Check SPDX SBOM for NTIA minimum elements and CISA baseline attributes
Project description
NTIA Conformance Checker
Validate the SPDX SBOM against NTIA, CISA, and other minimum element requirements.
This tool determines whether a SPDX software bill of materials (SBOM) document contains informational items as required by a certain specification.
It supports SPDX specification versions 2.2, 2.3, and 3.0.
Note that while the SPDX 3.0 specification allows for multiple SBOMs within a single SPDX document, this tool currently limits support to one SBOM per document.
A web-based version of the tool is available (no installation needed) at: https://tools.spdx.org/app/ntia_checker/
Conformance
Currently, the supported specifications are:
- 2021 National Telecommunications and Information Administration (NTIA) "minimum elements."
- 2024 CISA Framing Software Component Transparency (FSCT3) "minimum expected."
The minimum elements include:
- Supplier Name
- Component Name
- Version of the Component
- Other Unique Identifiers
- Dependency Relationship
- Author of SBOM Data
- Timestamp
As defined by the NTIA, the minimum elements are "the essential pieces that support basic SBOM functionality and will serve as the foundation for an evolving approach to software transparency."
In addition to information similar to NTIA minimum elements, FSCT3 requires these Baseline Attributes as part of its "minimum expected":
- License
- Copyright Holder (inside Copyright Notice)
Mappings:
- The mapping of the NTIA elements required data fields to the SPDX 2.3 specification can be found here.
- The mapping of FSCT3 Baseline Attributes to ISO/IEC 5962:2021 (SPDX 2.2.1) and SPDX 3.0 can be found at Section 2.5 of the FSCT3 document.
- More comparison of SBOM requirements and their mapping to SPDX can be found in this slide from Takashi Ninjouji of OpenChain Japan SBOM Sub-WG, presented at SPDX General Meeting 2024-12-05.
Installation
This tool requires Python 3.10 or newer. Its dependencies may require a more recent version of Python.
Installation Method #1:
Install from the Python Package Index (PyPI) with pip.
pip install ntia-conformance-checker
Installation Method #2: Install from local source. Clone the repo and install dependencies using the following commands:
git clone https://github.com/spdx/ntia-conformance-checker.git
cd ntia-conformance-checker
pip install .
It is recommended to use a virtual environment, especially
if you work with multiple Python versions.
virtualenv is a tool for creating isolated Python environments;
it lets you keep a project's dependencies in a single environment
or create separate environments for testing with different Python versions.
CLI usage
usage: sbomcheck [OPTIONS] PATH
positional arguments:
PATH Filepath for SBOM input
options:
-h, --help show this help message and exit
-s, --sbom-spec {spdx2,spdx3}
SBOM specification of the input file; see below for details [default: spdx2]
-c, --comply {fsct3-min,ntia}
Compliance standards to check against; see below for details [default: ntia]
--skip-validation Skip validation
-r, --output {html,json,print,quiet}
Report output type; see below for details [default: print]
-o, --output-file PATH
Filepath for report output; if omitted, prints to console
-v, --verbose Print more information (debug)
-V, --version Display version of sbomcheck
choices:
SBOM specifications (for --sbom-spec):
spdx2 Software Package Data Exchange (SPDX) 2.x
spdx3 System Package Data Exchange (SPDX) 3.x
Compliance standards (for --comply):
fsct3-min 2024 CISA Framing Software Component Transparency (minimum expectation)
ntia 2021 NTIA SBOM Minimum Elements
Report output types (for --output):
html Report in HTML format
json Report in JSON format
print Print report to console
quiet No output unless there are errors
Examples:
sbomcheck sbom.spdx
sbomcheck -s spdx3 -c fsct3-min -v sbom.json
sbomcheck sbom.yaml --output json --output-file report.json
The user can then analyze a particular file:
sbomcheck sbom.json
To generate the output in machine-readable JSON, run:
sbomcheck sbom.spdx --output json
To analyze an SPDX 3 JSON file, run:
sbomcheck sbom.json --sbom-spec spdx3
Use -h for help:
sbomcheck -h
Usage as a library
ntia-conformance-checker can also be imported as a library. For example:
from ntia_conformance_checker import SbomChecker
sbom_checker = SbomChecker("SBOM_filepath")
print(sbom_checker.compliant)
See the API documentation at: https://spdx.github.io/ntia-conformance-checker/
Additional properties and methods can be found in BaseChecker class
at base_checker.py.
Specific properties and methods for a particular specification can be found
at the checker for that specification. For example, NTIAChecker class
at ntia_checker.py.
Online usage
With the SPDX Online Tool, you can check the SBOM conformance without the need to install the Python package.
Go to this page: https://tools.spdx.org/app/ntia_checker/.
HTML output
The HTML output is organized into four distinct div blocks, each with a specific CSS class for easy styling and targeting:
- Errors (parsing, etc.):
<div class="conformance-err"> - Conformance results:
<div class="conformance-res"> - Components missing required information:
<div class="conformance-mis"> - Detailed validation information:
<div class="conformance-val">
History
- The project is the result of an initial Google Summer of Code (GSoC) contribution in 2022 by @linynjosh.
- SPDX 3 support and improved FSCT3 checker, available in v4.0.0, are GSoC 2025 contribution by @bact.
- The project is maintained by a community of SPDX adopters and enthusiasts.
- See SPDX's participation in Google Summer of Code (GSoC): https://github.com/spdx/GSoC.
License
Dependencies
- spdx-tools used for parsing the SPDX 2 SBOM.
- spdx-python-model used for parsing the SPDX 3 SBOM.
Support
- Submit issues, questions or feedback at https://github.com/spdx/ntia-conformance-checker/issues
- Join the discussion on https://lists.spdx.org/g/spdx-tech and https://spdx.dev/participate/tech/
Contributing
Contributions are very welcome! See CONTRIBUTING.md for instructions on how to contribute to the codebase.
Further help
Check out the frequently asked questions document.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file ntia_conformance_checker-5.0.3.tar.gz.
File metadata
- Download URL: ntia_conformance_checker-5.0.3.tar.gz
- Upload date:
- Size: 4.2 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
af4262a06560fcdaf05025522907977977c904538d4697fc44bc72bc29a853f2
|
|
| MD5 |
4c445d1df5e2b00d70d62e20f3d6151e
|
|
| BLAKE2b-256 |
91353f10225852dffe0b9cf368cc63d13c5600ca4102e23d02eca9aa961e53ea
|
File details
Details for the file ntia_conformance_checker-5.0.3-py3-none-any.whl.
File metadata
- Download URL: ntia_conformance_checker-5.0.3-py3-none-any.whl
- Upload date:
- Size: 31.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
080229acb305624a4aa69ef055df4d974f846bb0880b6d03db30793e91fc70d9
|
|
| MD5 |
17c7bd4eeb6312e701078a08f2bf201d
|
|
| BLAKE2b-256 |
f40374d8ce17f2deedc3e21c5c6789a4c542f4ca00e32145f57b03eee1658512
|
