34 |
| | | | dependencies |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_signature | 5.0/10.0 | Signature provided but |
| | | | verification failed! |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_uri | 10.0/10.0 | doc has URI |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_vuln | 10.0/10.0 | no vulnerabilities found |
+ +------------------------------+-----------+--------------------------------+
| | spec_with_version_compliant | 10.0/10.0 | provided sbom spec: spdx, and |
| | | | version: SPDX-2.3 is supported |
+------------+------------------------------+-----------+--------------------------------+
./sbomqs score --category bsi-v2.0 samples/sbomqs-cdx-cgomod.json
SBOM Quality by Interlynk Score:6.8 components:21 samples/sbomqs-cdx-cgomod.json
+------------+------------------------------+-----------+--------------------------------+
| CATEGORY | FEATURE | SCORE | DESC |
+------------+------------------------------+-----------+--------------------------------+
| bsi-v2.0.0 | comp_with_associated_license | 10.0/10.0 | 21/21 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_concluded_license | 10.0/10.0 | 21/21 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_declared_license | 10.0/10.0 | 21/21 have compliant licenses |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_dependencies | 4.8/10.0 | 10/21 have dependencies |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_executable_hash | 0.0/10.0 | 0/21 have checksums |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_executable_uri | 0.0/10.0 | 0/21 have executable URI |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_name | 10.0/10.0 | 21/21 have names |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_source_code_hash | - | no-deterministic-field in cdx |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_source_code_uri | 7.1/10.0 | 15/21 have source code URI |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_supplier | 0.0/10.0 | 0/21 have supplier names |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_uniq_ids | 10.0/10.0 | 21/21 have unique ID's |
+ +------------------------------+-----------+--------------------------------+
| | comp_with_version | 10.0/10.0 | 21/21 have versions |
+ +------------------------------+-----------+--------------------------------+
| | sbom_authors | 10.0/10.0 | doc has 1 authors |
+ +------------------------------+-----------+--------------------------------+
| | sbom_build_process | 0.0/10.0 | doc has no build phase in |
| | | | lifecycle |
+ +------------------------------+-----------+--------------------------------+
| | sbom_creation_timestamp | 10.0/10.0 | doc has creation timestamp |
| | | | 2023-05-04T02:34:37-07:00 |
+ +------------------------------+-----------+--------------------------------+
| | sbom_dependencies | 10.0/10.0 | primary comp has 11 |
| | | | dependencies |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_signature | 5.0/10.0 | Signature provided but |
| | | | verification failed! |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_uri | 10.0/10.0 | doc has URI |
+ +------------------------------+-----------+--------------------------------+
| | sbom_with_vuln | 10.0/10.0 | no vulnerabilities found |
+ +------------------------------+-----------+--------------------------------+
| | spec_with_version_compliant | 10.0/10.0 | provided sbom spec cyclonedx, |
| | | | and version 1.4 is supported |
+------------+------------------------------+-----------+--------------------------------+
The main thing to show here is
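As an added example (not part of this PR or of the sbomqs project's own code), here is a small Python parser for the ASCII table that `sbomqs score` prints above. It turns each feature row into a record, keeps wrapped DESC cells together, treats the `-` score (no deterministic field for that spec) as not-applicable rather than zero, and lets a CI job fail on features below a chosen threshold. The embedded sample is an excerpt of the first table shown in this comment; the threshold value and the function and class names are my own choices.

```python
"""Parse the table printed by `sbomqs score` and gate on per-feature scores.

Added example; not code from the sbomqs project. Assumes the four-column
layout shown in the PR (CATEGORY | FEATURE | SCORE | DESC).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FeatureScore:
    category: str
    feature: str
    score: Optional[float]       # None when sbomqs prints "-" (no deterministic field)
    max_score: Optional[float]
    desc: str


# Constructed sample: an excerpt of the bsi-v2.0.0 table shown in this PR,
# embedded here so the example runs offline.
SAMPLE_OUTPUT = """\
SBOM Quality by Interlynk Score:7.2 components:35 sample.spdx.sbom.json
+------------+------------------------------+-----------+--------------------------------+
| CATEGORY   | FEATURE                      | SCORE     | DESC                           |
+------------+------------------------------+-----------+--------------------------------+
| bsi-v2.0.0 | comp_with_associated_license | 10.0/10.0 | 35/35 have compliant licenses  |
+            +------------------------------+-----------+--------------------------------+
|            | comp_with_source_code_uri    | -         | no-deterministic-field in spdx |
+            +------------------------------+-----------+--------------------------------+
|            | comp_with_supplier           | 0.0/10.0  | 0/35 have supplier names       |
+            +------------------------------+-----------+--------------------------------+
|            | sbom_with_signature          | 5.0/10.0  | Signature provided but         |
|            |                              |           | verification failed!           |
+------------+------------------------------+-----------+--------------------------------+
"""

SCORE_RE = re.compile(r"^(\d+(?:\.\d+)?)/(\d+(?:\.\d+)?)$")
HEADER_RE = re.compile(r"Score:(\d+(?:\.\d+)?)\s+components:(\d+)")


def _parse_score(cell: str) -> Tuple[Optional[float], Optional[float]]:
    """'10.0/10.0' -> (10.0, 10.0); '-' -> (None, None)."""
    if cell == "-":
        return None, None
    m = SCORE_RE.match(cell)
    if not m:
        raise ValueError(f"unrecognised score cell: {cell!r}")
    return float(m.group(1)), float(m.group(2))


def parse_sbomqs_table(text: str) -> Tuple[Optional[float], Optional[int], List[FeatureScore]]:
    """Return (overall score, component count, feature rows) from sbomqs output."""
    overall: Optional[float] = None
    components: Optional[int] = None
    rows: List[FeatureScore] = []
    category = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m and overall is None:
            overall, components = float(m.group(1)), int(m.group(2))
            continue
        if line.startswith("+") or not line.startswith("|"):
            continue                                   # separator or non-table text
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"expected 4 columns, got {len(cells)}: {line!r}")
        cat, feature, score, desc = cells
        if feature == "FEATURE":
            continue                                   # column header row
        if feature:
            category = cat or category                 # CATEGORY is printed once per group
            s, mx = _parse_score(score)
            rows.append(FeatureScore(category, feature, s, mx, desc))
        elif rows and desc:
            rows[-1].desc += " " + desc                # wrapped DESC continues previous row
    return overall, components, rows


def failing_features(rows: List[FeatureScore], threshold: float) -> List[str]:
    """Features scored below `threshold`; not-applicable ('-') rows are skipped."""
    return [r.feature for r in rows if r.score is not None and r.score < threshold]


if __name__ == "__main__":
    overall, n, rows = parse_sbomqs_table(SAMPLE_OUTPUT)
    print(f"overall={overall} components={n}")
    for f in failing_features(rows, 7.0):
        print("below threshold:", f)
```

Skipping the `-` rows matters for a gate: a feature that has no deterministic field in the SBOM format is a limitation of the spec, not a defect in the document, whereas `sbom_with_signature` at 5.0 with "verification failed" is exactly the kind of row a pipeline should stop on.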
riteshnoronha previously approved these changes (Jun 16, 2025)
riteshnoronha approved these changes (Jun 17, 2025)
fvsamson reviewed (Jun 18, 2025)
closes #413
This PR adds the following changes:
- `doc` by `sbom` for better readability
- `DEPENDS_ON` will be counted as a dependency `depends_on`
- `BSI-V1.1` and `BSI-V2.0` features to `list` command also.