Comments (10)
edonadei
commented on September 28, 2024
1
In regards of the document about minimum requirements provided by NTIA, it's written page 12 that Known Unknowns must be explicitly identified and that it's better to avoid erroneous assumptions. IMHO the NOASSERTION of the SPDX spec fits that definition.
from ntia-conformance-checker.
lumjjb
commented on September 28, 2024
1
Given that most SBOMs today don't meet the requirement, maybe we could have a mode or additional output for a score to show % of packages that are compliant (similar to how the sbom scorecards does it)
from ntia-conformance-checker.
goneall
commented on September 28, 2024
1
Agree - we could add this to a major release along with the other breaking change.
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
@edonadei, thank you for filing this issue.
I'm open to your interpretation. @goneall or @kestewart, thoughts?
from ntia-conformance-checker.
goneall
commented on September 28, 2024
This is similar to #125 where we decided NOASSERTION would not be EO compliant.
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
Okay, to clarify for myself the questions under discussion here.
One question seems to be:
If a package has:
- a blank supplier field or a supplier field with a
NOASSERTIONvalue AND - a blank originator field or an originator field with a
NOASSERTIONvalue
then is that package (and by, extension, that SBOM) not NTIA minimum elements compliant?
To the best of my understanding, it is not minimum elements compliant. Does anyone disagree with that understanding?
The next question is:
If a package has:
- a blank supplier field or a supplier field with a
NOASSERTIONvalue
then is that package (and by, extension, that SBOM) not NTIA minimum elements compliant?
Reading the code comments, the comments suggest that either the package supplier or the package originator fields satisfy the NTIA minimum elements "supplier" field. But when I read the SPDX documentation on mapping SPDX field to NTIA, it appears that only the SPDX package supplier field maps to the NTIA minimum elements supplier field. So, to me, then the code should be changed.
Hmmm. Thoughts?
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
@lumjjb -- I'd be supportive of that as additional JSON output.
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
Friendly ping to @edonadei. Thoughts on my September 13th response?
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
@goneall: How would you like to proceed? This could be a candidate for a breaking change.
from ntia-conformance-checker.
jspeed-meyers
commented on September 28, 2024
Okay, I'll open a PR for review soon. This might require a little tinkering with the test suite too.
from ntia-conformance-checker.
Related Issues (20)
- Allow 'NOASSERTION' as Supplier and Originator per SPDX 2.3 standard HOT 31
- v0.3.1 is now broken with spdx/tools-python v0.8.0 HOT 8
- Cut New Release of ntia-conformance-checker HOT 2
- Fix or Remove Python Coverage App in PRs HOT 2
- Release pipeline to PyPI broken
- Validation messages when outputting JSON fails HOT 1
- Running ntia-checker without arguments fails with non-useful error
- Docs: Create a Release How-To
- ntia-checker fails for files under fileName must not be an absolute path HOT 5
- ntia-checker --version does not give the version HOT 4
- Bug: test the presence of the --file argument if another argument is present HOT 1
- Syntax of the short arguments HOT 3
- Cut a v1.0.0 Release? HOT 1
- Move Python Support From 3.8 to 3.9
- licenseId is not a case-sensitive as per spdx ,but this tool follows case-sensitve? HOT 13
- get_components_without_* functions shold return the SPDX ID of the component if there is one HOT 9
- Add Black and Pylint to Contributing Doc
- Getting confused about tri licensed package HOT 6
- Spelling: Minimum vs mininum HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ntia-conformance-checker.