SBOM Grader

Project description

This project grades SBOMs according to the Red Hat Product Security Guide to SBOMs.

Currently the script only fully supports SPDX v2.3 in JSON format. CycloneDX v1.5 is partially supported, for Product SBOMs only.

Installation

  • Clone this repository
  • Run:
    python3 -m venv .venv
    source .venv/bin/activate
    python3 -m pip install pdm
    pdm install

Quick start

To show the command line options, run the following command:

sbomgrader --help

This script uses both STDOUT and STDERR. STDOUT receives the output of the grading, while STDERR reports anything that interferes with command execution and is unrelated to the SBOM file itself.

Usage options

If you only specify the SBOM document, the script tries to estimate the SBOM type and applies all time-related cookbooks for that type (e.g. if it finds that an SBOM is for an RPM, it runs both the rpm build and rpm release cookbooks). The release-time cookbook takes precedence in establishing the final grade.

To specify the cookbook to be used, use the -c option. Its value must be a path to a .y[a]ml file on the filesystem.

To specify the SBOM type and time explicitly, the tool provides the -tp option for the SBOM type and the -tm option for the SBOM time. The SBOM type is one of product, image, image_index, rpm or generic. The generic type only checks the features common to all other types; the other types are described at https://redhatproductsecurity.github.io/security-data-guidelines/sbom/. The SBOM times are also explained in that article; the valid values are build or release.

The default passing grade is B. This can be changed with the -g argument followed by the target grade.

The script outputs data in three possible formats. The default is Markdown; you can also select json or yaml.
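The options above, assembled into a small driver that keeps the grade report (STDOUT) apart from tool errors (STDERR) the way the Quick start describes. This is an added example, not the project's own code. It assumes that each documented option (-c, -tp, -tm, -g) takes a single value and that the SBOM path is passed as a trailing positional argument; the output-format switch is not named in this README, so it is left out. The cookbook file name in the usage call and the stand-in command in demo_run are constructed.

```python
import subprocess
import sys
from typing import List, Optional, Sequence

# Values documented in the README above. Assumption: each option takes one value
# and the SBOM path is passed as a trailing positional argument.
SBOM_TYPES = ("product", "image", "image_index", "rpm", "generic")
SBOM_TIMES = ("build", "release")


def build_command(sbom_path: str,
                  cookbook: Optional[str] = None,
                  sbom_type: Optional[str] = None,
                  sbom_time: Optional[str] = None,
                  passing_grade: Optional[str] = None,
                  executable: str = "sbomgrader") -> List[str]:
    """Assemble the sbomgrader argument vector, rejecting values the README does not list."""
    if sbom_type is not None and sbom_type not in SBOM_TYPES:
        raise ValueError(f"unknown SBOM type {sbom_type!r}; expected one of {SBOM_TYPES}")
    if sbom_time is not None and sbom_time not in SBOM_TIMES:
        raise ValueError(f"unknown SBOM time {sbom_time!r}; expected one of {SBOM_TIMES}")
    if cookbook is not None and not cookbook.endswith((".yml", ".yaml")):
        raise ValueError("-c expects a path to a .yml/.yaml cookbook file")

    cmd = [executable]
    if cookbook is not None:
        cmd += ["-c", cookbook]
    if sbom_type is not None:
        cmd += ["-tp", sbom_type]
    if sbom_time is not None:
        cmd += ["-tm", sbom_time]
    if passing_grade is not None:
        cmd += ["-g", passing_grade]
    cmd.append(sbom_path)
    return cmd


def run_grader(cmd: Sequence[str], report_path: Optional[str] = None) -> dict:
    """Run the grader keeping STDOUT (the grade report) apart from STDERR (tool problems).

    The report is written to report_path when given; STDERR is never mixed into it,
    so a CI job can archive the report and surface tool errors separately.
    """
    proc = subprocess.run(list(cmd), capture_output=True, text=True)
    if report_path is not None:
        with open(report_path, "w", encoding="utf-8") as fh:
            fh.write(proc.stdout)
    return {"returncode": proc.returncode,
            "report": proc.stdout,
            "errors": proc.stderr}


def demo_run() -> dict:
    """Exercise run_grader with a constructed stand-in for sbomgrader.

    The stand-in prints a fake Markdown report on STDOUT and a warning on STDERR,
    which is enough to show that the two streams stay separate.
    """
    stand_in = [sys.executable, "-c",
                "import sys; print('# Grade: B'); print('warning: stand-in', file=sys.stderr)"]
    return run_grader(stand_in)


if __name__ == "__main__":
    # my_cookbook.yaml is a placeholder path, not a file shipped with the project.
    print(build_command("sbom.spdx.json", cookbook="my_cookbook.yaml",
                        sbom_type="rpm", sbom_time="release", passing_grade="A"))
    print(demo_run())
```

Because the README does not document exit-code semantics, the driver returns the return code unchanged rather than interpreting it; a pipeline should decide pass/fail from the report content it archives.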

Architecture

This project uses the terms Rules, RuleSets, Cookbooks and CookbookBundles. These are all representations of a test suite to run against an SBOM file.

CookbookBundles are composed of Cookbooks, which reference RuleSets, which are made of Rules.

Rules are the specific tests to be run; RuleSets are suites of Rules.

A Cookbook defines which force has to be applied to each rule for each SBOM type. You are completely free to create your own cookbook if the provided ones don't suit your needs. CookbookBundles are only aggregations of Cookbooks, which ensures that no test has to be run more than once on any document.

For details about Cookbooks, refer to the cookbooks/README.md file.

For details about RuleSets, refer to the rulesets/README.md file.
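A toy model of the vocabulary above, added here as an example; these are hypothetical classes, not the project's own, and the force labels ("MUST", "SHOULD"), rule names and the SPDX-style sample document are all constructed. The point it demonstrates is the last sentence of the Architecture section: two Cookbooks that both reference the same RuleSet cause each Rule to run once when evaluated through a CookbookBundle, while each Cookbook still reports its own force for that Rule.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Toy model of the README's vocabulary; hypothetical classes, not the project's own.
# Force labels ("MUST", "SHOULD") and rule names are illustrative.

CALLS: Dict[str, int] = {}  # how many times each rule's check function actually ran


@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]


@dataclass
class RuleSet:
    name: str
    rules: List[Rule]


@dataclass
class Cookbook:
    name: str
    forces: Dict[str, Dict[str, str]]  # sbom_type -> {ruleset name -> force label}


def counted_rule(name: str, fn: Callable[[dict], bool]) -> Rule:
    """Wrap a check so the demo can count how often it really executes."""
    def wrapper(sbom: dict) -> bool:
        CALLS[name] = CALLS.get(name, 0) + 1
        return fn(sbom)
    return Rule(name, wrapper)


Report = Dict[str, Dict[str, Tuple[str, bool]]]  # cookbook -> rule -> (force, passed)


def run_cookbooks_separately(cookbooks, rulesets, sbom, sbom_type) -> Report:
    """Naive approach: every cookbook re-runs every rule it references."""
    report: Report = {}
    for cb in cookbooks:
        for rs_name, force in cb.forces.get(sbom_type, {}).items():
            for rule in rulesets[rs_name].rules:
                report.setdefault(cb.name, {})[rule.name] = (force, rule.check(sbom))
    return report


class CookbookBundle:
    """Aggregates Cookbooks so each Rule is evaluated once per document."""

    def __init__(self, cookbooks: List[Cookbook], rulesets: Dict[str, RuleSet]):
        self.cookbooks = cookbooks
        self.rulesets = rulesets

    def evaluate(self, sbom: dict, sbom_type: str) -> Report:
        cache: Dict[str, bool] = {}  # rule name -> result, filled on first use
        report: Report = {}
        for cb in self.cookbooks:
            for rs_name, force in cb.forces.get(sbom_type, {}).items():
                for rule in self.rulesets[rs_name].rules:
                    if rule.name not in cache:
                        cache[rule.name] = rule.check(sbom)
                    report.setdefault(cb.name, {})[rule.name] = (force, cache[rule.name])
        return report


# Constructed SPDX-2.3-style fragment, deliberately failing two of the three rules.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "example-lib", "versionInfo": "1.2.3",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "00" * 32}]},
        {"name": "example-tool", "versionInfo": "", "checksums": []},
    ],
}

RULESETS = {
    "common": RuleSet("common", [
        counted_rule("spdx_version_present", lambda s: s.get("spdxVersion") == "SPDX-2.3"),
        counted_rule("packages_versioned", lambda s: all(p.get("versionInfo") for p in s["packages"])),
    ]),
    "release_extras": RuleSet("release_extras", [
        counted_rule("packages_checksummed", lambda s: all(p.get("checksums") for p in s["packages"])),
    ]),
}

COOKBOOKS = [
    Cookbook("rpm_build", {"rpm": {"common": "MUST"}}),
    Cookbook("rpm_release", {"rpm": {"common": "MUST", "release_extras": "SHOULD"}}),
]


def demo() -> Tuple[Report, Dict[str, int], Dict[str, int]]:
    """Return the bundle's report plus per-rule call counts without and with bundling."""
    CALLS.clear()
    run_cookbooks_separately(COOKBOOKS, RULESETS, SAMPLE_SBOM, "rpm")
    separate_calls = dict(CALLS)
    CALLS.clear()
    report = CookbookBundle(COOKBOOKS, RULESETS).evaluate(SAMPLE_SBOM, "rpm")
    return report, separate_calls, dict(CALLS)


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Running it shows the shared rules executing twice without the bundle and once with it, while the rpm_release cookbook still carries its own force for the extra ruleset it references.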

Download files


Source Distribution

sbomgrader-0.1.0.tar.gz (48.5 kB)

Uploaded Source

Built Distribution


sbomgrader-0.1.0-py3-none-any.whl (31.0 kB)

Uploaded Python 3

File details

Details for the file sbomgrader-0.1.0.tar.gz.

File metadata

  • Download URL: sbomgrader-0.1.0.tar.gz
  • Upload date:
  • Size: 48.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for sbomgrader-0.1.0.tar.gz
Algorithm Hash digest
SHA256 f9b0d7d3b03beac0e89ed88be714fb36ba34b374883cc554146eb25a210781d0
MD5 d005ef70aa1d6f79a87d6024d1ae715a
BLAKE2b-256 a04e661ef933882b025410d53cf889f819a3d3827b00b10813c1a229fb28b360


Provenance

The following attestation bundles were made for sbomgrader-0.1.0.tar.gz:

Publisher: release-pypi.yml on BorekZnovustvoritel/SBOM-Grader

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sbomgrader-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sbomgrader-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 31.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for sbomgrader-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 f85f4fcd2b686ec35a92a68fbc21d63c48df8e6fcff2a71b29b0e2dbaaf3bc25
MD5 f4b536cac6475543c8c0a06189711f7f
BLAKE2b-256 af9345944540a08f2b58c01c353dcebf73a4bedd75e0685f1be970b7dd4283cf
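The digests listed for both files above are what a practitioner should check a downloaded artifact against before installing it. The following is an added example, not code from the project or from PyPI: it copies the two SHA256 values from this listing, verifies a file against the digest recorded for its basename, and renders a hash-pinned requirements line for pip. The stand-in file written by demo is constructed and does not match the real sdist, so the second check is expected to fail.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

# SHA256 digests copied from the PyPI listing above for release 0.1.0.
# MD5 is listed there too, but only SHA256 should be used for integrity decisions.
PUBLISHED_SHA256: Dict[str, str] = {
    "sbomgrader-0.1.0.tar.gz":
        "f9b0d7d3b03beac0e89ed88be714fb36ba34b374883cc554146eb25a210781d0",
    "sbomgrader-0.1.0-py3-none-any.whl":
        "f85f4fcd2b686ec35a92a68fbc21d63c48df8e6fcff2a71b29b0e2dbaaf3bc25",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large wheels do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected: Dict[str, str] = PUBLISHED_SHA256) -> bool:
    """True only if the file's SHA256 equals the published digest for its basename."""
    name = os.path.basename(path)
    if name not in expected:
        raise KeyError(f"no published digest recorded for {name}")
    return hmac.compare_digest(sha256_of_file(path), expected[name].lower())


def hash_pinned_requirement(name: str, version: str, digests: Dict[str, str]) -> str:
    """Render a requirements line for use with 'pip install --require-hashes'.

    Listing both the sdist and the wheel digest lets either artifact satisfy the pin;
    anything with a different digest makes pip abort the install.
    """
    hashes = " ".join(f"--hash=sha256:{d}" for d in digests.values())
    return f"{name}=={version} {hashes}"


def demo() -> Tuple[bool, bool]:
    """Write a constructed stand-in file; check it against its own digest and the published one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sbomgrader-0.1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(b"constructed stand-in, not the real sdist\n")
        own = {"sbomgrader-0.1.0.tar.gz": sha256_of_file(path)}
        return verify_download(path, own), verify_download(path)


if __name__ == "__main__":
    print(hash_pinned_requirement("sbomgrader", "0.1.0", PUBLISHED_SHA256))
    print(demo())
```

Write the rendered line to a requirements file and install with `pip install --require-hashes -r requirements.txt`; in that mode pip refuses any artifact whose digest is not listed, which turns the hashes on this page into an enforced check rather than a manual one.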


Provenance

The following attestation bundles were made for sbomgrader-0.1.0-py3-none-any.whl:

Publisher: release-pypi.yml on BorekZnovustvoritel/SBOM-Grader

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
